Agents Disconnected After Agent Upgrade


Khul Sat

Apr 17, 2023, 4:31:16 AM
to Wazuh mailing list
Hello!!!
Greetings!

Accidentally, the majority of agents got upgraded from version 4.3.10 to 4.4.0. After reading a few articles, I got to know that a higher version of wazuh-agent is not supported by wazuh-manager. In the meantime, I noticed that a major chunk of agents are in disconnected state, hence I downgraded the agents back to 4.3.10. I was hoping that the disconnected agents would come back to active state post agent downgrade, but nothing happened.

I checked and did not find anything in the agent logs. I am able to telnet to the Wazuh manager on ports 1515 / 1514.

Please help me in rectifying this. Thank you very much in advance!!!

Regards, KS
 

Khul Sat

Apr 17, 2023, 5:30:38 AM
to Wazuh mailing list
UPDATE:

One thing I have noticed is that a few of the agents which got upgraded got re-registered with the manager with a different agent ID. The old agent ID shows as disconnected and the new one as active.

Pedro Nicolás Gomez

Apr 17, 2023, 9:14:15 AM
to Wazuh mailing list

Hi Khul,

What could have happened is that the agents momentarily lost communication with the manager. After 5 consecutive failed connection attempts, the agent requests a new key, and this causes the agent to change its ID.

In version 4.3 a new functionality was added to control these cases, so that, depending on the configuration, the re-registration of the agents will be allowed or blocked. This functionality is configured through the <force> block.

The new block is <force>, which is configured inside <auth> (manager):

<auth>
  …
  <force>
    <enabled>yes</enabled>
    <disconnected_time enabled="yes">1h</disconnected_time>
    <after_registration_time>1h</after_registration_time>
    <key_mismatch>yes</key_mismatch>
  </force>
  …
</auth>

enabled: Toggles whether or not to force the insertion of an agent if there is a duplicate name or IP address. This will remove the old agent with the same name or IP address.

disconnected_time: This option, when enabled, specifies that the replacement will be performed only for agents that have been disconnected longer than the value configured in the setting. This option should be disabled to replace any agent regardless of its state.

after_registration_time: Specifies that the agent replacement will be performed only when the time passed since the agent registration is greater than the value configured in the setting.

key_mismatch: This option defines that the agent replacement occurs when the key held by the agent is different from the one registered by the manager.

You can find detailed information about the force block in this link:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#force

I hope it helps.
Best regards,

Pedro Nicolas.
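
As an added illustration (not part of the original thread and not Wazuh's own code), the sketch below parses the <force> block quoted in the reply above and models when a duplicate registration would replace the existing agent entry, following the option descriptions given there. How the conditions combine, treating a bare number as seconds, and all function and parameter names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The <force> block from the reply above (the elided "…" lines are left out).
FORCE_XML = """
<auth>
  <force>
    <enabled>yes</enabled>
    <disconnected_time enabled="yes">1h</disconnected_time>
    <after_registration_time>1h</after_registration_time>
    <key_mismatch>yes</key_mismatch>
  </force>
</auth>
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert '1h', '30m', ... to seconds (assumption: bare number = seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def load_force(xml_text):
    """Read the four <force> settings into a dict (hypothetical helper)."""
    force = ET.fromstring(xml_text).find("force")
    disc = force.find("disconnected_time")
    return {
        "enabled": force.findtext("enabled") == "yes",
        "disc_enabled": disc.get("enabled") == "yes",
        "disc_secs": seconds(disc.text),
        "after_reg_secs": seconds(force.findtext("after_registration_time")),
        "key_mismatch": force.findtext("key_mismatch") == "yes",
    }

def replacement_decision(cfg, connected, disconnected_for, registered_for, key_matches):
    """Return (replace?, reason) for a registration that duplicates an existing agent.
    Times are in seconds. Assumption: every configured condition must hold."""
    if not cfg["enabled"]:
        return False, "force disabled"
    if cfg["key_mismatch"] and key_matches:
        return False, "agent key matches the manager's"
    if registered_for <= cfg["after_reg_secs"]:
        return False, "registered too recently"
    if cfg["disc_enabled"] and (connected or disconnected_for <= cfg["disc_secs"]):
        return False, "not disconnected long enough"
    return True, "old entry replaced"

if __name__ == "__main__":
    cfg = load_force(FORCE_XML)
    # Constructed case: agent down for 3 days, registered 30 days ago, key differs.
    print(replacement_decision(cfg, False, 3 * 86400, 30 * 86400, False))
```
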

Khul Sat

Apr 17, 2023, 11:28:29 PM
to Wazuh mailing list
Hello Pedro Nicolas!
Thank you for sharing the info which I was completely unaware of. This is informative.

However, please share your expert thoughts on the agents which are still showing as disconnected even after 2-3 days. While searching for an answer, I browsed a lot, and somewhere I read that agents running on a higher version cause Wazuh's DB to act abnormally. Is it true? Do I need to recreate/rebuild the Wazuh database?

Regards, KS