Agent registration issue.

[Gokul Suresh]

Hi Team,

I have been receiving the given warning for a while:

2025/03/26 18:00:09 wazuh-remoted: WARNING: (###): Invalid ID ### for the source ip: '###########' (name 'unknown').
2025/03/26 18:00:23 wazuh-authd: WARNING: Duplicate name '###########', rejecting enrollment. Agent '###' has not been disconnected long enough to be replaced.
2025/03/26 18:00:39 wazuh-authd: INFO: Received request for a new agent (###########) from: ###########
2025/03/26 18:00:39 wazuh-authd: WARNING: Duplicate name '#############', rejecting enrollment. Agent '###' can't be replaced since it is not disconnected.

I would like to know the the exact reason for this warning and also want to know how can I get rid of the given warning.

[Bony V John]

Hi,

The error that you have shared is related to the agent duplicate name issue, This typically occurs when a Wazuh agent tries to re-enroll using a different key while retaining the same agent name. You can follow the troubleshooting steps below to resolve this:
1. Check Network Stability

Ensure there is a stable and reliable network connection between the Wazuh Manager and the agents. If the connection is unstable, agents might try to re-enroll as new agents, which can lead to agent name duplication issues.

2. Check force_reconnect_interval Setting

Have you configured force_reconnect_interval in the Wazuh agent's ossec.conf file or in the shared agent.conf file from the manager?
If enabled, this setting forces the agent to reconnect to the Wazuh Manager at regular intervals, even if already connected, which can lead to duplication.

If it's enabled, consider disabling it.
You can refer to the Wazuh client configuration documentation for more details.

3. Remove the Existing Agent ID

On the Wazuh Manager, remove the conflicting agent ID (e.g., ID 063) by running the following command:

/var/ossec/bin/manage_agents -r 063

This command removes the agent entry from the manager to clear the conflict.

Restart the Wazuh Agent

On the Windows endpoint, restart the Wazuh agent to trigger re-enrollment:

Restart-Service -Name wazuh

On the Linux endpoint, run the below command to restart:

systemctl restart wazuh-agent

After restarting, the agent should automatically reappear in the Wazuh Manager with a new agent ID, resolving the duplication issue.

Additionally, you might find this GitHub issue helpful, as it describes a similar case and resolution steps.  

Also, you can refer this Wazuh reddit discussion which is similar to your issue.

If the issue still persists and you need further assistance, please share the following files for analysis:

• The Wazuh agent /var/ossec/etc/ossec.conf file

• The shared /var/ossec/etc/shared/agent.conf file (if applicable)

• The Wazuh agent /var/ossec/logs/ossec.log file from the agent that is showing this issue

This information will help in performing a deeper analysis to identify the root cause.