Duplicate agent name:
Dmitry Mikheev
Stuti Gupta
Dmitry,
The error you are seeing:
2026/02/18 10:15:05 wazuh-agent: ERROR: Duplicate agent name: AppSRV. Unable to add agent (from manager)
means that the Wazuh manager already has an agent registered with the name AppSRV. Even if Windows was reinstalled, and the client.keys file was cleared on the server, but the manager still detects a duplicate agent name during enrollment.
In Wazuh, agent names must be unique. It is not possible to rename an agent after it has been enrolled. The agent name is defined only during the enrollment process. If another agent with the same name already exists in the manager database, enrollment will fail with the duplicate name error.
To resolve this issue, you need to re-enroll the agent using a different name.
You can define the agent name during installation or enrollment using the deployment variable: WAZUH_AGENT_NAME
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/deployment-variables/index.html
For example, during installation on Windows, set the variable so the agent registers with a unique name instead of AppSRV.
Alternatively, you can define the agent name in the ossec.conf file on the Windows agent before starting the service.
Edit: C:\Program Files (x86)\ossec-agent\ossec.conf
Add the following block:
<enrollment>
<agent_name>YOUR_NEW_AGENT_NAME/agent_name>
</enrollment>
Reference:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment
After saving the file, start the Wazuh agent service. The agent will request a new key from the manager and register with the new name.
Please note that when you re-enroll the agent with a new name, it will receive a new agent ID and a new key. Any previous association with the old agent entry will not be preserved.
If you still encounter issues, please confirm whether there is still an existing agent entry with the name AppSRV on the manager by running on the manager:
/var/ossec/bin/agent_control -l
If AppSRV is still listed, you can remove it before re-enrollment using:
/var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID>
https://documentation.wazuh.com/current/user-manual/agent/agent-management/remove-agents/remove.html
Then delete the old entry and enroll the agent again with a unique name.
This will ensure the duplicate name conflict is fully resolved.
Dmitry Mikheev
Available agents:
ID: 021, Name: AppSRV, IP: any
Provide the ID of the agent to be removed (or '\q' to quit): 021
Confirm deleting it?(y/n): y
Agent '021' removed.
manage_agents: Exiting.
<client>
<enrollment>
<agent_name>APPSRV2026</agent_name>
</enrollment>
2026/02/19 10:40:54 wazuh-agent: INFO: Waiting for server reply
2026/02/19 10:40:54 wazuh-agent: INFO: Valid key received
2026/02/19 10:40:54 wazuh-agent: INFO: Waiting 20 seconds before server connection
2026/02/19 10:41:14 wazuh-agent: INFO: (1410): Reading authentication keys file.
2026/02/19 10:41:14 wazuh-agent: INFO: Closing connection to server ([10.0.0.1]:1514/tcp).
2026/02/19 10:41:14 wazuh-agent: INFO: Trying to connect to server ([10.0.0.1]:1514/tcp).
2026/02/19 10:41:14 wazuh-agent: INFO: (4102): Connected to the server ([10.0.0.1]:1514/tcp).
2026/02/19 10:41:14 rootcheck: INFO: Starting rootcheck scan.
2026/02/19 10:41:15 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:16 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:16 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/19 10:41:16 sca: INFO: Security Configuration Assessment scan finished. Duration: 62 seconds.
2026/02/19 10:41:16 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:18 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:19 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:19 wazuh-agent: INFO: (6035): Analyzing Windows volumes
2026/02/19 10:41:20 rootcheck: INFO: Ending rootcheck scan.
2026/02/19 10:41:35 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/19 10:41:35 wazuh-agent: INFO: FIM sync module started.
2026/02/19 10:41:36 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2026/02/19 10:41:52 wazuh-agent: WARNING: (1218): Unable to send message to 'server': An existing connection was forcibly closed by the remote host.
2026/02/19 10:41:52 wazuh-agent: WARNING: (1218): Unable to send message to 'server': An existing connection was forcibly closed by the remote host.
2026/02/19 10:40:54 wazuh-authd: INFO: Agent key generated for 'APPSRV2026' (requested by any)
2026/02/19 10:40:56 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2026/02/19 10:40:56 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2026/02/19 10:41:53 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:03 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:13 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:23 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:33 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:33 wazuh-authd: INFO: Received request for a new agent (APPSRV2026) from: 10.0.0.8
2026/02/19 10:42:33 wazuh-authd: WARNING: Duplicate name 'APPSRV2026', rejecting enrollment. Agent '022' can't be replaced since it is not disconnected.
2026/02/19 10:43:21 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
Stuti Gupta
Based on the logs, the problem is that the endpoint is still using an old client key, which belongs to agent ID 022.
On the manager, you removed the agent, but the Windows endpoint still has its previous client.keys content. Because of that, the agent continues using the old key, and the manager reports:
Agent key already in use: agent ID '022' Duplicate name 'APPSRV2026', rejecting enrollment. Agent '022' can't be replaced since it is not disconnected.To fully fix the issue, the agent must be removed and reinstalled on the endpoint, not only removed from the manager.
Please do the following on the Windows system:
Uninstall the Wazuh agent completely
Install the agent again
Before starting the service, define the new agent name in ossec.conf:
<enrollment>
<agent_name>APPSRV2026</agent_name>
</enrollment>
or set it via WAZUH_AGENT_NAME during installation.
When the agent is reinstalled, it will generate a new client.key, and the manager will accept it.
If reinstalling does not resolve it, please share:
- Windows version
- Wazuh agent version
- Wazuh manager OS and version
I can then reproduce the issue on my side.
Dmitry Mikheev
The client was stopped and uninstalled.
The folder C:\Program Files (x86)\ossec-agent was deleted.
A new client was installed. It was given a new name. The name has never been used.
<enrollment>
<agent_name>APPServer26</agent_name>
</enrollment>
Client started...
tail -f /var/ossec/logs/ossec.log
2026/02/20 08:38:33 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/20 08:38:33 wazuh-authd: INFO: Agent key generated for 'APPServer26' (requested by any)
2026/02/20 08:38:42 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2026/02/20 08:38:42 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2026/02/20 08:38:57 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
-------------------------------------------------------------------------------------------------------------------------------^------ ^^^^^^
030 APPServer26 any a65...
^^^^ ^^^^^^^^^^
tail -f /var/ossec/logs/ossec.log
2026/02/20 08:43:25 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/20 08:43:26 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/20 08:43:26 wazuh-authd: WARNING: Duplicate name 'APPServer26', rejecting enrollment. Agent '030' can't be replaced because it is not disconnected.
The server assigned the new agent number 30.
And yet it claims the number already exists.
Dmitry Mikheev
- Windows version Microsoft Windows [Version 10.0.17763.8276]
- Wazuh agent version wazuh-agent-4.14.3-1.msi
- Wazuh manager OS and version Ubuntu 24.04.4 LTS Wazuh v4.14.3
Stuti Gupta
Can you please share all the logs from the agent side and manager side warning and error logs? This type is usually due to overload in the manager. You may see logs of the type:
wazuh-remoted: WARNING: Message queue is full (131072). Events may be lost.
Likewise, you would see a value for "discarded_count" other than 0 in /var/ossec/var/run/wazuh-remoted.state. If this happens, agents might have trouble connecting. They would change their status to "pending" after sending the connection attempt but would not receive a response from the manager, which would end up causing them to try to register again, even if they had a valid password.
Finally, you can adjust the manager parameters related to force enrollment: <auth><force>: auth reference. For example, set
<disconnected_time enabled="no">0</disconnected_time>
So that the manager registers the new agent (and deletes the old one with the same name), avoiding the "Duplicate hostname... rejecting enrollment" log.
Another parameter is <key_mismatch>, if you set it to "no", then the manager will allow agent registrations even though they already have a valid key. I recommend not modifying this parameter, because it could potentially allow massive registrations of agents who have a valid password but simply cannot connect to the manager.
Let me know if this helps.
Dmitry Mikheev
The other three servers are working without errors.
This client's errors started after reinstalling Windows (installing a new version and formatting the disk).
Unfortunately, I only saved ossec.conf from the old one.
tail -f /var/ossec/logs/ossec.log
2026/02/23 08:34:52 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:12 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:22 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:32 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/23 08:35:32 wazuh-authd: WARNING: Duplicate name 'APPServer26', rejecting enrollment. Agent '030' can't be replaced since it is not disconnected.
2026/02/23 08:36:22 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:36:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:36:42 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:36:52 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:37:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:37:02 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/23 08:37:02 wazuh-authd: WARNING: Duplicate name 'APPServer26', rejecting enrollment. Agent '030' can't be replaced since it is not disconnected.
cat /var/ossec/var/run/wazuh-remoted.state
# Discarded messages
discarded_count='0'
2026/02/23 08:34:51 wazuh-agent: WARNING: (1218): Unable to send message to 'server': An existing connection was forcibly closed by the remote host.
Because that's how the software was written :(
Parameters and technical variables are all mixed up there.
Stuti Gupta
It seems that no events are being discarded, and the issue is caused by older agent entries still existing on the manager with the same client key or agent name.
Uninstall the Wazuh agent from the Windows system completely using:
msiexec.exe /x wazuh-agent-4.14.3-1.msi /qn
Remove the corresponding agent entry from the Wazuh manager, including any duplicate or previously connected entries:
/var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID>
Restart the Wazuh manager and confirm that no old agent ID remains.
Then, verify on the Windows endpoint that no old Wazuh files or configurations are left.
Reinstall the Wazuh agent on the Windows endpoint with a unique agent name. You can set it directly in the configuration:
<agent_name>APPSRV2026</agent_name>
</enrollment>
or by using the installation variable:
If there is still a connection issue, check the manager database to see if any leftover records exist:
sqlite3 /var/ossec/queue/db/global.db
SELECT id, name, register_ip FROM agent;
Dmitry Mikheev
how to restore???
/var/ossec/bin/manage_agents -l
# sqlite3 /var/ossec/queue/db/global.db
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> SELECT id, name, register_ip FROM agent;
0|wazuh-srv|127.0.0.1
6|DB|any
8|Update|any
24|tmp1|1.1.1.1
25|tmp2|1.1.1.2
26|tmp3|1.1.1.3
27|tmp4|1.1.1.4
28|tmp5|1.1.1.5
29|tmp6|1.1.1.6
31|tmp7|1.1.1.7
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/SlCrtPHCoyA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/1abda69e-536e-409c-b5a8-bb9d695e4f9en%40googlegroups.com.