Hi M Barbero
As @sc-chad comments in the issue https://github.com/wazuh/wazuh/issues/125, we don’t have a special feature to do this action, but it is on our roadmap.
But you can always use a script to do this action, something like the following code obtained from here:
#!/bin/bash
# This is to be run on the OSSEC server; the path for OSSEC is /var/ossec/
file=agents.txt
/var/ossec/bin/agent_control -l > "$file"
# Wipe working tmp files (-f: do not fail if they do not exist yet)
rm -f remove.txt
rm -f removed.txt
echo -n "" > remove.txt
echo -n "" > removed.txt
# Find Disconnected agents
while IFS= read -r line
do
    ids=$(echo "$line" | awk '{print $2}')
    status=$(echo "$line" | awk '{print $NF}')
    if [ "$status" == "Disconnected" ]; then
        echo "$ids" >> remove.txt
    fi
done < "$file"
# Find Never connected agents
while IFS= read -r line
do
    ids=$(echo "$line" | awk '{print $2}')
    status=$(echo "$line" | awk '{ if (NF > 1) print $(NF-1),$NF ; else print $NF; }')
    if [ "$status" == "Never connected" ]; then
        echo "$ids" >> remove.txt
    fi
done < "$file"
# Remove the trailing character (the comma after each ID)
sed 's/.$//' remove.txt > removed.txt
# Remove agents with IDs in removed.txt file
file2=removed.txt
## If you are running wazuh 2.0 and ossec-authd you need to turn off ossec-authd before removing the agents.
while IFS= read -r line
do
    /var/ossec/bin/manage_agents -r "$line"
done < "$file2"
## Then don't forget to turn on ossec-authd again.
# Restart OSSEC service
/var/ossec/bin/ossec-control restart
# End
This will remove ALL disconnected or never connected agents, so you need to BE VERY CAREFUL.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7f747a01-6c2e-4a11-a78c-f268eb8c615f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
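A dry-run preview of the cleanup described in the message above, as an added example that is not part of the original thread or of Wazuh's own tooling: it parses the agent listing in one pass and only prints the removal commands so the ID list can be reviewed before anything is deleted. The sample listing is constructed, and its layout is an assumption based on the fields the script above reads; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: preview which agents the cleanup would remove.
# SAMPLE_LIST is constructed; its layout is assumed from the fields the
# thread's script reads (second word = "ID," and the status at line end).
SAMPLE_LIST='Wazuh agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: any, Active
   ID: 002, Name: db01, IP: 10.0.0.5, Disconnected
   ID: 003, Name: old-build, IP: any, Never connected
   ID: 004, Name: Disconnected-lab, IP: any, Active'

# Print the IDs whose status (the text after the last comma) is exactly
# "Disconnected" or "Never connected". Reads the listing on stdin.
stale_agent_ids() {
    awk -F', *' '
        $1 ~ /^ *ID: [0-9]+$/ {
            status = $NF
            sub(/[ \t\r]+$/, "", status)
            if (status == "Disconnected" || status == "Never connected") {
                id = $1
                sub(/^ *ID: /, "", id)
                print id
            }
        }'
}

# Print the removal commands instead of running them. Only lines that
# carried a purely numeric ID ever reach this point.
removal_plan() {
    stale_agent_ids | while IFS= read -r id; do
        printf '/var/ossec/bin/manage_agents -r %s\n' "$id"
    done
}

# On a manager: /var/ossec/bin/agent_control -l | removal_plan
printf '%s\n' "$SAMPLE_LIST" | removal_plan
```

Agent 004 stays out of the plan even though its name contains "Disconnected", because only the status field is compared.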
Miquel Barbero DevOps Engineer- XML Travelgate Tel: + 34 34 871 968 181 | Ext: 110
Hi Miguel,
That's correct, if you are running ossec-authd, you need to stop the service before removing agents.
This is because in some cases, at the same time you are removing one agent, ossec-authd is adding another, and both processes can write the file client.keys at the same time, and this can cause some problems (we are talking about huge environments).
So this is why we block removing agents when ossec-authd is enabled; however, we are working on fixing this problem in the next releases.
On May 12, 2017 at 3:34:41 AM, Miguel Barbero (mbar...@xmltravelgate.com) wrote:
Good morning again,
sorry, I didn't remember that I had changed the foo password.
Fixed that, I notice that I get a similar message error:
$ curl -u foo:password -k -X DELETE http://127.0.0.1:55000/agents/002
{"error":1704,"message":"Adding/removing agents via API when ossec-authd is running is not compatible."}
It seems I am forced to stop ossec-authd service temporarily, am I not?
Kind regards.
./clean-agents.sh -d +0
if [ $NAME != "Wazuh" ] || [ ${VERSION:0:2} = "v1" ] || [ ${VERSION:0:4} = "v2.0" ]
then
    stopauth
fi

if [ $NAME == "Wazuh" ] && ( [ ${VERSION:0:2} = "v1" ] || [ ${VERSION:0:4} = "v2.0" ] )
then
    stopauth
fi
if [ $NAME != "Wazuh" ] || [ ${VERSION:0:2} = "v1" ] || [ ${VERSION:0:4} = "v2.0" ]