Adding a wazuh-agent does not work correctly

[Filip Francis]

Hi all,

I am trying to add a wazuh-agent in wazuh 4.7.3 and there are a couple of things that is not populated correctly this is the command that i am using on the client host

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb && sudo WAZUH_MANAGER='x.x.x.x' WAZUH_AGENT_GROUP='Debian,Linux' WAZUH_AGENT_NAME='piholemain' dpkg -i ./wazuh-agent_4.7.3-1_amd64.deb

SO following things are not populated at all 

-) WAZUH_MANAGER is not populated in ossec.conf file keeps filling up with MANAGER_IP

-) WAZUH_AGENT is not being used in the wazuh dashboard it defaults each time to the actual name of the agent

-) also the agent i not being populated in the correct groups it keeps populating in default

    But my variable is WAZUH_AGENT_GROUP='Debian,Linux'

So is this a BUG? or am i doing something wrong

egards

Filip

[Santiago Padilla Alvarez]

Hi,
reproducing your case that happens because of the order in which the commands are executed.
To make a correct installation of a linux agent of Wazuh 4.7.3 I recommend you to follow the Wazuh documentation, in this guide where each step is explained and detailed.

I hope it will help you!
Thanks for using Wazuh!
Best Regards!

[Renzo Geelhoed]

Hi,

I experienced the same issue. Just copied the command in the add agent field in the wazuh interface. So it is indeed a bug but then not in the agent but in the generated command in the Wazuh manager.

Not a big problem, but can take a while to figure this out.

Kind regards,

Renzo

[Santiago Padilla Alvarez]

Hi,
This happens because on the machine where the command is being executed, the previous agent has not been correctly deleted or an attempt has been made to install an agent previously.
For the command to work correctly the agent must be properly uninstalled and the ossec.conf configuration file must not exist, for this it is advisable to follow the Wazuh uninstallation guide detailed here.
Once the agent is properly uninstalled, you can run the command and it will work without any problem.
I hope this is helpful!
Best Regards!

[Santiago Padilla Alvarez]

Hi,
Is it possible that you have previously installed an agent?
Could you tell me what steps you have followed for the installation and what OS you are testing?
So I can try to reproduce your use case, thanks!

[Renzo Geelhoed]

Hi, there is not a previously installed agent, I installed it on 2 different newly build virtual servers. There is not any error when you run the command, but when you try to start the agent it fails due to uncomplete config. If you then open the agent config you see that the manager server has no address. When you correct this, the agent can start and works fine.

Kind regards,

Renzo 

[Santiago Padilla Alvarez]

Hi Renzo,
In order to reproduce the bug,
could you please tell me the steps and the method you have used for the installation and which operating system you have used?
Thanks!
Best regards!

[Renzo Geelhoed]

Hi,

I click in the Wazuh manager on agents>add agent. I choose Linux DEBamd64, fill in the server address, and click on copy command. Output of this is:

wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.3-1_amd64.deb && sudo WAZUH_MANAGER='192.168.11.250' dpkg -i ./wazuh-agent_4.7.3-1_amd64.deb

which looks ok to me.

I paste this in a new Debian bookworm 12.5 LXC container in Proxmox. It then downloads and installs the agent. But the ossec.conf has MANAGER_IP on the place where the 192.168.11.250 should be.

If I manually fill this in, then the agent can start and register itself in the manager.

Kind regards,

Renzo

--

You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/HBXTJ1ozH-k/unsubscribe.

To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d76120bb-ba45-4c40-8811-75133f60d7e9n%40googlegroups.com.

[Santiago Padilla Alvarez]

Hi,
I just replicated it on a Debian LXC machine, and I have seen the following:
When launching a new LXC machine it does not come with "sudo" installed by default therefore when using the command you told me to download and install the agent "wget ..."
we get the error "bash: sudo: command not found" and when entering the file /var/ossec/etc/ossec.conf we see how the ip of the manager is still as "MANAGER_IP".
To install "sudo" we can do it using these commands:
apt-get update
apt-get install sudo
I have also had an error for not having installed the lsb-release dependency that is installed by apt-get install lsb-release.
Having sudo installed and without agent or with the agent completely uninstalled, we execute the command you told me "wget ..." and everything works correctly.
Could you confirm me if your case was due to this?
Thanks!

[Renzo Geelhoed]

Hi,

Yes, that was the case for me too. Sudo was not installed so I ran it without sudo. Also I had to install lsb-release, also without sudo. Install was without error so I thought it was ok.

I did not try to install sudo first. Maybe that was the problem indeed.

Thanks for your investigation!

Kind regards,

Renzo

On 29 Apr 2024, at 11:26, 'Santiago Padilla Alvarez' via Wazuh | Mailing List <wa...@googlegroups.com> wrote:

Hi,

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a236f554-914a-425c-afd0-91cae2df669fn%40googlegroups.com.

[Willie Poku]

I running into this same problem on proxmox PVE. I installed the server on a VM in PVE and I am able to see the dashboard but no agent is able to register after running the script on the agents. 

[Willie Poku]

I am running into this same problem. I have the server running in a VM on PVE. I have registered several clients, Kali Linux, Linux, Ubuntu, MacBook Pro and yet, none of them is able to connect to Wazuh for monitoring. I followed the instructions above and yet, no connection. I am able to ping the server IP address from any of the machine on the subnet. 

On Monday, April 29, 2024 at 7:58:56 AM UTC-4 Renzo Geelhoed wrote: