Wazuh agent installation removes manager and API


Mehran Arya

Oct 22, 2019, 2:01:58 AM
to Wazuh mailing list
Just started installation following the documentation. After installing the Wazuh manager and API, whenever I try to install the agent on the same host, the agent will remove the manager and API while installing, and vice versa (if the agent is installed and I try to install the manager and API, the agent will be removed while installing either of those two).
Is this because I am supposed to install the agent on a different machine? What am I missing here?

M3

Oct 22, 2019, 2:07:31 AM
to Wazuh mailing list

sudo apt-get install wazuh-agent
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following packages will be REMOVED:
  wazuh-api wazuh-manager
The following NEW packages will be installed:
  wazuh-agent
 

Jose Miguel Mallorquin

Oct 22, 2019, 2:28:05 AM
to Wazuh mailing list
Hello Mehran,

We are happy you started to use Wazuh.

Let me give you an answer.

The Wazuh Agent component is used to collect different types of system and application data that it forwards to the Wazuh Manager through an encrypted and authenticated channel. Different Agent tasks or processes are used to monitor the system in different ways (e.g., monitoring file integrity, reading system log messages, scanning system configurations, etc.).

The Wazuh Manager component is in charge of analyzing the data received from the Wazuh Agents and triggering alerts when an event matches a rule (e.g. intrusion detected, file changed, a configuration not compliant with policy, possible rootkit, etc…). It is also in charge of Agent registration and RESTful API (Wazuh API).

And, finally, the Manager also runs Agent components with the purpose of monitoring itself. It reads its own logs and parses the information to generate alerts that will be labeled with the agent.id: 000. Then, the registered Agents start at agent.id: 001 consecutively.

Then, it is not necessary to install the Wazuh Agent component on the machine where Manager and API are already installed. In fact, you are advised every time you try to install the Agent when the Manager is installed and vice versa.

I hope this helps you.

Don't hesitate to ask as many questions as you need.

Best regards,
Jose M.


M3

Oct 22, 2019, 12:52:35 PM
to Wazuh mailing list
Makes sense, but the last words are confusing!
You mentioned installing the agent when the manager is installed, while I can't install these two on the same machine, because one will remove the other!
Can I install the agent with the manager and API on the same machine?

Jose Miguel Mallorquin

Oct 23, 2019, 1:17:59 AM
to Wazuh mailing list
Hello,

I'm sorry for those confusing words. In conclusion: the Agent cannot be installed on the same machine where the Manager and API are installed. Each one will force the removal of the other.

Best regards,
Jose M.
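
A pre-install guard for the conflict described in this thread, as an added example that is not part of the original posts: it reads the plan that apt-get prints (the format shown earlier in the thread) and refuses when a Wazuh component would be removed. The function names and the sample plan are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.

# removed_packages: read apt-get output on stdin and print every package
# listed under "The following packages will be REMOVED:", one per line.
removed_packages() {
    awk '
        /^The following packages will be REMOVED:/ { in_block = 1; next }
        in_block && /^ / { for (i = 1; i <= NF; i++) print $i; next }
        { in_block = 0 }'
}

# check_plan: read a plan on stdin; return 1 (and name the packages) if it
# would remove a Wazuh component, 0 otherwise. A trailing "*" is how apt
# marks a package that is being purged.
check_plan() {
    hits=$(removed_packages | grep -E '^wazuh-(manager|api|agent)\*?$' || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    echo "refusing: plan removes $(echo $hits)" >&2
    return 1
}

# Constructed sample, mirroring the output posted in the thread.
sample_plan() {
    cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  wazuh-api wazuh-manager
The following NEW packages will be installed:
  wazuh-agent
EOF
}

# Demo on the sample; on a real host, feed it a dry run instead:
#   LC_ALL=C apt-get --simulate install wazuh-agent | check_plan \
#       && sudo apt-get install wazuh-agent
sample_plan | removed_packages
```
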

M3

Oct 23, 2019, 2:22:05 PM
to Wazuh mailing list
Thanks. Does that mean that in a network of hundreds of systems I have to install the agent on all systems except the system that is monitoring?

Jose Miguel Mallorquin

Oct 24, 2019, 1:42:27 AM
to Wazuh mailing list
Hello,

Yes, the Wazuh Manager fulfills all the functions of a Wazuh Agent. So, the Agent is installed on all systems to be monitored except the Manager system (the server in charge of analyzing the data received from the Agents and network devices, apart from analyzing itself).

The Wazuh Agent component can be installed on physical servers, virtual machines and cloud instances (e.g. Amazon AWS, Azure or Google Cloud). Pre-compiled Agent installation packages are available for Linux, HP-UX, AIX, Solaris, Windows, and Darwin (Mac OS X). And, we can also monitor agentless devices, such as switches, routers, firewalls, etc. where software cannot be installed. You might be interested in Agentless monitoring and Remote syslog collection capabilities.

I hope this helps.

Best regards,
Jose M.

M3

Oct 26, 2019, 6:45:02 PM
to Wazuh mailing list
Makes sense. I’m currently running the manager on a VM and an agent on the host, but noticed that it got disconnected from the agent after shutting down the host, obviously. But now, having turned both (manager and host) back on, the manager still shows that the agent is disconnected; however, it’s running (checked by getting the status). So the question is: when an agent goes down and gets disconnected from the manager (the manager was down too, since it ran on a VM) for any reason, but later the agent comes back live, why is the manager not getting connected?

Jose Miguel Mallorquin

Oct 28, 2019, 3:19:59 AM
to Wazuh mailing list
Hello M3,

We can use the following tool on the Manager side to check the real-time status of every registered Agent:
/var/ossec/bin/agent_control -l

(To show the available options, use -h or --help.)

The desired status of the Agent is Active.

Otherwise, please, check the /var/ossec/logs/ossec.log log file both on Manager and Agent machines to know what is happening.

You can also check the connectivity between the host (Wazuh Agent) and VM (Wazuh Manager):

  - Registration port: 1515/TCP (from Agent to Manager, unidirectional)
  - Reporting port: 1514/UDP (from Agent to Manager, unidirectional). We can also use TCP instead of UDP, in the ossec.conf configuration file on both ends.

I hope it helps.

Best regards,
Jose M. 

M3

Oct 28, 2019, 8:23:38 PM
to Wazuh mailing list
It seems it is because the host and agent were shut down, but the agent wasn't able to connect to the manager after it was started later.

So I tried to uninstall the agent and then install it, but now it won't start at all and I am getting the "ossec-agentd: CRITICAL: (1751): File client.keys not found or empty" error in the log.

How do I fix it and reconnect the agent to the host?

Jose Miguel Mallorquin

Oct 29, 2019, 3:01:13 AM
to Wazuh mailing list
Hi M3,

The client.keys file stores the data used to authenticate secure Agents. The Agent will fail to work if it has never been connected to a Manager properly, giving the error you mention.

Please, verify the Agent can reach the Manager through the port 1515/TCP to be registered:
telnet <your_manager_IP> 1515

The result must be like the following example:
[root@16-elastic7-3 ~]# telnet 11.0.0.9 1515
Trying 11.0.0.9...
Connected to 11.0.0.9.
Escape character is '^]'.


If it is correct, register the Agent again. There are several available Registration methods.

For example, the simple method is performed as below on Linux Agents:

1. Run the agent-auth binary tool with the option -m and your Manager IP address:
/var/ossec/bin/agent-auth -m <MANAGER_IP_ADDRESS>

2. Open the /var/ossec/etc/ossec.conf file and replace MANAGER_IP with your Manager IP address:
<client>
  <server>
    <address>MANAGER_IP</address>
    ...
  </server>
</client>

3. Restart the wazuh-agent service:
/var/ossec/bin/ossec-control restart

If the process is correct, the /var/ossec/etc/client.keys file is automatically created, the Agent is now registered and it can start as expected.

On the Manager side, you can check the status of the Agents by using the agent_control tool. You will obtain a result like the example below:
/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
ID: 000, Name: wazuh-manager-3-10-2-ip9 (server), IP: 127.0.0.1, Active/Local
ID: 003, Name: wazuh-agent-14, IP: 11.0.0.14, Disconnected
ID: 004, Name: elastic, IP: 11.0.0.16, Active

The possible statuses are: Disconnected, Pending, Never connected and Active.

I hope this helps.

Best regards,
Jose M.
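
The two verification steps from the reply above (client.keys present after registration, agent status on the Manager), as an added example that is not part of the original post. The paths and the agent_control output format come from the thread; the function names are hypothetical, and the sample listing is constructed, with one extra "Never connected" entry added.

```shell
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.

# keys_ok [FILE]: succeed only if client.keys exists and is non-empty,
# the condition whose failure produces error 1751 on the Agent.
keys_ok() {
    [ -s "${1:-/var/ossec/etc/client.keys}" ]
}

# not_active: read `agent_control -l` output on stdin and print
# "ID<TAB>NAME<TAB>STATUS" for every agent whose status is not Active.
# The status is the last comma-separated field; "Active/Local" (the
# Manager itself, ID 000) counts as active.
not_active() {
    awk -F', ' '
        /^ID: / {
            id = $1;   sub(/^ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            status = $NF
            sub(/[ \t\r]+$/, "", status)
            if (status !~ /^Active/)
                printf "%s\t%s\t%s\n", id, name, status
        }'
}

# Constructed sample in the format shown in the thread.
sample_list() {
    cat <<'EOF'
Wazuh agent_control. List of available agents:
ID: 000, Name: wazuh-manager-3-10-2-ip9 (server), IP: 127.0.0.1, Active/Local
ID: 003, Name: wazuh-agent-14, IP: 11.0.0.14, Disconnected
ID: 004, Name: elastic, IP: 11.0.0.16, Active
ID: 005, Name: new-host, IP: 11.0.0.20, Never connected
EOF
}

# Demo on the sample. On a real Manager:
#   /var/ossec/bin/agent_control -l | not_active
# On a real Agent, after running agent-auth:
#   keys_ok || echo "client.keys missing or empty" >&2
sample_list | not_active
```
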