Default Agent ID 000 | Agent Name | Syslog Integration
404 views
Skip to first unread message
John Carry
Jan 27, 2023, 2:54:31 AM1/27/23
to Wazuh mailing list
Hello Team,
Your prompt and professional support is always appreciated, you guys are doing great Job.
As already know that Agent is assigned default ID of 000 and Name of Server itself i-e localhost.xxx in my case, I want to know is there a way we can change the agent ID or at least the agent name so that it is viewed in a more effective way.
If there is possibility then please share the reference steps.
Regards,
John
Message has been deleted
Cedrick Foko
Jan 27, 2023, 5:54:06 AM1/27/23
to Wazuh mailing list
Hi John,
Thank you for using Wazuh!
Information shown on the dashboard about agents are read from /var/ossec/queue/db/global.db database.
If you want to change the name displayed for any agent, you should change it in that database following this process:
-Stop wazuh-manager service
systemctl stop wazuh-manager
-Open the global.db file using sqlite3
cd /var/ossec/queue/db/
sqlite3 global.db
-Change the name of the agent in agent table
update agent set name='<new_name>' where id=<agent's_id>;
-Restart the wazuh-manager service
systemctl start wazuh-manager
Alternatively, you can use API insert endpoint to re-enroll your agents with new names and keeping the same ID. More information in the documentation.
I hope this will help solving your issue.
Don't hesitate to ask if you have any other question.
Thank you for using Wazuh!
Information shown on the dashboard about agents are read from /var/ossec/queue/db/global.db database.
If you want to change the name displayed for any agent, you should change it in that database following this process:
-Stop wazuh-manager service
systemctl stop wazuh-manager
-Open the global.db file using sqlite3
cd /var/ossec/queue/db/
sqlite3 global.db
-Change the name of the agent in agent table
update agent set name='<new_name>' where id=<agent's_id>;
-Restart the wazuh-manager service
systemctl start wazuh-manager
Alternatively, you can use API insert endpoint to re-enroll your agents with new names and keeping the same ID. More information in the documentation.
I hope this will help solving your issue.
Don't hesitate to ask if you have any other question.
John Carry
Jan 27, 2023, 9:46:35 AM1/27/23
to Wazuh mailing list
Hello cedric,
Thanks for your response, I understood your explanation, but the problem is we have multiple agents having ID as 000 so the only unique parameter to identify agent through your method seems the field location, you are requested to share the required steps using location or you are requested to recommend other steps if possible.
Regards,
John
John Carry
Jan 30, 2023, 11:11:14 AM1/30/23
to Wazuh mailing list
Hello Team Wazuh,
Can we have the response ?
John Carry
Feb 1, 2023, 5:46:57 AM2/1/23
to Wazuh mailing list
Hello Wazuh Team,
Waiting for response from your end.
Cedrick Foko
Feb 1, 2023, 11:20:31 AM2/1/23
to Wazuh mailing list
Hi John,
Sorry for the late response.
- It is unusual having many agents with the same ID on the dashboard. In that case, API insert endpoint is a good alternative.
- The id used for requests in sqlite3 is not the same as the one seen on the Wazuh dashboard. The ones in global.db database are integers and are primary keys for the agent table. So you cannot have many agent with the same ID in the database.
I hope these information will help.
Let me know if any other doubt arises.
Reply all
Reply to author
Forward
0 new messages