Problems after changing agent ip address


jorg...@gmail.com

Dec 30, 2020, 1:33:08 PM
to Wazuh mailing list
Hi,

I had to change some IPs on my servers and I followed some instructions that I found on the mailing list (https://groups.google.com/g/wazuh/c/BVDROfdHCms/m/LQZspL28AAAJ), but the Wazuh manager is not "accepting" the changes.

The ossec.log on the manager shows this several times:

 ossec-analysisd: WARNING: Rootcheck database '(ServerName) NEW_IP_ADDRESS->rootcheck' has been deleted. Recreating.

The file in /var/ossec/queue/agent-info is missing, although I changed the name.

Now the agent shows as disconnected.

How can I solve this?

Thank you.


Juan Ricci

Dec 30, 2020, 5:55:08 PM
to Wazuh mailing list
Hello Jorge,

In order to get a better overview of the issue, please let me know:
- The Agent and Manager version
- The operating system(s) where Agents and Manager are running
- The steps you followed to do the IP address change on both sides 

My advice is to reconnect the Agent to the Manager by re-validating the key on both sides:
- From the Manager machine please run: /var/ossec/bin/manage_agents -e <your-agent-id>. This command returns the key that belongs to the selected Agent.
- From the Agent machine please run the following command and use the Agent key returned by the Manager: /var/ossec/bin/manage_agents -i <agent-key>
- In the Agent machine: check if the <address> tag in the configuration file /var/ossec/etc/ossec.conf has the Manager's IP address.
- Restart your wazuh-agent by running systemctl restart wazuh-agent or service wazuh-agent restart

Please let me know if this works for you.

jorg...@gmail.com

Jan 11, 2021, 6:36:46 AM
to Wazuh mailing list
Hi,

Sorry for the delay

I'm using Wazuh 3.9.3 in both
Ubuntu 16.04 LTS in both

I followed these instructions from this link: https://groups.google.com/g/wazuh/c/BVDROfdHCms/m/LQZspL28AAAJ

- Stop the manager. To do this, for example, in the CentOS you will need to run this command: systemctl stop wazuh-manager
- In the manager and agent machines please modify the file /var/ossec/etc/client.keys. There will be four values separated by spaces, and the third value is the IP that you will need to change. On the manager side you will have the list of agents that are registered to this manager, please change the ip value of the agent that you need.
- Rename the name of the file /var/ossec/queue/agent-info/<your-agent-name>-<your-agent-ip> to /var/ossec/queue/agent-info/<your-agent-name>-<your-agent-new-ip>
- Rename the name of the file /var/ossec/queue/rootcheck/<your-agent-name>-<your-agent-ip> to /var/ossec/queue/rootcheck/<your-agent-name>-<your-agent-new-ip>
- Then, restart both your agent and your manager.


I followed your instructions but the problem still persists:

2021/01/11 11:27:26 ossec-analysisd: WARNING: Rootcheck database '(ServerName) ip_address->rootcheck' has been deleted. Recreating.
2021/01/11 11:27:26 ossec-analysisd: WARNING: Rootcheck database '(ServerName) ip_address->rootcheck' has been deleted. Recreating.
2021/01/11 11:27:26 ossec-analysisd: WARNING: Rootcheck database '(ServerName) ip_address->rootcheck' has been deleted. Recreating.
2021/01/11 11:27:26 ossec-analysisd: WARNING: Rootcheck database '(ServerName) ip_address->rootcheck' has been deleted. Recreating.
2021/01/11 11:29:29 ossec-analysisd: WARNING: Rootcheck database '(ServerName) ip_address->rootcheck' has been deleted. Recreating.

And the files /var/ossec/queue/agent-info/<your-agent-name>-<your-agent-ip> and /var/ossec/queue/rootcheck/<your-agent-name>-<your-agent-ip> are missing


Thank you.
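
A consistency check for the IP-change procedure quoted in the thread, as an added example that is not part of the original posts and not Wazuh's own code. It assumes the client.keys layout described above (four space-separated values, the third being the IP) and the agent-info file name <your-agent-name>-<your-agent-ip>; the function names, agent names, addresses and keys are constructed.

```python
"""Compare manager and agent client.keys entries after an agent IP change."""

def parse_client_keys(text):
    """Map agent id -> (name, ip, key) from client.keys content."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # not an "id name ip key" entry
            continue
        agent_id, name, ip, key = parts
        entries[agent_id] = (name, ip, key)
    return entries

def check_agent(agent_id, manager_keys, agent_keys, new_ip, agent_info_files):
    """Return findings for one agent; an empty list means both sides agree."""
    m = parse_client_keys(manager_keys).get(agent_id)
    a = parse_client_keys(agent_keys).get(agent_id)
    if m is None or a is None:
        side = "manager" if m is None else "agent"
        return [f"agent {agent_id} has no entry in the {side} client.keys"]
    findings = []
    if m[0] != a[0]:
        findings.append(f"name differs: manager={m[0]} agent={a[0]}")
    if m[1] != a[1]:
        findings.append(f"ip differs: manager={m[1]} agent={a[1]}")
    if m[2] != a[2]:
        # Never print key material, only the fact that it differs.
        findings.append("key differs between manager and agent")
    if m[1] != new_ip:
        findings.append(f"manager lists ip {m[1]}, expected {new_ip}")
    expected = f"{m[0]}-{new_ip}"  # agent-info naming from the thread
    if expected not in agent_info_files:
        findings.append(f"agent-info file {expected} not found")
    return findings

# Constructed sample: the manager was edited, the agent copy and the
# agent-info file still carry the old address.
MANAGER_KEYS = ("001 web01 192.0.2.20 CONSTRUCTEDKEY0001\n"
                "002 db01 192.0.2.31 CONSTRUCTEDKEY0002\n")
AGENT_KEYS = "001 web01 192.0.2.10 CONSTRUCTEDKEY0001\n"
AGENT_INFO = ["web01-192.0.2.10", "db01-192.0.2.31"]

if __name__ == "__main__":
    for finding in check_agent("001", MANAGER_KEYS, AGENT_KEYS,
                               "192.0.2.20", AGENT_INFO):
        print(finding)
```

To use it on real hosts, pass the contents of /var/ossec/etc/client.keys from each side and the file names listed in /var/ossec/queue/agent-info on the manager.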