Hello Eugenia
There is no functionality as such that allows you to change the name of an already registered agent, but the following workarounds can be done to achieve this:
Delete the agent and register it again with a new name (inconvenience: wazuh-agent
has a new ID)
First, we stop the wazuh-agent
we want to rename:
systemctl stop wazuh-agent
Next, we remove the wazuh-agent
from the wazuh-manager
. For this we can use for example the CLI tool /var/ossec/bin/manage_agents
of the wazuh-manager
. More info about removing agents: https://documentation.wazuh.com/current/user-manual/agents/remove-agents/remove.html
Once deleted, we have to register the agent with the new name.
We can do this in two different ways:
Using ossec.conf
<enrollment>
configuration
The following configuration block must be added to the ossec.conf
file of the wazuh-agent
(more information at https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html?#agent-name):
<enrollment>
<agent_name>your_new_name</agent_name>
</enrollment>
Then start the wazuh-agent
and wait a few seconds until the wazuh-agent
requests a new key and registers with the new name but with a different ID.
Registering manually with the agent-auth
tool.
In the wazuh-agent
, we can execute the command (more info at https://documentation.wazuh.com/current/user-manual/reference/tools/agent-auth.html):
/var/ossec/bin/agent-auth -m <WAZUH-MANAGER-IP> -A <YOUR_NEW_AGENT_NAME>
and then start the `wazuh-agent:
systemctl start wazuh-agent
Note: The disadvantage of this process is that the agent will have a new ID after this process.
Re-register the agent using the POST API endpoint /agents/insert (from versions >= 4.3.0)
Disclaimer: There is an open issue https://github.com/wazuh/wazuh/issues/8760 where a bad agent status is reported after performing this process. I advise not to use this method until this issue is solved in the next versions. I mention this for visibility, as this would solve the problem of the agent having a new ID.
In this case, using the POST /agents/insert
API endpoint you can re-register the agent under the same ID and with a different name. More info at https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.insert_agent
The process would be to make a request to the API with the following payload:
{
"id": "001",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"name": "new_agent_name",
"ip": "any",
"force": {
"enabled": true,
"disconnected_time": {
"enabled": false
},
"after_registration_time": "0s"
}
}
You will see something similar to the following as a response:
{
"data": {
"id": "001",
"key": "<KEY>"
},
"error": 0
}
where key
is the wazuh-agent
key. This key needs to be imported in the wazuh-agent
. Have a look at importing the key to the agent documentation.
For example, you can do it easily running in the wazuh-agent
:
/var/ossec/bin/manage_agents -i <NEW_KEY>
After following the steps and restarting the wazuh-agent
, the wazuh-agent
name is updated.
Remember that this method does not seem to work properly yet, so in case it is necessary to use it, keep an eye on the issue mentioned https://github.com/wazuh/wazuh/issues/8760.
I hope this information is helpful.
Try it and let us know the results.
Best regards.
Hello team, Is it possible to rename Wazuh agent after it has registered?Best Regards
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAJyqYo-_CEExmaWGhO7%2BfmNZU9a1%3D83vus1pB3dhy4bNsb%2BM9Q%40mail.gmail.com.