Duplicate agent name:
Dmitry Mikheev
Stuti Gupta
Dmitry,
The error you are seeing:
2026/02/18 10:15:05 wazuh-agent: ERROR: Duplicate agent name: AppSRV. Unable to add agent (from manager)
means that the Wazuh manager already has an agent registered with the name AppSRV. Even if Windows was reinstalled, and the client.keys file was cleared on the server, but the manager still detects a duplicate agent name during enrollment.
In Wazuh, agent names must be unique. It is not possible to rename an agent after it has been enrolled. The agent name is defined only during the enrollment process. If another agent with the same name already exists in the manager database, enrollment will fail with the duplicate name error.
To resolve this issue, you need to re-enroll the agent using a different name.
You can define the agent name during installation or enrollment using the deployment variable: WAZUH_AGENT_NAME
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/deployment-variables/index.html
For example, during installation on Windows, set the variable so the agent registers with a unique name instead of AppSRV.
Alternatively, you can define the agent name in the ossec.conf file on the Windows agent before starting the service.
Edit: C:\Program Files (x86)\ossec-agent\ossec.conf
Add the following block:
<enrollment>
<agent_name>YOUR_NEW_AGENT_NAME/agent_name>
</enrollment>
Reference:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment
After saving the file, start the Wazuh agent service. The agent will request a new key from the manager and register with the new name.
Please note that when you re-enroll the agent with a new name, it will receive a new agent ID and a new key. Any previous association with the old agent entry will not be preserved.
If you still encounter issues, please confirm whether there is still an existing agent entry with the name AppSRV on the manager by running on the manager:
/var/ossec/bin/agent_control -l
If AppSRV is still listed, you can remove it before re-enrollment using:
/var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID>
https://documentation.wazuh.com/current/user-manual/agent/agent-management/remove-agents/remove.html
Then delete the old entry and enroll the agent again with a unique name.
This will ensure the duplicate name conflict is fully resolved.
Dmitry Mikheev
Available agents:
ID: 021, Name: AppSRV, IP: any
Provide the ID of the agent to be removed (or '\q' to quit): 021
Confirm deleting it?(y/n): y
Agent '021' removed.
manage_agents: Exiting.
<client>
<enrollment>
<agent_name>APPSRV2026</agent_name>
</enrollment>
2026/02/19 10:40:54 wazuh-agent: INFO: Waiting for server reply
2026/02/19 10:40:54 wazuh-agent: INFO: Valid key received
2026/02/19 10:40:54 wazuh-agent: INFO: Waiting 20 seconds before server connection
2026/02/19 10:41:14 wazuh-agent: INFO: (1410): Reading authentication keys file.
2026/02/19 10:41:14 wazuh-agent: INFO: Closing connection to server ([10.0.0.1]:1514/tcp).
2026/02/19 10:41:14 wazuh-agent: INFO: Trying to connect to server ([10.0.0.1]:1514/tcp).
2026/02/19 10:41:14 wazuh-agent: INFO: (4102): Connected to the server ([10.0.0.1]:1514/tcp).
2026/02/19 10:41:14 rootcheck: INFO: Starting rootcheck scan.
2026/02/19 10:41:15 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:16 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:16 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/19 10:41:16 sca: INFO: Security Configuration Assessment scan finished. Duration: 62 seconds.
2026/02/19 10:41:16 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:18 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:19 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/19 10:41:19 wazuh-agent: INFO: (6035): Analyzing Windows volumes
2026/02/19 10:41:20 rootcheck: INFO: Ending rootcheck scan.
2026/02/19 10:41:35 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/19 10:41:35 wazuh-agent: INFO: FIM sync module started.
2026/02/19 10:41:36 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2026/02/19 10:41:52 wazuh-agent: WARNING: (1218): Unable to send message to 'server': An existing connection was forcibly closed by the remote host.
2026/02/19 10:41:52 wazuh-agent: WARNING: (1218): Unable to send message to 'server': An existing connection was forcibly closed by the remote host.
2026/02/19 10:40:54 wazuh-authd: INFO: Agent key generated for 'APPSRV2026' (requested by any)
2026/02/19 10:40:56 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2026/02/19 10:40:56 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2026/02/19 10:41:53 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:03 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:13 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:23 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:33 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
2026/02/19 10:42:33 wazuh-authd: INFO: Received request for a new agent (APPSRV2026) from: 10.0.0.8
2026/02/19 10:42:33 wazuh-authd: WARNING: Duplicate name 'APPSRV2026', rejecting enrollment. Agent '022' can't be replaced since it is not disconnected.
2026/02/19 10:43:21 wazuh-remoted: WARNING: Agent key already in use: agent ID '022'
Stuti Gupta
Based on the logs, the problem is that the endpoint is still using an old client key, which belongs to agent ID 022.
On the manager, you removed the agent, but the Windows endpoint still has its previous client.keys content. Because of that, the agent continues using the old key, and the manager reports:
Agent key already in use: agent ID '022' Duplicate name 'APPSRV2026', rejecting enrollment. Agent '022' can't be replaced since it is not disconnected.To fully fix the issue, the agent must be removed and reinstalled on the endpoint, not only removed from the manager.
Please do the following on the Windows system:
Uninstall the Wazuh agent completely
Install the agent again
Before starting the service, define the new agent name in ossec.conf:
<enrollment>
<agent_name>APPSRV2026</agent_name>
</enrollment>
or set it via WAZUH_AGENT_NAME during installation.
When the agent is reinstalled, it will generate a new client.key, and the manager will accept it.
If reinstalling does not resolve it, please share:
- Windows version
- Wazuh agent version
- Wazuh manager OS and version
I can then reproduce the issue on my side.
Dmitry Mikheev
The client was stopped and uninstalled.
The folder C:\Program Files (x86)\ossec-agent was deleted.
A new client was installed. It was given a new name. The name has never been used.
<enrollment>
<agent_name>APPServer26</agent_name>
</enrollment>
Client started...
tail -f /var/ossec/logs/ossec.log
2026/02/20 08:38:33 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/20 08:38:33 wazuh-authd: INFO: Agent key generated for 'APPServer26' (requested by any)
2026/02/20 08:38:42 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2026/02/20 08:38:42 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2026/02/20 08:38:57 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
-------------------------------------------------------------------------------------------------------------------------------^------ ^^^^^^
030 APPServer26 any a65...
^^^^ ^^^^^^^^^^
tail -f /var/ossec/logs/ossec.log
2026/02/20 08:43:25 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/20 08:43:26 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/20 08:43:26 wazuh-authd: WARNING: Duplicate name 'APPServer26', rejecting enrollment. Agent '030' can't be replaced because it is not disconnected.
The server assigned the new agent number 30.
And yet it claims the number already exists.
Dmitry Mikheev
- Windows version Microsoft Windows [Version 10.0.17763.8276]
- Wazuh agent version wazuh-agent-4.14.3-1.msi
- Wazuh manager OS and version Ubuntu 24.04.4 LTS Wazuh v4.14.3
Stuti Gupta
Can you please share all the logs from the agent side and manager side warning and error logs? This type is usually due to overload in the manager. You may see logs of the type:
wazuh-remoted: WARNING: Message queue is full (131072). Events may be lost.
Likewise, you would see a value for "discarded_count" other than 0 in /var/ossec/var/run/wazuh-remoted.state. If this happens, agents might have trouble connecting. They would change their status to "pending" after sending the connection attempt but would not receive a response from the manager, which would end up causing them to try to register again, even if they had a valid password.
Finally, you can adjust the manager parameters related to force enrollment: <auth><force>: auth reference. For example, set
<disconnected_time enabled="no">0</disconnected_time>
So that the manager registers the new agent (and deletes the old one with the same name), avoiding the "Duplicate hostname... rejecting enrollment" log.
Another parameter is <key_mismatch>, if you set it to "no", then the manager will allow agent registrations even though they already have a valid key. I recommend not modifying this parameter, because it could potentially allow massive registrations of agents who have a valid password but simply cannot connect to the manager.
Let me know if this helps.
Dmitry Mikheev
The other three servers are working without errors.
This client's errors started after reinstalling Windows (installing a new version and formatting the disk).
Unfortunately, I only saved ossec.conf from the old one.
tail -f /var/ossec/logs/ossec.log
2026/02/23 08:34:52 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:12 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:22 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:35:32 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/23 08:35:32 wazuh-authd: WARNING: Duplicate name 'APPServer26', rejecting enrollment. Agent '030' can't be replaced since it is not disconnected.
2026/02/23 08:36:22 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:36:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:36:42 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:36:52 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:37:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '030'
2026/02/23 08:37:02 wazuh-authd: INFO: Received request for a new agent (APPServer26) from: 10.0.0.8
2026/02/23 08:37:02 wazuh-authd: WARNING: Duplicate name 'APPServer26', rejecting enrollment. Agent '030' can't be replaced since it is not disconnected.
cat /var/ossec/var/run/wazuh-remoted.state
# Discarded messages
discarded_count='0'
2026/02/23 08:34:51 wazuh-agent: WARNING: (1218): Unable to send message to 'server': An existing connection was forcibly closed by the remote host.
Because that's how the software was written :(
Parameters and technical variables are all mixed up there.
Stuti Gupta
It seems that no events are being discarded, and the issue is caused by older agent entries still existing on the manager with the same client key or agent name.
Uninstall the Wazuh agent from the Windows system completely using:
msiexec.exe /x wazuh-agent-4.14.3-1.msi /qn
Remove the corresponding agent entry from the Wazuh manager, including any duplicate or previously connected entries:
/var/ossec/bin/manage_agents -r <WAZUH_AGENT_ID>
Restart the Wazuh manager and confirm that no old agent ID remains.
Then, verify on the Windows endpoint that no old Wazuh files or configurations are left.
Reinstall the Wazuh agent on the Windows endpoint with a unique agent name. You can set it directly in the configuration:
<agent_name>APPSRV2026</agent_name>
</enrollment>
or by using the installation variable:
If there is still a connection issue, check the manager database to see if any leftover records exist:
sqlite3 /var/ossec/queue/db/global.db
SELECT id, name, register_ip FROM agent;
Dmitry Mikheev
how to restore???
/var/ossec/bin/manage_agents -l
# sqlite3 /var/ossec/queue/db/global.db
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> SELECT id, name, register_ip FROM agent;
0|wazuh-srv|127.0.0.1
6|DB|any
8|Update|any
24|tmp1|1.1.1.1
25|tmp2|1.1.1.2
26|tmp3|1.1.1.3
27|tmp4|1.1.1.4
28|tmp5|1.1.1.5
29|tmp6|1.1.1.6
31|tmp7|1.1.1.7
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/SlCrtPHCoyA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/1abda69e-536e-409c-b5a8-bb9d695e4f9en%40googlegroups.com.
Dmitry Mikheev
- Removed the agent
- Deleted the directory
- Installed wazuh-agent-4.14.3-1.msi WAZUH_MANAGER="10.0.0.1" WAZUH_AGENT_NAME="AppServ"
Forgot to run it, sorry for the panic )))
Run it...
The problem persists. The dashboard shows the agent is online, but there are no events from the agent!
tail -f /var/ossec/logs/ossec.log
2026/02/24 10:55:45 wazuh-authd: INFO: Received request for a new agent (AppServ) from: 10.0.0.8
2026/02/24 10:55:45 wazuh-authd: INFO: Agent key generated for 'AppServ' (requested by any)
2026/02/24 10:55:53 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2026/02/24 10:55:53 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2026/02/24 10:56:49 wazuh-remoted: WARNING: Agent key already in use: agent ID '032'
2026/02/24 10:56:59 wazuh-remoted: WARNING: Agent key already in use: agent ID '032'
...
2026/02/24 11:00:25 wazuh-authd: WARNING: Duplicate name 'AppServ', rejecting enrollment. Agent '032' can't be replaced since it is not disconnected.
# /var/ossec/bin/manage_agents -l | grep AppServ
ID: 004, Name: AppServerRes, IP: any
ID: 032, Name: AppServ, IP: any
# sqlite3 /var/ossec/queue/db/global.db
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
0|wazuh-srv|127.0.0.1
4|AppServerRes|any
6|DB|any
8|UpdateServer|any
9|AccessServer|any
14|DB2|any
15|HYPERID|any
24|tmp1|1.1.1.1
25|tmp2|1.1.1.2
26|tmp3|1.1.1.3
27|tmp4|1.1.1.4
28|tmp5|1.1.1.5
29|tmp6|1.1.1.6
31|tmp7|1.1.1.7
Stuti Gupta
Dmitry,
Your issue is not caused by duplicate names or leftover keys anymore. The behaviour you see comes from a stale TCP connection on the manager side.
When Windows was reinstalled, the previous Wazuh agent connection did not close cleanly. Windows Server 1809 often shuts down without sending FIN/RST packets, especially during updates. Because of that, the manager still keeps the old TCP connection for that agent ID in an established state.
As long as that stale connection exists in wazuh-remoted memory, the manager will think agent ID 032 is still connected, so Authd will not replace it and will continue to reject the new enrollment with messages like:
Agent key already in use: agent ID '032'
Duplicate name 'AppServ', rejecting enrollment. Agent '032' can't be replaced since it is not disconnected.
Removing the agent with manage_agents does not clear that in-memory connection. The manager needs a full restart to drop the stale state.
Do the following cleanly:
Stop the entire Wazuh manager: systemctl stop wazuh-manager
Then, remove the agent via manager_agents
Edit or remove the specific line for the agent if needed: /var/ossec/etc/client.keys
On the Windows side, remove the agent, and delete the folders
Start the manager again: systemctl start wazuh-manager
Then reinstall the agent and name it uniquely
Start the agent service and allow it to enroll again.
After restarting the manager, the stale TCP connection will be removed, and the manager will accept the new key immediately.
For the future, the recommended practice is to stop the Wazuh agent service on the Windows host before performing a Windows reinstallation, so the TCP connection is closed gracefully before the OS shuts down.
Dmitry Mikheev
on the server
<force>
<enabled>yes</enabled>
<disconnected_time enabled="">0</disconnected_time>
<after_registration_time>0</after_registration_time>
<key_mismatch>yes</key_mismatch>
</force>
on the client
<enrollment>
<enabled>no</enabled>
</enrollment>
and tried /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_fin_timeout = 15
didn't help
Stuti Gupta
Dmitry,
The changes you tried will not fix this issue. The problem is that the Wazuh manager still thinks the old agent connection is active, even though the Windows machine was reinstalled. Because of this, the manager will not accept the new agent or new key.
The only way to clear that old connection is to restart the Wazuh manager because the stuck connection is stored in memory, not in the database or configuration.
Stop the entire Wazuh manager: systemctl stop wazuh-manager
Then remove the agent using manage_agents.
Edit or remove the specific line for the agent if needed: /var/ossec/etc/client.keys
On the Windows side, remove the agent and delete the folders.
Start the manager again: systemctl start wazuh-manager
Then reinstall the agent and give it a unique name.
Start the agent service and allow it to enroll again.
After the manager restarts, the old connection will be gone, and your agent should enroll correctly.
If the problem still appears after doing this, let me know. I will discuss this with the team again
Dmitry Mikheev
Stopped the service on the client.
Deleted the client.
Stopped wazuh-manager
Cleared /var/ossec/etc/client.keys
Started wazuh-manager
Checked that 32 wasn't present via manage_agents
Here's what's in the logs
2026/02/27 12:12:15 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-interfaces-wazuh-srv', retrying until the connection is successful.
2026/02/27 12:12:15 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-networks-wazuh-srv', retrying until the connection is successful.
2026/02/27 12:12:16 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-users-wazuh-srv', retrying until the connection is successful.
2026/02/27 12:12:16 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu24-04.yml'
2026/02/27 12:12:16 sca: INFO: Security Configuration Assessment scan finished. Duration: 6 seconds.
2026/02/27 12:12:16 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-groups-wazuh-srv', retrying until the connection is successful.
2026/02/27 12:12:16 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-browser-extensions-wazuh-srv', retrying until the connection is successful.
2026/02/27 12:12:17 logger-helper: INFO: InventoryHarvesterFacade module started.
2026/02/27 12:12:17 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-services-wazuh-srv', retrying until the connection is successful.
2026/02/27 12:23:27 wazuh-authd: INFO: Agent key generated for 'AppServ20260227' (requested by any)
2026/02/27 12:23:27 wazuh-authd: INFO: Received request for a new agent (AppServ20260227) from: 10.0.0.8
2026/02/27 12:23:34 wazuh-remoted: INFO: (1409): Authentication file changed. Updating.
2026/02/27 12:23:34 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2026/02/27 12:29:09 wazuh-remoted: WARNING: Agent key already in use: agent ID '032'
2026/02/27 12:29:19 wazuh-remoted: WARNING: Agent key already in use: agent ID '032'
2026/02/27 12:29:29 wazuh-remoted: WARNING: Agent key already in use: agent ID '032'
2026/02/27 12:29:39 wazuh-remoted: WARNING: Agent key already in use: agent ID '032'
2026/02/27 13:07:52 wazuh-remoted: WARNING: (1408): Invalid ID 032 for the source ip: '10.0.0.8' (name 'unknown').
2026/02/27 13:08:02 wazuh-remoted: WARNING: (1408): Invalid ID 032 for the source ip: '10.0.0.8' (name 'unknown').
2026/02/27 13:08:12 wazuh-remoted: WARNING: (1408): Invalid ID 032 for the source ip: '10.0.0.8' (name 'unknown').
2026/02/27 13:08:20 rootcheck: INFO: Ending rootcheck scan.
2026/02/27 13:08:22 wazuh-remoted: WARNING: (1408): Invalid ID 032 for the source ip: '10.0.0.8' (name 'unknown').
2026/02/27 13:08:22 wazuh-authd: INFO: Received request for a new agent (AppServ20260227) from: 10.0.0.8
2026/02/27 13:08:22 wazuh-authd: INFO: Agent key generated for 'AppServ20260227' (requested by any)
2026/02/27 13:14:41 wazuh-authd: WARNING: Duplicate name 'AppServ20260227', rejecting enrollment. Agent '033' can't be replaced since it is not disconnected.
2026/02/27 13:15:29 wazuh-remoted: WARNING: Agent key already in use: agent ID '033'
2026/02/27 13:15:39 wazuh-remoted: WARNING: Agent key already in use: agent ID '033'
2026/02/27 13:15:49 wazuh-remoted: WARNING: Agent key already in use: agent ID '033'
2026/02/27 13:15:59 wazuh-remoted: WARNING: Agent key already in use: agent ID '033'
2026/02/27 13:16:09 wazuh-remoted: WARNING: Agent key already in use: agent ID '033'
2026/02/27 13:16:09 wazuh-authd: INFO: Received request for a new agent (AppServ20260227) from: 10.0.0.8
2026/02/27 13:16:09 wazuh-authd: WARNING: Duplicate name 'AppServ20260227', rejecting enrollment. Agent '033' can't be replaced since it is not disconnected.
2026/02/27 13:22:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '033'
2026/02/27 13:22:02 wazuh-authd: INFO: Received request for a new agent (AppServ20260227) from: 10.0.0.8
2026/02/27 13:22:02 wazuh-authd: WARNING: Duplicate name 'AppServ20260227', rejecting enrollment. Agent '033' can't be replaced since it is not disconnected.
# /var/ossec/bin/manage_agents -l
ID: 009, Name: AccessServer, IP: any
ID: 014, Name: DB2, IP: any
ID: 008, Name: UpdateServer, IP: any
ID: 004, Name: AppServerRes, IP: any
ID: 006, Name: DB, IP: any
ID: 028, Name: tmp5, IP: 1.1.1.5
ID: 029, Name: tmp6, IP: 1.1.1.6
ID: 024, Name: tmp1, IP: 1.1.1.1
ID: 025, Name: tmp2, IP: 1.1.1.2
ID: 026, Name: tmp3, IP: 1.1.1.3
ID: 027, Name: tmp4, IP: 1.1.1.4
ID: 031, Name: tmp7, IP: 1.1.1.7
ID: 033, Name: AppServ20260227, IP: any
ID: 034, Name: tmp8, IP: 1.1.1.8
#cat /var/ossec/etc/client.keys
...
034 tmp8 1.1.1.8 KEY
# sqlite3 /var/ossec/queue/db/global.db
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> SELECT id, name, register_ip FROM agent;
0|wazuh-srv|127.0.0.1
4|AppServerRes|any
6|DB|any
8|UpdateServer|any
9|AccessServer|any
14|DB2|any
15|HYPERID|any
24|tmp1|1.1.1.1
25|tmp2|1.1.1.2
26|tmp3|1.1.1.3
27|tmp4|1.1.1.4
28|tmp5|1.1.1.5
29|tmp6|1.1.1.6
31|tmp7|1.1.1.7
34|tmp8|1.1.1.8
Stuti Gupta
Please allow me some time. I'm discussing this issue with the teammate. They are looking into this.
Thank you!
Stuti Gupta
Based on the latest logs, the manager is still seeing the agent session as active even after the agent is reinstalled and the keys are recreated. Since restarting the manager and cleaning client.keys did not resolve it, this looks less like a registration-state problem and more like a network-level connection issue.
The most likely scenario is that the agent detects a disconnect, but the manager-side session is not being closed properly, so wazuh-remoted still considers that the agent is connected. Once that happens, reconnection and re-enrollment are rejected because the existing session/key is still marked as in use.
At this point, we recommend testing connectivity in a simpler network path to confirm whether an intermediate device is keeping the session half-open:
Try connecting the same agent to a different Wazuh manager if available.
Or deploy a temporary test manager/server on the same local network segment as the Windows host.
If possible, bypass as many routers, firewalls, NAT devices, or load balancers as possible.
If the problem disappears in that setup, it would strongly suggest that an intermediate network device is preserving or mishandling the TCP session.