Wazuh 3.12 Authentication error, Wrong key or corrupt payload.


Luke Lee

Jun 26, 2020, 12:16:47 AM
to Wazuh mailing list
Hi all, I have upgraded from 3.7 to 3.12 but I notice there is this error showing up and all my agents are not connected. 

Below is the screen of my Wazuh:


From ossec.log I have gotten these errors:

2020/06/26 12:13:22 ossec-remoted[22938] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '004' at 'xx.xx.xx.xx'.
2020/06/26 12:13:22 ossec-remoted[22938] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '122' at 'any'.
2020/06/26 12:13:22 ossec-remoted[22938] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '092' at ' xx.xx.xx.xx  '.

jeremias...@wazuh.com

Jun 26, 2020, 1:38:57 AM
to Wazuh mailing list
Hi Skyluke,
These error logs occur when a client communicates with the manager and the manager recognizes the IP or ID as one of the registered agents but is unable to decrypt the message. Of course, this leads to the connection problem that your agents are experiencing.
Have you upgraded both, manager and agents? Which version does each of them have now?
Can you check <crypto_method> defined on /var/ossec/etc/ossec.conf?

Regards.

Luke Lee

Jun 26, 2020, 3:14:04 AM
to Wazuh mailing list
Hi, yes, both are running the new clients. Just to check with you, I ran the following commands from the server to my clients; the firewall is ok, but from client to server it was not open. Is that ok?

nc -z -v -u ip 5910 (Kibana)
nc -z -v -u ip 55000 (ES)

Luke Lee

Jun 26, 2020, 3:23:33 AM
to Wazuh mailing list
Hi, my crypto method is "aes", but I did not change anything for that.


jeremias...@wazuh.com

Jun 26, 2020, 10:47:37 AM
to Wazuh mailing list
Hi Skyluke,
I asked for the crypto method in case the manager and agent had different versions and one of them wasn't able to handle the crypto method, but this is not the case.

It seems that Wazuh Manager isn't finding the correct key to decrypt.
To confirm the keys are ok: can we check the content of /var/ossec/etc/client.keys on one of the agents with connection lost, and compare it with the same entry in the same file on the manager?
Also, can you try to re-register one of the Agents to check if communication returns? (https://documentation.wazuh.com/3.12/user-manual/registering/index.html)

I don't think this is a network problem, because the manager is receiving the agents' packages and you started experiencing this issue right after the upgrade, but if even re-registering the agent doesn't work, we can try to open the firewall and we can try changing the communication protocol to TCP on both agent and manager. To do this, you have to modify <protocol>udp</protocol> to <protocol>tcp</protocol> in /var/ossec/etc/ossec.conf (on both agent and manager; if the agent is Windows, the default file path is C:\Program Files (x86)\ossec-agent\ossec.conf).

Please let me know how this works.
Regards

Luke Lee

Jun 28, 2020, 11:16:55 PM
to Wazuh mailing list
Hi, I notice that a few laptops were able to connect when they are in our network, but all the servers are not able to connect.

How can I trace this?

Luke Lee

Jun 28, 2020, 11:37:41 PM
to Wazuh mailing list
Regarding changing from UDP to TCP, I think the connection was fine; I am able to test the UDP connection of those ports too.

So I guess that wasn't the issue? 

jeremias...@wazuh.com

Jun 29, 2020, 2:42:12 PM
to Wazuh mailing list
Hi Skyluke,
Were these laptops able to connect after any of the steps that we were testing?
The servers that are still unable to connect: do they have the same log "Authentication error, Wrong key or corrupt payload" that we were investigating?
The intention of changing from UDP to TCP is to guarantee that there are no network issues during the communication of the message:
As you may know, agents and managers communicate with each other using encrypted messages. "Authentication error, Wrong key or corrupt payload" means that the encrypted message wasn't able to be decrypted, and this can occur because a wrong key is used to decrypt the message (that's the reason for trying to re-register the agent) or because the content of the message got corrupted.
On the other hand: how did the test of re-registering an agent and checking the client.keys file go?
Regards.
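A triage script for the behaviour Jeremías describes above and in his earlier reply (an added example, not code from this thread or from Wazuh): it parses the 1404 warnings from ossec.log into agent ID and source, counts them per agent, and compares each affected agent's client.keys entry (ID NAME IP KEY per line) with the manager's copy, so a wrong-key case can be told apart from a corrupted-payload one. The log lines, IDs, IPs and keys are constructed sample data; only the file paths and message text come from the thread.

```python
"""Triage of the Wazuh 1404 warning: parse ossec-remoted lines from ossec.log and
compare an agent's client.keys entry with the manager's. All sample data is constructed."""
import re
from collections import Counter

# Matches the warning quoted in the thread; captures the agent ID and the source after "at".
AUTH_ERR_RE = re.compile(
    r"ossec-remoted\[\d+\].*WARNING: \(1404\): Authentication error\."
    r".*from agent '(?P<agent_id>\d+)' at '(?P<src>[^']*)'\.$"
)


def parse_auth_errors(log_text):
    """Return (agent_id, source) for every 1404 warning; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_ERR_RE.search(line.rstrip())
        if m:  # the quoted source can carry stray spaces (see the '092' line in the thread)
            hits.append((m.group("agent_id"), m.group("src").strip()))
    return hits


def parse_client_keys(text):
    """Parse 'ID NAME IP KEY' lines into {ID: (NAME, IP, KEY)}; '!'-prefixed (removed) entries are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and not parts[0].startswith("!"):
            entries[parts[0]] = (parts[1], parts[2], parts[3])
    return entries


def diagnose(log_text, manager_keys_text, agent_keys_by_id):
    """For each agent with 1404 warnings, compare its key with the manager's entry.
    agent_keys_by_id maps agent ID -> the content of that agent's client.keys."""
    manager = parse_client_keys(manager_keys_text)
    counts = Counter(agent_id for agent_id, _ in parse_auth_errors(log_text))
    verdicts = {}
    for agent_id, n in counts.items():
        agent_entry = parse_client_keys(agent_keys_by_id.get(agent_id, "")).get(agent_id)
        if agent_id not in manager:
            verdicts[agent_id] = f"unknown on manager ({n} warnings): register the agent"
        elif agent_entry is None:
            verdicts[agent_id] = f"agent client.keys missing ({n} warnings): re-register"
        elif agent_entry[2] != manager[agent_id][2]:
            verdicts[agent_id] = f"key mismatch ({n} warnings): re-enter or re-register the key"
        else:
            verdicts[agent_id] = f"keys identical ({n} warnings): check payload/protocol path"
    return verdicts


# Constructed sample data: IDs, names, IPs and keys are placeholders.
SAMPLE_LOG = """\
2020/06/26 12:13:22 ossec-remoted[22938] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '004' at '10.0.0.4'.
2020/06/26 12:13:22 ossec-remoted[22938] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '122' at 'any'.
2020/06/26 12:13:23 ossec-remoted[22938] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '004' at ' 10.0.0.4  '.
"""
MANAGER_KEYS = """\
004 srv-web 10.0.0.4 1111aaaa2222bbbb3333cccc4444dddd5555eeee6666ffff7777aaaa8888bbbb
122 laptop-01 any 9999aaaa2222bbbb3333cccc4444dddd5555eeee6666ffff7777aaaa8888cccc
"""
AGENT_KEYS = {  # agent 004 kept a pre-upgrade key; agent 122 holds the manager's entry verbatim
    "004": "004 srv-web 10.0.0.4 0000aaaa2222bbbb3333cccc4444dddd5555eeee6666ffff7777aaaa8888bbbb\n",
    "122": "122 laptop-01 any 9999aaaa2222bbbb3333cccc4444dddd5555eeee6666ffff7777aaaa8888cccc\n",
}
```

Run `diagnose()` with the manager's `/var/ossec/etc/client.keys` and the line copied from each failing agent's copy of that file; an agent reported as "key mismatch" is the re-registration case from the thread.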

Luke Lee

Jul 6, 2020, 4:34:03 AM
to Wazuh mailing list
Hi, thanks for your reply. 

I have tried changing one agent from UDP to TCP, as well as the server. But it seems like my wazuh-agent is having an error starting.

Jeremías Palacios

Jul 6, 2020, 11:00:13 AM
to Wazuh mailing list
Hi Luke,
Can you share with me the logs from /var/ossec/logs/ossec.log and the configuration file /var/ossec/etc/ossec.conf as you edited it (of the failing agent)?
Probably, the configuration file is not correct.
Regards,

Luke Lee

Jul 7, 2020, 3:08:01 AM
to Wazuh mailing list
Ossec.conf (Server)

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>oss...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
  </global>

  <client>
    <server>
      <address>server_IP</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu16, ubuntu16.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-ubuntu-xenial-oval.xml"/>
  </wodle>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <update_interval>1h</update_interval>
    </provider>

    <provider name="debian">
      <enabled>no</enabled>
      <os>wheezy</os>
      <os>stretch</os>
      <os>jessie</os>
      <os>buster</os>
      <update_interval>1h</update_interval>
    </provider>

    <provider name="redhat">
      <enabled>no</enabled>
      <!-- <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>-->
    </provider>

    <provider name="nvd">
      <enabled>no</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>ip</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>ip</white_list>
    <white_list>ip</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null-2012</name>
    <executable>route-null-2012.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh-win-2016</name>
    <executable>netsh-win-2016.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <!-- Configuration for ossec-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>

Luke Lee

Jul 7, 2020, 3:34:51 AM
to Wazuh mailing list
This is the Agent ossec.conf:

<!--
  Wazuh - Agent - Default configuration for centos 6.10
-->

<ossec_config>
  <client>
    <server>
      <address>server_IP</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>centos, centos6, centos6.10</config-profile>
    <notify_time>60</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos-6-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_server</profile>
    </content>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>

    <!-- Allow the system to restart Auditd after installing the plugin -->
    <restart_audit>yes</restart_audit>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>


Jeremías Palacios

Jul 7, 2020, 10:17:38 PM
to Wazuh mailing list
Hi Luke,
Can you share with me the Wazuh logs, to establish the cause of the agent not starting?
From the provided configs I have some observations:
  • The selected protocol is UDP, not TCP (<protocol>udp</protocol>).
  • The server config has a <client> section that doesn't belong in the server config; is this part of the changes? The server protocol is defined in the <remote> section.
  • <address> is defined as server_IP, is this correct?
Regards.

Luke Lee

Jul 19, 2020, 11:39:27 PM
to Wazuh mailing list
Hi, problem resolved. After I re-entered the keys on the agent, it works. Thank you.

Jeremías Palacios

Jul 20, 2020, 11:23:25 AM
to Wazuh mailing list
Glad to hear it's working!
Are the configuration errors solved too?
If you have further questions don't hesitate to ask.