Wazuh agents show wrong IP address in Kibana


Sandeep Renjith

Oct 28, 2021, 4:16:04 AM
to Wazuh mailing list
Hi Team, 

We have a few Wazuh agents (on Windows and Linux) showing the wrong IP address in the Kibana Wazuh app. 
The IP address shown belongs to the first interface in the interface table. However, this interface is only used for a specific use case and does not communicate with Wazuh. 

Is there a way we can configure the agent so that another interface shows up in Kibana?

So far we have tried the below. 
- Remove the agent using manage-agents, re-add using '-I' option in agent-auth. (and restart)
- Replace the IP address manually in client.keys (on agent, server and both)
- Add <local_ip> tag in agents' ossec.conf

Any help would be much appreciated.

Alejandro Ruiz Becerra

Oct 29, 2021, 5:54:38 AM
to Wazuh mailing list
Hello and thanks for using Wazuh.

My name is Alex and I'll try to help to solve this issue.

The Kibana App shows the information received from the manager's API, so the issue might have its origin during the agents' registration process.
In order to check this, please do the following:
  1. Open the Wazuh App on Kibana.
  2. Navigate to the Tools > API Console.
  3. Run GET /agents (should be already there as default). 
  4. Check if the IPs shown there are also wrong (most likely).
If preferred, this can also be checked using the CLI on the manager node, as shown here:
  1. Run /var/ossec/bin/manage_agents -l
Since Wazuh 4.0, by default, the agent registers automatically with the manager through enrollment. Configuration details can be found in the Enrollment section.
In your case, the configuration field needed is local_ip 

"local_ip: Specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces."

I hope this helps you to solve your issue. Please don't hesitate to ask me any other question or problem you encounter, I'll be glad to help.

Have a nice day and weekend.

Alex.

Sandeep Renjith

Oct 31, 2021, 3:31:22 AM
to Wazuh mailing list
Hi Alex, 

Thanks for the response. 

To clarify, 

  1.  We did add local_ip to the agent configuration file and re-registered, restarted etc.
    When the agent is registered after this, till the agent is connected, the desired IP shows up in the Kibana Wazuh app for the agent. However, when the agent becomes active, the IP shown is replaced with the first IP in the interface table. 
  2. The IP address used for communication is the right one. The desired IP (second in the interface list) is the one which has a route to the Wazuh manager and is used for communication. We confirmed this with tcpdump. The issue is that the IP address displayed in the Kibana app is not the one used for communication to the Wazuh manager.
Regards,
Sandeep

Alejandro Ruiz Becerra

Nov 2, 2021, 7:08:08 AM
to Wazuh mailing list
Hi Sandeep,

Thank you for the clarification.

This could be a bug on our side. In order to determine if this is a bug on the Kibana plugin, on the Wazuh API or on any other module that feeds the API I would need you to perform the actions described on my first email, and reply with the results. 

To summarize:

  1. Run GET /agents on the API Console of the Wazuh plugin for Kibana. Please tell me if the IPs are right (second interface) or wrong (first interface).
  2. If they are wrong, run /var/ossec/bin/manage_agents -l on the manager node and please share the same information as before.

Regards,
Alex

Sandeep Renjith

Nov 9, 2021, 3:26:00 AM
to Wazuh mailing list
Hi Alex, 

Sorry about the delay in getting back to you on this. Got held up with a lot of different things. 
Below are the outputs for one of the affected agents.

Manage Agents output
# ./manage_agents -l| grep inews
   ID: 127, Name: inews-b, IP: 192.168.30.142

GET /agents output
      {
        "os": {
          "arch": "x86_64",
          "major": "6",
          "minor": "5",
          "name": "Red Hat Enterprise Linux Server",
          "platform": "rhel",
          "uname": "Linux |inews-b |2.6.32-431.el6.x86_64 |#1 SMP Sun Nov 10 22:19:54 EST 2013 |x86_64",
          "version": "6.5"
        },
        "node_name": "node01",
        "name": "inews-b",
        "mergedSum": "2c45c95db2954d2c7d0ea533f09e81a5",
        "ip": "10.0.0.2",
        "id": "127",
        "manager": "XXXXX",
        "dateAdd": "2021-10-28T07:53:16Z",
        "group": [
          "default"
        ],
        "status": "active",
        "configSum": "ab73af41699f13fdd81903b5f23d8d00",
        "registerIP": "192.168.30.142",
        "lastKeepAlive": "2021-11-09T08:21:20Z",
        "version": "Wazuh v4.1.5"
      },


What we see in the registerIP field is the correct one. The one shown in the IP field is the one that shows up on Kibana.

Alejandro Ruiz Becerra

Nov 9, 2021, 1:42:40 PM
to Wazuh mailing list
Hello again Sandeep,

As long as the agents are communicating with the manager it is fine.

The manager stores the current agent's IP and the IP used during the registration process in order to maintain the restrictions imposed by the use-source-ip property. By default this property is disabled, so "any" is used as IP during the registration process when agent_auth is used, as seen here. The IP is later set automatically when the agent is first connected to the manager.

In order to keep both IPs synchronized, please try to use the manage_agents program instead, on the manager. Follow the instructions described here.

1. Remove the agent using manage-agents: /var/ossec/bin/manage_agents -r <agent_id>
2. Re-add the agent using manage-agents: /var/ossec/bin/manage_agents -a <agent_IP> -n <agent_name>
3. Get the agent's key: /var/ossec/bin/manage_agents -e <agent_id>
4. Add this key to the agent: /var/ossec/bin/manage_agents -i <key>

I hope it helps.

As a last resort, set the use-source-ip property to yes, but note that the communication with the manager could break if the agent changes its IP for whatever reason.

Regards,
Alex.
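
Added example (not part of the thread and not Wazuh's own code): a small checker that walks agent records shaped like the GET /agents output posted above and lists every agent whose `ip` is inconsistent with its `registerIP`. Treating `registerIP` as "any", a single address or a CIDR range is an assumption of this sketch; the sample records are constructed, with the first one reusing the values from this thread.

```python
import ipaddress
import json

# Constructed sample: the first entry uses the values posted in this thread,
# the other two are made up to exercise the "any" and CIDR cases.
SAMPLE_AGENTS = json.loads("""
[
  {"id": "127", "name": "inews-b", "status": "active",
   "ip": "10.0.0.2", "registerIP": "192.168.30.142"},
  {"id": "201", "name": "example-any", "status": "active",
   "ip": "192.168.30.50", "registerIP": "any"},
  {"id": "202", "name": "example-cidr", "status": "active",
   "ip": "192.168.30.77", "registerIP": "192.168.30.0/24"}
]
""")


def register_ip_matches(ip, register_ip):
    """Return True when the reported ip is consistent with registerIP."""
    if register_ip.lower() == "any":
        return True  # registration placed no restriction on the address
    try:
        # strict=False lets a bare address parse as a single-host network
        allowed = ipaddress.ip_network(register_ip, strict=False)
        return ipaddress.ip_address(ip) in allowed
    except ValueError:
        return False  # unparsable value: report it for manual review


def find_ip_mismatches(agents):
    """List agents whose reported ip differs from their registration IP."""
    mismatches = []
    for agent in agents:
        ip = agent.get("ip")
        register_ip = agent.get("registerIP")
        if not ip or not register_ip:
            continue  # skip records missing either field
        if not register_ip_matches(ip, register_ip):
            mismatches.append((agent["id"], agent["name"], ip, register_ip))
    return mismatches


if __name__ == "__main__":
    for agent_id, name, ip, register_ip in find_ip_mismatches(SAMPLE_AGENTS):
        print(f"{agent_id} {name}: ip={ip} registerIP={register_ip}")
```

Run against a saved list of agent records, this gives the set of hosts where the address shown in Kibana is not the one the agent was registered with.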

Sandeep Renjith

Nov 10, 2021, 2:02:15 AM
to Wazuh mailing list
Hi Alex, 

Thanks for the reply.
We had tried the steps above. I just changed use-source-ip in ossec.conf in the manager and restarted wazuh manager. 
The IP shown in Kibana is still the wrong one. 

The IP shown in Kibana is used for troubleshooting purposes if there is a problem with the client. The IP currently shown doesn't have routes that let us access it in this case. 

Regards,
Sandeep

Alejandro Ruiz Becerra

Nov 12, 2021, 2:17:31 PM
to Wazuh mailing list
Hi again Sandeep

I've discussed this case internally with the core team, which is in charge of all the low level architecture and processes.
They told me that the agents' IP comes from their main network interface, in case there is more than one, as in your case. As you previously pointed out, it is taking the "wrong" interface, which I assume is the default on the agent's system. To show the correct IP in Kibana, the network interface which has connectivity with the Wazuh manager should be set as the system's default. The steps required to do this depend on the OS, but as a summary, the default gateway of the network routing table should be changed.

Regards,
Alex
