Sustain agent ID / key when reinstalling host


Robert A

Aug 31, 2022, 5:19:34 AM
to Wazuh mailing list
Hello, 

I'd like to ask you about best practice to hold same agent ID and key when doing OS upgrade by full reinstall (not upgrade).
During OS reinstall, agent is disconnected and after reinstall it is of course registered but under new ID. I would like the agent to stay under the same ID as earlier - before OS reinstall. 
I was thinking about disabling force insertion (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#force) of agent when hostname/IP is duplicated and commenting client.keys on wazuh server for the reinstall time. Next, after reinstall manually adding proper key to agent client.keys file. 

But above method seems a little inelegant.  Is there a better (proper) way to do it?

Regards,
Robert

antonio....@wazuh.com

Aug 31, 2022, 6:16:19 AM
to Wazuh mailing list

Hello Robert.

When the agent is updated, the agentID and the key should not be changed.
I have been testing it on my environment and both the key and the agent ID remained the same. I recommend that you take a look at the upgrade guide to follow the right steps. You can find it here

root@ubuntuagent:/home/vagrant# WAZUH_MANAGER="10.2.0.4" apt-get install wazuh-agent=4.0.0-1
......
root@ubuntuagent:/home/vagrant# /var/ossec/bin/ossec-control status
wazuh-modulesd not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-agentd not running...
ossec-execd not running...
root@ubuntuagent:/home/vagrant# cat /var/ossec/etc/client.keys 
004 ubuntuagent any 68b26925882ed905632025fdf4dd8e5b223ae9044f482882164b40934b4440c4

after updating

root@ubuntuagent:/home/vagrant# apt upgrade wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
wazuh-agent is already the newest version (4.3.7-1).
Calculating upgrade... Done
The following packages have been kept back:
  thermald ubuntu-advantage-tools
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
root@ubuntuagent:/home/vagrant# cat /var/ossec/etc/client.keys 
004 ubuntuagent any 68b26925882ed905632025fdf4dd8e5b223ae9044f482882164b40934b4440c4
root@ubuntuagent:/home/vagrant#

As you can see, the key and the ID remained the same.

Robert A

Aug 31, 2022, 6:24:11 AM
to Wazuh mailing list
Hey Antonio, I was referring to a complete reinstall of the OS on the host where the agent is installed. I'm shutting down the host and reinstalling the whole OS, then installing the agent from scratch - not upgrading only the agent.

Robert A

Sep 1, 2022, 7:20:40 AM
to Wazuh mailing list
Hey again, I was able to do what I wanted manually.

First, you have to add the proper config to the Wazuh server's ossec.conf in the <auth> section, to force it not to remove the agent after a specific period of time being disconnected:

    <force>
      <enabled>no</enabled>
      <disconnected_time enabled="no">15m</disconnected_time>
      <after_registration_time>15m</after_registration_time>
      <key_mismatch>yes</key_mismatch>
    </force>


Second, after installing wazuh agent - but before starting it - you have to export old agent key on wazuh server with: /var/ossec/bin/manage_agents

Next, you have to import the key to the wazuh agent, so on the host where the agent is installed you run: /var/ossec/bin/manage_agents -i {THE_KEY_YOU_EXPORTED}

And after that wazuh agent can be started and will connect properly with old ID.

Regardless of the solution above, I'd like to sustain my question: Is there any simpler, maybe built-in already option to deploy and rejoin wazuh-agent under the same ID after full OS reinstall?

Marcel Kemp

Sep 2, 2022, 5:09:59 AM
to Wazuh mailing list
Hi Robert,

If it is an agent installed from 0 that connects to a manager without a key, the main mechanism is designed to register it and give it a new key, so in principle it would not be possible.

However, manually following the key import procedure, as you have seen, it is possible.

There is also a capability called "Agent key polling" that you might be able to use in this case, although you would need to configure it. 
I share with you the link to the documentation so that you can evaluate if it is useful for you:

Note that Authd gives you the option to choose with the force option, whether to register the agent again when it comes with a duplicate name or IP, or on the contrary, not to allow it to register, but never overwrite the agent: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#force

I hope you find this useful, and if you have any questions, don't hesitate to ask.

Robert A

Sep 6, 2022, 5:08:15 AM
to Wazuh mailing list
Hey Marcel,

Thanks for showing some alternatives, but I'd like to understand the key polling more. 
So to be able to use agent-key-polling I would need new, external (not on the same system as wazuh manager) instance of db? And how do I feed this db with agents info - I need to move the agents info from "/var/ossec/queue/db" to this db or create some sort of integration between this db and wazuh manager?

Regards,
Robert

Marcel Kemp

Sep 7, 2022, 6:35:21 AM
to Wazuh mailing list
Hi again Robert,

Firstly, you need to set up an external database in which you have a table (in the script named 'agent') with the fields 'id', 'name', 'ip' and 'agent_key'.

  • It doesn't matter if the database is on the same system as Wazuh, or on a different system. You just need the machine that has Wazuh installed to have access to the DB.

Once you have created the DB, you just need to copy one of the scripts and configure it to first connect to the created DB and then, in the Wazuh configuration, specify the 'agent-key-polling' block, so that through the script Wazuh has access to the DB data and can obtain the agent's information.


Then, to feed the DB with the agent information, you simply need to insert the information contained in the '/var/ossec/etc/client.keys' file used for agent registration (where the agent's id, name, ip and agent_key are stored in order).
  • For example, you can first register an agent to the manager. Once the agent information is stored in the client.keys, you can insert it into the external DB. And from this point on, if you remove the agent from the manager, but it tries to reconnect, then it will first request the information from the DB and if it is returned correctly, then it will auto-register with the same information to the agent.

Once Wazuh is configured and the DB contains the agent information, you will be able to enjoy the agent-key-polling mechanism.

Any doubt or thing you don't understand, just ask.
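An added example, not code from the thread or from Wazuh itself, covering both procedures discussed above: Robert's manual export/import of a client.keys entry and Marcel's external 'agent' table (id, name, ip, agent_key) that a key-polling script queries by id or ip. It assumes the exported key is the base64 form of the "ID NAME IP KEY" line (what manage_agents -e prints and -i accepts); the client.keys content and the sqlite database are constructed here.

```python
import base64
import sqlite3

# Constructed sample in client.keys format, one "ID NAME IP KEY" line per agent
# (the first line is the one Antonio showed earlier in the thread).
SAMPLE_CLIENT_KEYS = """\
004 ubuntuagent any 68b26925882ed905632025fdf4dd8e5b223ae9044f482882164b40934b4440c4
# comment lines and blanks are ignored
005 webhost 10.2.0.50 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

FIELDS = ("id", "name", "ip", "agent_key")


def parse_client_keys(text):
    """Return one dict per agent line: id, name, ip, agent_key (the order in client.keys)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(dict(zip(FIELDS, line.split())))
    return entries


def export_key(entry):
    """Base64 of 'ID NAME IP KEY' (assumed to match what manage_agents -e prints on the manager)."""
    raw = " ".join(entry[f] for f in FIELDS)
    return base64.b64encode(raw.encode()).decode()


def import_key(exported):
    """Inverse of export_key: what manage_agents -i on the reinstalled host would decode."""
    return dict(zip(FIELDS, base64.b64decode(exported).decode().split()))


def load_agent_table(entries, path=":memory:"):
    """Create the 'agent' table Marcel describes and upsert each client.keys entry into it."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS agent "
                 "(id TEXT PRIMARY KEY, name TEXT, ip TEXT, agent_key TEXT)")
    conn.executemany("INSERT OR REPLACE INTO agent VALUES (:id, :name, :ip, :agent_key)", entries)
    conn.commit()
    return conn


def lookup_agent(conn, agent_id=None, ip=None):
    """The two questions a key-polling script must answer: find an agent by id, or by ip."""
    col, val = ("id", agent_id) if agent_id is not None else ("ip", ip)  # col is a fixed literal
    row = conn.execute(f"SELECT id, name, ip, agent_key FROM agent WHERE {col} = ?", (val,)).fetchone()
    return dict(zip(FIELDS, row)) if row else None
```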

Robert A

Sep 9, 2022, 7:45:50 AM
to Wazuh mailing list
Hi,

thank you for this, now all is fully understandable. Definitely will use the agent-key-polling feature in the near future.

Cheers!