Incorrectly formatted message from agent

[mpo]

Hello,

I am having an issue with my communication between the server and agent.

Partial Log:

2018/09/10 18:00:30 ossec-remoted: ERROR: (1403): Incorrectly formatted message from agent '036' (host 'ip').

2018/09/10 18:03:37 ossec-remoted: ERROR: (1403): Incorrectly formatted message from agent '036' (host 'ip').

i check this link http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do

and i done step by step methods.

but nothing happened. keys is correct and ip is any. i have a old agent that works fine and its ok.

but when i want add new agent this problem occur .

i try tcp connection method also, but nothing.

Thanks!

best regards

[jesus.g...@wazuh.com]

Hi @mpo,

I need to know the version from the Wazuh manager and the version from the Wazuh agent to give you a better assistance

because we have changed ciphers and a few other things depending on your version.

In the mean time I'm going to help you explaining how to remove the agent and registering it again:

1. Remove the agent in the Wazuh manager (manager machine):

/var/ossec/bin/manage_agents -r 036

2. Stop the agent (agent machine):

/var/ossec/bin/ossec-control stop

3. Start authd in the Wazuh manager (manager machine):

// 3.1 Check if authd is already running
ps aux | grep authd
// root      5383  3.0  0.0 177508  3768 pts/1    Sl+  09:14   0:00 /var/ossec/bin/ossec-authd

// 3.2 Start authd if it's not running
/var/ossec/bin/ossec-authd

4. Register the agent using authd (agent machine):

/var/ossec/bin/agent-auth -m <manager_ip>
2018/09/11 09:15:34 agent-auth: INFO: Started (pid: 31647).
WARN: No authentication password provided.
INFO: Connected to 192.168.1.193:1515
INFO: Using agent name as: jesus-msi
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
INFO: Connection closed.

I'm assuming you have modified the ossec.conf file in the agent machine to replace MANAGER_IP by the manager IP.

Regards,

Jesús

[jesus.g...@wazuh.com]

Hello again,

Forgot to say you must restart both services once you are done:

systemctl restart wazuh-manager

and

systemctl restart wazuh-agent

Regards,

Jesús

[mpo]

Dear Jesús

thanks for reply

the manager version is : Wazuh v3.4.0 - Wazuh Inc. (in...@wazuh.com)

and the agent version is : Wazuh v3.6.1 - Wazuh Inc.

i re add the agent with your method (my auth manager donst work without password so i just use password)  but nothing happend.

its partial of my new ossec.log of manager :

2018/09/12 09:56:41 ossec-remoted: ERROR: (1403): Incorrectly formatted message from agent '037' (host 'agent_ip').

thanks again

and best regards

[jesus.g...@wazuh.com]

Hi @mpo,

The Wazuh manager version must be greater or equal than the Wazuh agent version. Also the Wazuh agent 3.6.1 uses a different cipher for communicating

that is not accepted by Wazuh manager 3.4.0. At this point, my suggestion is to upgrade your Wazuh manager or downgrade your agent.

• Upgrading same major: 
• https://documentation.wazuh.com/current/installation-guide/upgrading/latest_wazuh3_minor.html#upgrading-latest-minor
• Product compatibility: 
• https://documentation.wazuh.com/current/installation-guide/compatibility_matrix/index.html#product-compatibility

I hope it helps.

Regards,

Jesús

[mpo]

thanks it works

best regars

[jesus.g...@wazuh.com]

Ok @mpo, happy to help.

Regards!

[Simon Tideswell]

BTW the upgrade documentation mentioned above suggests upgrading in the following order agent -> manager -> ELK. Clearly this is now wrong and it's an understandable mistake to have proceeded to upgrade the agent first.

Simon

[jesus.g...@wazuh.com]

Hi Simon,

That's right, I've just created a ticket for the https://github.com/wazuh/wazuh-documentation repository, see https://github.com/wazuh/wazuh-documentation/issues/429 for details.

Indeed, you must upgrade the manager instances before the agents. 

One more time, thanks for your feedback. We really appreciate our community.

Regards,

Jesús