wazuh@googlegroups.com

Jairus Noel

unread,

Jun 30, 2022, 4:22:06 PM6/30/22

to Wazuh mailing list

Hi Team,

We have one Wazuh manager and 3 worker nodes for 3 different regions,

We are seeing issues with communication with many agents in wazuh console. We observed that agents are not picking up DHCP IP addresses properly, due to which many agents are showing as disconnected. For example

In the below attachment we see same IP address is assigned to 2 machines, but only one is showing active however the other machines are live on the network. This has been confirmed by other endpoint resources we use like Symantec, Qualys, etc.,

wazuh log.PNG

Jairus Noel

unread,

Jun 30, 2022, 4:23:11 PM6/30/22

to Wazuh mailing list

Why wazuh is not picking the workstations when the IP address is changing as per DHCP IP allocation? We see challenges with many machines as they are showing as disconnected.

Gonzalo Membrillo Solbes

unread,

Sep 16, 2022, 9:02:03 AM9/16/22

to Wazuh mailing list

Hello Jairus,

Wazuh has a setting in its configuration that allows it to identify agents by their IP. So, if 2 agents have the same IP, it will connect the first agent to go online and consider the second a duplicate by default. You can turn this off by editing your manager's configuration file. You can access it via the Wazuh Dashboard or by opening it with a text editor with the following command:

vi /var/ossec/etc/ossec.conf

Once you have the file open, look for the field that says < use_source_ip>yes</ use_source_ip> and change the value to no.

This should stop Wazuh from identifying agents via their IP and should connect any agents with duplicate IPs.

I hope you find this helpful. Feel free to contact us should you require to do so.