Reset Wazuh manager agent database back to 001

2,222 views
Skip to first unread message

Gordon Maene

unread,
Nov 16, 2018, 5:33:34 AM11/16/18
to Wazuh mailing list
Hi Masters

We've successfully built and tested our production platform using Wazuh v3.7.

I've removed the test agents from the Wazuh manager. Is there any way I can reset the Wazuh database so that a new agent will be added as 001?

Thanks for the all the hard work guys, keep it up.

Regards

Gordon

cris...@wazuh.com

unread,
Nov 16, 2018, 7:23:51 AM11/16/18
to Wazuh mailing list
Hello Gordon,

First of all, if authd is running in the manager you'll have to stop it, then you can modify the client.keys file removing the lines of those test agents; if you have removed these agents previously, they will be marked with an '!' at the beginning. The next time you register one it will be assigned the id 001 if you have removed all of them at the client.keys file.

Let me know if this helped you.

Best regards,
Cristina

Gordon Maene

unread,
Nov 16, 2018, 10:29:27 AM11/16/18
to Wazuh mailing list
Hi Cristina

Thanks for your help, I've given it a try, stopped authd on the manager with ossec-authd stop. Removed the agents from client.keys on the manager and agent, restarted authd but I receive an error when manually trying to add an agent. 

I receive this error:

 manage_agents: ERROR: ERROR 9007: Duplicated IP

Anywhere else I can check?

Regards

Gordon

Gordon Maene

unread,
Nov 16, 2018, 10:32:19 AM11/16/18
to Wazuh mailing list
Hi Cristina

A quick update, I managed to add the agent (without getting the duplicate IP error) but it's still not 001.

Thanks for your help.

Regards

Gordon

On Friday, 16 November 2018 12:23:51 UTC, cris...@wazuh.com wrote:

cris...@wazuh.com

unread,
Nov 16, 2018, 11:30:55 AM11/16/18
to Wazuh mailing list
Hello Gordon.

Are you adding the agents with manage_agents or with authd? I need some info for reproducing your issue. What do you have in the client.keys file?

Gordon Maene

unread,
Nov 19, 2018, 2:40:28 AM11/19/18
to Wazuh mailing list
Hi Cristina

I've added agents through manage_agents and authd.

I have this in the client.keys on the manager and agent.

007 ubuntu 10.185.90.91 35ef0a933bb03d5c8a78f54c5eac908213707fdf69998a2015c5b8f458fbc377

Is it a different process to reset back to 001 if I use manage_agents?

Regards

Gordon

Pedro Sánchez

unread,
Nov 19, 2018, 9:50:22 PM11/19/18
to sundes...@gmail.com, wa...@googlegroups.com
Hi Gordon,

The same process is required to reset to 001, both from manage_agents and ossec-authd, the only constraint is to have ossec-authd daemon and ossec-remoted stopped.

Run the commands below to empty the client.keys file, be aware we are removing all keys.

ls -lah /var/ossec/etc/client.keys
/var/ossec/bin/ossec-control stop > /dev/null 
systemctl stop wazuh-manager
> /var/ossec/etc/client.keys
systemctl start wazuh-manager
ls -lah /var/ossec/etc/client.keys

You can paste the output just to verify the client.keys size is 0 bytes after the reset.

I hope it helps, best regards,
Pedro.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d0159cf1-7d85-4124-bdc7-c5ee5735ae2a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Gordon Maene

unread,
Nov 20, 2018, 4:37:52 AM11/20/18
to Wazuh mailing list
Hi Pedro

I've followed your steps and that has worked perfectly for me. 

Thanks for yours and Cristina's help.

Very much appreciated.

Regards

Gordon
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

Pedro Sánchez

unread,
Nov 21, 2018, 10:03:25 PM11/21/18
to Gordon Maene, wa...@googlegroups.com
Hi Gordon,

I am glad it worked, let us know if you have other questions.
Thanks for your feedback.

Regards,
Pedro.



To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d0159cf1-7d85-4124-bdc7-c5ee5735ae2a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/03e89954-0759-4f90-90f5-6f5ec0f63981%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages