Two Unique agents reporting with the same agent name


Shaun Ludwig

Sep 25, 2019, 6:03:03 AM
to Wazuh mailing list
Hi All

I have discovered by some luck that I have two separate agents, both Windows workstations, sending alerts but with the same agent name. Any idea how this would have happened? I've registered the agents with IP any, and in Wazuh manager I can see "agent_A" and "agent_B" as active, but let's say I restart the Wazuh service on both agents (level 3 email alert): I get two emails stating agent_A has been restarted, hence both reporting with the same name, instead of one saying Agent_A has been restarted and then another mail saying Agent_B has been restarted. A bit concerned now about the rest of my 150 Windows workstation agents.

Thanks
Shaun

Juan Pablo Saez

Sep 25, 2019, 8:35:31 AM
to Wazuh mailing list
Hi Shaun, 

We have just discovered a bug causing successive registrations with the "-I any" option to overwrite each other.


As a workaround, to have your laptops correctly registered, you should follow these steps:

  • Be sure that <use_source_ip>no</use_source_ip> is set to no in /var/ossec/etc/ossec.conf
  • Use agent-auth without any option: /var/ossec/bin/agent-auth -m <manager IP>. If you are registering machines that have exactly the same hostname you have to manually specify an agent name using the -A option: /var/ossec/bin/agent-auth -m <manager IP> -A <hostname>
  • This should be enough to correctly register your agents.

About the bug, as soon as our workflow allows us to do so, we're going to fix it. You can track the progress in this issue.


I hope it helps. Please, let me know how it goes.

Best regards, JP Sáez
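
The workaround steps above as a script, added here as an example; it is not part of the original thread or of Wazuh's own tooling. It checks the use_source_ip setting and prints one agent-auth command per hostname read from stdin, never using "-I any". The function names and the -2, -3 suffix for repeated hostnames are assumptions.

```bash
#!/usr/bin/env bash
# Added example: preflight check plus per-host agent-auth command generation.
# The "-N" suffix for repeated hostnames is an assumption, not a Wazuh convention.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"   # path given in the post
AGENT_AUTH="/var/ossec/bin/agent-auth"                  # path given in the post

# Succeeds only if the file explicitly contains <use_source_ip>no</use_source_ip>.
source_ip_disabled() {
    grep -Eq '<use_source_ip>[[:space:]]*no[[:space:]]*</use_source_ip>' "$1"
}

# Reads hostnames on stdin (one per line) and prints one agent name per line:
# the first occurrence keeps the hostname, repeats get -2, -3, ...
unique_agent_names() {
    awk 'NF { n = ++seen[$1]; print (n == 1 ? $1 : $1 "-" n) }'
}

# Prints the registration command for each hostname on stdin, always with an
# explicit -A name so machines sharing a hostname do not share an agent name.
registration_commands() {
    manager="$1"
    unique_agent_names | while read -r name; do
        printf '%s -m %s -A %s\n' "$AGENT_AUTH" "$manager" "$name"
    done
}

# Usage: register.sh <manager IP> < hostnames.txt
if [ "$#" -ge 1 ]; then
    if ! source_ip_disabled "$OSSEC_CONF"; then
        echo "use_source_ip is not set to no in $OSSEC_CONF" >&2
        exit 1
    fi
    registration_commands "$1"
fi
```

The script only prints the commands, so the list can be reviewed for name collisions before anything is registered.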
