Port forwarding on the host with wazuh manager.


Ilya Student

May 19, 2023, 1:44:31 PM
to Wazuh mailing list
Good day to everyone. I have the following problem: access to the server where the Wazuh manager is installed goes through a proxy, and each port (TCP and UDP) is opened to the external network separately through the web interface for interface management. Therefore, in the Wazuh agent configuration file I specified port 5220 instead of 1514, since the server forwards port 5220 to 1514. However, I do not understand how to deal with port 1515: the Wazuh agent is registered, but no further data transfer takes place, and I observed the corresponding errors in both the Wazuh manager log and the Wazuh agent log. Please tell me how to solve this problem, if possible.
Log from Wazuh Manager  
2023/05/19 16:48:20 wazuh-authd: INFO: New connection from
2023/05/19 16:48:20 wazuh-authd: INFO: Received request for a new agent (HTTP_SSH_Honeypot) from:
2023/05/19 16:48:20 wazuh-authd: WARNING: Duplicate name 'HTTP_SSH_Honeypot', rejecting enrollment. Agent '001' doesn't comply with the registration time to be removed.

Log from Wazuh Agent
2023/05/19 19:44:57 wazuh-agentd: ERROR: Duplicate agent name: HTTP_SSH_Honeypot (from manager)
2023/05/19 19:44:57 wazuh-agentd: ERROR: Unable to add agent (from manager)
2023/05/19 19:45:07 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: ''.
2023/05/19 19:45:07 wazuh-agentd: WARNING: Unable to connect to any server.
2023/05/19 19:45:07 wazuh-agentd: INFO: Closing connection to server ([]:5511/tcp).
2023/05/19 19:45:07 wazuh-agentd: INFO: Trying to connect to server ([]:5511/tcp).
2023/05/19 19:45:17 wazuh-agentd: INFO: Closing connection to server

Diego Ariel Balbuena

May 19, 2023, 3:11:19 PM
to Wazuh mailing list
Hi Ilya, thank you for sharing with the community!


Could you please share with us further information about the Wazuh version and how the proxy is configured for these connections?
  • How does the proxy handle the connections?
  • Are they source NATed?
  • Are they proxied at the application or network level?
According to the architecture documentation, port 1515 is proposed for the Agent enrollment service.

Please follow the guidelines for Testing communication with the Wazuh manager

Could it be possible that every agent tries to connect with the same source IP?
  • Check the use_source_ip in the <client> configuration in Wazuh agent
  • Check the use_source_ip in the <auth> configuration in Wazuh manager
Finally, please check the Agent Life Cycle docs in order to identify a possible agent duplication as the logs show.

I hope this helps!
Diego

Ilya Student

May 19, 2023, 3:55:22 PM
to Wazuh mailing list
Hi Diego, the Wazuh version is 4.4. Yes, a NATed proxy is used for forwarding from an external IP to an internal one: to access the server on TCP port 80, I have the following rule: Wazuh_Manager_Server_IP_External:5449 -> Wazuh_Manager_Server_IP_Internal:80. To establish the connection between agent and manager, I created similar rules for TCP ports 1514 and 1515. At the moment I am trying to connect only one agent. In the Wazuh dashboard I get a message that the agent is registered, but no data comes from it (in the ossec.conf of the Wazuh agent I specified port 5511, traffic from which is redirected using Nginx Proxy to 1514). I tried to specify the external ports of the Wazuh manager in the config file, from which traffic is redirected to 1514 and 1515, respectively.

On Saturday, May 20, 2023 at 02:11:19 UTC+7, Diego Ariel Balbuena wrote:
Testing_connection.png
Config.png

Ilya Student

May 19, 2023, 3:56:47 PM
to Wazuh mailing list
5511 -> 1514, 5513 -> 1515

On Saturday, May 20, 2023 at 02:55:22 UTC+7, Ilya Student wrote:

Diego Ariel Balbuena

May 19, 2023, 6:39:11 PM
to Wazuh mailing list
Hi Ilya, thank you for your quick update

Based on the shared configuration I see you have configured two <server> sections in your agent configuration file.

Please check the <server> reference; its definition is: "Configures the connection parameters for each server an agent connects to."
It refers to the Agent connection service (port 1514).
You should only configure the IP and Port of the manager where the agent will send the alerts.

Then, as I commented, port 1515 is proposed for the Agent enrollment service. The enrollment parameters and their usage can be found here.

Check the sample configuration.

I hope it helps!
Diego
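As an added example (not from this thread and not the Wazuh project's own sample), here is an agent-side ossec.conf <client> block for the mapping Ilya describes (external 5511 -> 1514, external 5513 -> 1515). The manager's external address 203.0.113.10 and the agent name are assumptions. The point Diego makes is visible in the shape of the block: <server> carries only the agent connection port, and enrollment is a separate service with its own <enrollment> block, which is where the forwarded 1515 port belongs.

```xml
<!-- Added example; not the configuration from the thread or the Wazuh docs. -->
<!-- Assumed: the manager's external address is 203.0.113.10 (TEST-NET-3),   -->
<!-- the NAT rules on that host forward 5511 -> 1514 (agent connection) and   -->
<!-- 5513 -> 1515 (enrollment), and the agent is named HTTP_SSH_Honeypot.     -->
<ossec_config>
  <client>
    <!-- Exactly one <server> entry: the agent connection service, which
         listens on manager port 1514 and is reached here through the
         forwarded external port 5511. Do not add a second <server> for 1515. -->
    <server>
      <address>203.0.113.10</address>
      <port>5511</port>
      <protocol>tcp</protocol>
    </server>

    <!-- Enrollment is a separate service (manager port 1515). Without this
         block the agent enrolls against the default port 1515 on the same
         address, which the NAT rules assumed above do not forward. -->
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>203.0.113.10</manager_address>
      <port>5513</port>
      <agent_name>HTTP_SSH_Honeypot</agent_name>
    </enrollment>
  </client>
</ossec_config>
```

Two checks worth doing alongside this. First, the manager log in the opening post says `Duplicate name 'HTTP_SSH_Honeypot', rejecting enrollment. Agent '001' doesn't comply with the registration time to be removed`: a record for that name already exists on the manager and wazuh-authd will not replace it until the existing agent has been disconnected for at least the configured removal time, so a second enrollment attempt with the same name is rejected rather than silently overwriting the old key; remove the stale agent on the manager (or enroll under a new name) instead of retrying. Second, because the proxy source-NATs the connections, every agent behind it presents the same source IP to the manager, which is why the use_source_ip settings Diego lists matter here.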

Diego Ariel Balbuena

May 19, 2023, 6:40:23 PM
to Wazuh mailing list
Remember to check the Agent Life Cycle docs in order to identify a possible agent duplication as the logs show.

Ilya Student

May 20, 2023, 6:25:50 AM
to Wazuh mailing list
Diego, thanks a lot! I've added an enrollment block to specify port 55xx instead of the default 1515, and it all works fine now. So the problem was precisely in establishing the connection between the agent and the Wazuh manager; I do not understand why an error related to duplication of the agent's name appeared. But nevertheless, thanks again.

On Saturday, May 20, 2023 at 05:40:23 UTC+7, Diego Ariel Balbuena wrote:

Ilya Student

May 23, 2023, 2:24:48 PM
to Wazuh mailing list
Hello again! I have another problem: I configured sending logs from two hosts, but I'm not receiving the JSON logs from one host. The first screenshot shows the configuration of the ossec.conf file on the host, and the other shows my custom ruleset settings for event processing. I've tested it with my logs, and they have been parsed successfully. I checked that the logs are not being transmitted, even in raw form, to the Wazuh manager. The problem is that the logs specified by default (syslog, apache, and others) are received successfully, but for some reason these logs are not. Examples of the logs that I'm not receiving on the Wazuh manager are listed below. Also, there were no errors in the agent's log while checking these files.

{"timestamp": "2023-05-21T00:43:05.741783", "server": "ftp_server", "action": "connection", "src_ip": "71.6.134.232", "src_port": "35654", "dest_ip": "My_IP", "dest_port": "21"}

{"timestamp": "\"2023-05-20 22:15:39.095655\"", "hostname": "vm2285790", "src_ip": "167.94.138.159", "src_port": "24016", "dst_ip": "MY_IP", "dst_port": "16012", "protocol": "TCP", "type": "IP", "trail": "167.94.138.159", "info": ""mass scanner" (static)"}
On Saturday, May 20, 2023 at 17:25:50 UTC+7, Ilya Student wrote:
que_3.png
que_2.png
que_1.png
que_4.png

Ilya Student

May 23, 2023, 2:28:04 PM
to Wazuh mailing list
**Phase 1: Completed pre-decoding.
        full event: '{"timestamp": "\"2023-05-20 22:15:39.095655\"", "hostname": "vm2285790", "src_ip": "167.94.138.159", "src_port": "24016", "dst_ip": "-", "dst_port": "16012", "protocol": "TCP", "type": "IP", "trail": "167.94.138.159"}'

**Phase 2: Completed decoding.
        name: 'json'
        dst_ip: '-'
        dst_port: '16012'
        hostname: 'vm2285790'
        protocol: 'TCP'
        src_ip: '167.94.138.159'
        src_port: '24016'
        timestamp: '"2023-05-20 22:15:39.095655"'
        trail: '167.94.138.159'
        type: 'IP'

**Phase 3: Completed filtering (rules).
        id: '100011'
        level: '11'
        description: '167.94.138.159 tried to connect with port 16012 of receiver.'
        groups: '["Cowrie_logs"]'
        firedtimes: '1'
        mail: 'false'

**Alert to be generated.

On Wednesday, May 24, 2023 at 01:24:48 UTC+7, Ilya Student wrote:
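As an added example (the screenshots with Ilya's actual configuration are not on this page, so this is not his configuration and not Wazuh's own sample): the two pieces that have to be in place for the wazuh-logtest result above to be reproduced on live traffic. On the agent, a <localfile> with log_format json so each line goes to the built-in json decoder; on the manager, a local rule that yields exactly the fields the logtest output shows (id 100011, level 11, group Cowrie_logs, description built from src_ip and dst_port). The log file path is an assumption.

```xml
<!-- Added example, not the thread's own configuration. The file path and the
     rule body are assumptions chosen to match the wazuh-logtest output above. -->

<!-- Agent side, in ossec.conf. The json log_format expects one complete,
     well-formed JSON object per line; the decoded keys become event fields. -->
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/honeypot/connections.json</location>
  </localfile>
</ossec_config>

<!-- Manager side, in /var/ossec/etc/rules/local_rules.xml. The group name
     is what appears as groups: '["Cowrie_logs"]' in the logtest output. -->
<group name="Cowrie_logs,">
  <rule id="100011" level="11">
    <decoded_as>json</decoded_as>
    <!-- In OS_Regex, \. matches any character, so \.+ means "non-empty". -->
    <field name="src_ip">\.+</field>
    <field name="dst_port">\.+</field>
    <description>$(src_ip) tried to connect with port $(dst_port) of receiver.</description>
  </rule>
</group>
```

Since the rule already fires in wazuh-logtest, the gap is upstream of ruleset matching. One thing to verify before looking at the transport: the json log_format only forwards lines that parse as a single JSON object, and the second sample line as pasted in the previous message contains an unescaped quote inside the info value (`"info": ""mass scanner" (static)"`), which is not valid JSON; the line Ilya fed to logtest omits that field. Running the source file through a JSON parser line by line, and running the agent's logcollector in debug mode while a new line is appended, will show whether the lines are being read and forwarded at all.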