Cannot find the ID of the agent. Source agent ID is unknown.


teodorescu radu

Apr 8, 2024, 6:58:54 AM
to Wazuh | Mailing List
Hello,

Hello team,
I am using Wazuh 4.7; I just installed it. I am trying to send logs from a Fortigate firewall into Wazuh and I am receiving these errors:
IP 10.20.20.1 is the Fortigate IP.

Apr 6, 2024 @ 10:54:33.000 wazuh-remoted WARNING (1213): Message from '10.20.20.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.

Checking online for solutions, it seems that it is related to the cluster config in ossec.conf. I tried to comment the line disabled to YES, but it is not working; I am receiving the error below. Please help.

-------------------------------Error-----------------
Error: Could not update configuration (1908) - Error validating configuration
at Function.returnErrorInstance (https://10.20.20.7/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:186528)
at Function._callee2$ (https://10.20.20.7/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:184748)
at tryCatch (https://10.20.20.7/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:786910)
at Generator.invoke [as _invoke] (https://10.20.20.7/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:790926)
at Generator.next (https://10.20.20.7/47302/bundles/plugin/customImportMapDashboards/customImportMapDashboards.plugin.js:13:788105)
at asyncGeneratorStep (https://10.20.20.7/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:178377)
at _next (https://10.20.20.7/47302/bundles/plugin/wazuh/wazuh.plugin.js:1:178688)


cluster configuration:

[image]

Best Regards,

Radu

Stuti Gupta

Apr 9, 2024, 12:47:59 AM
to Wazuh | Mailing List
Hi teodorescu radu

This log message appears because the Wazuh Manager remoted daemon receives a package coming from an IP address that is not allowed. As this IP isn't recognized, the ID of the agent can't be obtained to decrypt the message; this is what the message refers to.

Usually, this happens when an agent is registered with a defined IP and, for some reason, that IP changes (this has happened a lot during the new home office modality at some companies).

As you may know, agents can be registered with "any" IP or with a specific IP. If the IP address is specified, Wazuh Manager expects that this agent always connects with the same IP.

To know if this is the case, and which agent is having this problem: did you notice an agent being disconnected when you expect it to be connected?
To check this, we can run the following command and check whether any of these disconnected agents isn't expected to be in this state.

/var/ossec/bin/agent_control -l | grep Disconnected

If this is the case, you probably have an agent that should be re-registered. You can use the new IP, or the "any" IP if this agent will continue changing its IP address.

Please let me know if this helps and if this root cause was correct.

Best regards.
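
An added example (not from the thread or the Wazuh project): a Python triage that lists the source IPs rejected with warning 1213 and compares them with the addresses agents were registered with, following the reply above. The `client.keys` field layout, the CIDR handling, and every sample agent, key and log line other than the one quoted in the thread are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data. Only the first log line is quoted from the thread;
# the second source IP, the agents and the keys are made up for illustration.
SAMPLE_LOG = """\
Apr 6, 2024 @ 10:54:33.000 wazuh-remoted WARNING (1213): Message from '10.20.20.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2024/04/06 10:54:40 wazuh-remoted: WARNING: (1213): Message from '10.20.20.1' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2024/04/06 10:55:02 wazuh-remoted: WARNING: (1213): Message from '10.20.20.77' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
"""
# Assumed client.keys layout: "<id> <name> <ip | cidr | any> <key>".
SAMPLE_KEYS = """\
001 web01 any KEY-PLACEHOLDER
002 laptop-a 10.20.20.50 KEY-PLACEHOLDER
003 branch-gw 10.30.0.0/24 KEY-PLACEHOLDER
"""

REJECTED = re.compile(r"\(1213\): Message from '([^']+)' not allowed")


def parse_client_keys(text):
    """Return (id, name, registered_address) for each well-formed entry."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(f[:3]) for f in rows if len(f) >= 4]


def covers(registered, src):
    """True if a registration address (IP, CIDR or 'any') covers src."""
    if registered == "any":
        return True
    try:
        return ipaddress.ip_address(src) in ipaddress.ip_network(registered, strict=False)
    except ValueError:
        return False  # malformed address in the log or the keys file


def fixed_ip_agents(keys_text):
    """Agents registered with a specific address: the re-registration candidates."""
    return [a for a in parse_client_keys(keys_text) if a[2] != "any"]


def triage(log_text, keys_text):
    """Map each rejected source IP to its hit count and the fixed-address agents covering it."""
    fixed = fixed_ip_agents(keys_text)
    return {src: {"count": n, "fixed_ip_matches": [a[0] for a in fixed if covers(a[2], src)]}
            for src, n in Counter(REJECTED.findall(log_text)).items()}


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG, SAMPLE_KEYS).items():
        print(src, info)
```

A rejected source with an empty `fixed_ip_matches` list has no fixed-address registration covering it, so the agents returned by `fixed_ip_agents` are the ones to compare against the disconnected list from `agent_control -l`.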

Stuti Gupta

Apr 10, 2024, 6:10:11 AM
to Wazuh | Mailing List
Hi 

Please let me know if this helps