Agent Enrollment | Validation


John Carry

Feb 16, 2023, 2:55:11 AM
to Wazuh mailing list
Hello Wazuh Team,
Hopefully you are doing great. I have a query regarding the agent enrollment backend working...
Please try to answer the below-mentioned points:

1) What parameter is validated when an agent is enrolled to Wazuh: its IP or its hostname?
2) What if we want to enroll an agent by a custom name instead of the default hostname?
3) Best practice to integrate an agent with the Wazuh manager?


Issues:
We have integrated several agents to Wazuh, but some of them are showing duplications in a way that the earlier one, which is in disconnected state, is identified by hostname and the duplicate one is identified by username, so I want to ask what is causing this issue? Why after some time are duplicates created with different names while the IP remains the same?


Cedrick Foko

Feb 16, 2023, 3:41:11 AM
to Wazuh mailing list
Hi John,
Thank you for using Wazuh.
  1. The first parameter used to identify an agent during the enrollment process is its ID. The name must also be different, meaning that you cannot have many agents with the same name. The validated parameter is then the agent's name, because IDs are generated automatically and incremented by 1 for every enrollment.
  2. By default, agents are enrolled with their hostname, but you can use a custom name for enrollment with the -A parameter of the agent-auth program. More information here: agent-auth - Tools · Wazuh documentation
  3. Sometimes, agents need to be enrolled manually. Always make sure your agent's ossec.conf file contains the manager's IP address. More information here: Enrollment via agent configuration - Wazuh agent enrollment
    Also, always make sure the agent's client.keys file contains a key and that it is the same as the one found in the manager's client.keys file for the agent.
If duplicate agents are created with different names, it means auto-enrollment is enabled in the agent's configuration. When this option is enabled, the agent continuously sends enrollment requests to the manager. When the manager receives the request, it provides a new key, saves the new configuration and sets the previous one as disconnected.
To disable this option, open your agent's ossec.conf file, find the <auto-method> tag in the <enrollment> block and set its value to no. Then restart your wazuh-agent service: systemctl restart wazuh-agent (on Linux) or Restart-Service -Name wazuh (on Windows PowerShell).

I hope you find this helpful.
Don't hesitate to ask if you have any other questions.
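A check for the duplicate pattern discussed in this thread (one IP carrying several agent names, with the older entry disconnected), as an added example that is not part of the original posts and is not Wazuh's own code. The inventory records and their field names (id, name, ip, status) are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real data). The field names id, name, ip
# and status are assumptions made for this example.
SAMPLE_AGENTS = [
    {"id": "003", "name": "WEB-SRV-01", "ip": "10.0.5.21", "status": "disconnected"},
    {"id": "017", "name": "jsmith", "ip": "10.0.5.21", "status": "active"},
    {"id": "004", "name": "DB-SRV-01", "ip": "10.0.5.30", "status": "active"},
    {"id": "009", "name": "LAPTOP-7", "ip": "any", "status": "never_connected"},
    {"id": "011", "name": "FILE-01", "ip": "10.0.5.44", "status": "disconnected"},
    {"id": "012", "name": "FILE-01-OLD", "ip": "10.0.5.44", "status": "disconnected"},
]


def find_reenrolled_hosts(agents):
    """Return {ip: {"current": [...], "stale": [...]}} for every IP that
    carries more than one agent name, the pattern described in the thread."""
    by_ip = defaultdict(list)
    for agent in agents:
        ip = (agent.get("ip") or "").strip()
        # "any" or an empty value says nothing about the host, so skip it.
        if not ip or ip.lower() == "any":
            continue
        by_ip[ip].append(agent)

    findings = {}
    for ip, group in by_ip.items():
        # A single name on an IP is the normal case and is not reported.
        if len({a["name"] for a in group}) < 2:
            continue
        current = sorted(a["id"] for a in group if a["status"] == "active")
        stale = sorted(a["id"] for a in group if a["status"] != "active")
        # Agents behind one NAT address also share an IP, so a finding is a
        # candidate for review, not proof of a duplicate enrollment.
        findings[ip] = {"current": current, "stale": stale}
    return findings


if __name__ == "__main__":
    for ip, f in sorted(find_reenrolled_hosts(SAMPLE_AGENTS).items()):
        print(f"{ip}: active IDs {f['current']}, stale IDs {f['stale']}")
```

Stale IDs reported for an IP are the entries to review before removing them from the manager.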