Change wazuh agent name


Igor Cantarelli

Dec 26, 2022, 8:45:12 AM
to Wazuh mailing list
Hi! I would like to know how to change the name of an agent (one that is already registered and connected). I tried to perform the procedures mentioned in the conversation https://groups.google.com/g/wazuh/c/hgPM0dlVr7I, but without success.

Lucio Donda

Dec 26, 2022, 9:11:33 AM
to Wazuh mailing list
Hi Igor!
That message you posted is an old one (old Wazuh versions; now we have other authentication and registration methods).
I did a little research on our community space on Slack and found a better one. I'll paste its content here, but do check the original post here.

Wazuh doesn't have a specific functionality that allows users to rename an already registered agent, but there's a workaround to achieve this.
However, you'll not be able to keep all the logging data from the old agent.
  1. Delete the agent and register it again with a new name (inconvenience: wazuh-agent has a new ID).
First, stop the wazuh-agent we want to rename:
systemctl stop wazuh-agent
Next, remove the wazuh-agent from the wazuh-manager. For this we can use for example the CLI tool /var/ossec/bin/manage_agents of the wazuh-manager. More info about removing agents here.
Once deleted, register the agent with the new name.
You can perform this in two different ways:
  • Using the <enrollment> tag in the ossec.conf configuration file:
The following configuration block must be added to the ossec.conf file of the wazuh-agent (more information here).
<enrollment>
  <agent_name>YOUR_NEW_AGENT_NAME</agent_name>
</enrollment>
Then start the wazuh-agent and wait a few seconds until the wazuh-agent requests a new key and registers with the new name but with a different ID.
  • Registering manually with the agent-auth tool.
In the wazuh-agent, we can execute the command (more info here)
/var/ossec/bin/agent-auth -m <WAZUH-MANAGER-IP> -A <YOUR_NEW_AGENT_NAME>
and then start the wazuh-agent:
systemctl start wazuh-agent
Note: The disadvantage of this process is that the agent will have a new ID after this process.

  2. Re-register the agent using the POST API endpoint /agents/insert (from versions >= 4.3.0).
Disclaimer: There is an open issue where a bad agent status is reported after performing this process. I advise not to use this method until this issue is solved in the next versions. I mention this for visibility, as this would solve the problem of the agent having a new ID. In this case, using the POST /agents/insert API endpoint you can re-register the agent under the same ID and with a different name. More info here
The process would be to make a request to the API with the following payload:
{
  "id": "001",
  "key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
  "name": "new_agent_name",
  "ip": "any",
  "force": {
    "enabled": true,
    "disconnected_time": { "enabled": false },
    "after_registration_time": "0s"
  }
}

You will see something similar to the following as a response:
{
  "data": {
    "id": "001",
    "key": "<KEY>"
  },
  "error": 0
}

where key is the wazuh-agent key. This key needs to be imported in the wazuh-agent. Have a look at importing the key to the agent documentation.

For example, you can do it easily by running the following in the wazuh-agent:
/var/ossec/bin/manage_agents -i <NEW_KEY>
After following the steps and restarting the wazuh-agent, the wazuh-agent name is updated.
Remember that this method does not seem to work properly yet, so in case it is necessary to use it, keep an eye on the mentioned issue.

I hope this helps you!

Let me know if you could achieve it with this one. 
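
A key returned by POST /agents/insert can be checked for the expected ID and new name before it is imported with manage_agents -i. The script below is an added example, not part of the original thread and not Wazuh's own code. It assumes the key is the base64 encoding of the client.keys line "ID NAME IP KEY"; the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a Wazuh agent key before running
#   /var/ossec/bin/manage_agents -i <NEW_KEY>
# Assumption: the key is base64 of the client.keys line "ID NAME IP KEY".

# Print the decoded "ID NAME IP KEY" line; non-zero status on invalid base64.
decode_agent_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# check_agent_key B64_KEY EXPECTED_ID EXPECTED_NAME
# Status: 0 = ID and name match, 1 = mismatch, 2 = malformed key.
# The secret field is never printed.
check_agent_key() {
    cak_line=$(decode_agent_key "$1") || { echo "key is not valid base64" >&2; return 2; }
    # Split on whitespace; anything left in cak_extra means too many fields.
    read -r cak_id cak_name cak_ip cak_secret cak_extra <<EOF
$cak_line
EOF
    if [ -z "$cak_secret" ] || [ -n "$cak_extra" ]; then
        echo "key does not decode to four fields" >&2
        return 2
    fi
    if [ "$cak_id" != "$2" ]; then
        echo "agent ID is '$cak_id', expected '$2'" >&2
        return 1
    fi
    if [ "$cak_name" != "$3" ]; then
        echo "agent name is '$cak_name', expected '$3'" >&2
        return 1
    fi
    echo "ok: ID $cak_id, name $cak_name, ip $cak_ip"
}

# Constructed sample: the ID, name, IP and placeholder key from the request
# payload in the post above, encoded the way the assumption describes.
SAMPLE_LINE='001 new_agent_name any 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64'
SAMPLE_KEY=$(printf '%s' "$SAMPLE_LINE" | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 001 new_agent_name            # same ID, new name
check_agent_key "$SAMPLE_KEY" 001 old_agent_name || true    # flags a rename that did not apply
```

A non-zero status means the key should not be imported until the mismatch is explained.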

Igor Cantarelli

Dec 26, 2022, 12:38:27 PM
to Lucio Donda, Wazuh mailing list
Hi, Lucio!
Thanks for the answer, I didn't find something so enlightening on the forum. Appreciate it.
