Duplicated Agent
60 views
Skip to first unread message
Matias
Dec 1, 2022, 11:19:23 AM12/1/22
to Wazuh mailing list
Hello team wazuh.
A few days ago I had a problem with many agents.
They were automatically duplicated and registered with the hostname.
To register the agents, use this method.
https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-manager-API/index.html
The version of wazuh manager is 4.3.8
The version of the agents is 4.3.9.1
A few days ago I had a problem with many agents.
They were automatically duplicated and registered with the hostname.
To register the agents, use this method.
https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-manager-API/index.html
The version of wazuh manager is 4.3.8
The version of the agents is 4.3.9.1
Santiago David Vendramini
Dec 1, 2022, 2:22:16 PM12/1/22
to Wazuh mailing list
The problem may be due to the connection being lost, so after 5 failed reconnection attempts the agent tries to register again.
This can be avoided by modifying the enrrollment block of the agent's /var/ossec/etc/ossec.conf file with the agent name you need it to have:
agent-enrollment documentation
agent-name reference
Example
<client>
<enrollment>
<agent_name>EXAMPLE_NAME</agent_name>
<groups>GROUP1,GROUP2,GROUP3</groups>
</enrollment>
</client>
If you want to register them again with the previous names, you can configure the force block of the manager's /var/ossec/etc/ossec.conf file:
force reference
Example:
<force>
<enabled>yes</enabled>
<disconnected_time enabled="yes">1h</disconnected_time>
<after_registration_time>1h</after_registration_time>
<key_mismatch>yes</key_mismatch>
</force>
I hope this solves your need. Let me know if you need anything else!
Best Regards!
This can be avoided by modifying the enrrollment block of the agent's /var/ossec/etc/ossec.conf file with the agent name you need it to have:
agent-enrollment documentation
agent-name reference
Example
<client>
<enrollment>
<agent_name>EXAMPLE_NAME</agent_name>
<groups>GROUP1,GROUP2,GROUP3</groups>
</enrollment>
</client>
If you want to register them again with the previous names, you can configure the force block of the manager's /var/ossec/etc/ossec.conf file:
force reference
Example:
<force>
<enabled>yes</enabled>
<disconnected_time enabled="yes">1h</disconnected_time>
<after_registration_time>1h</after_registration_time>
<key_mismatch>yes</key_mismatch>
</force>
I hope this solves your need. Let me know if you need anything else!
Best Regards!
Matias
Dec 1, 2022, 2:48:55 PM12/1/22
to Wazuh mailing list
Just one more question, should I do those configurations in the wazuh manager or in the wazuh agent?
Santiago David Vendramini
Dec 2, 2022, 9:06:18 AM12/2/22
to Wazuh mailing list
Agent configuration: This can be avoided by modifying the enrrollment block of the agent's /var/ossec/etc/ossec.conf file with the agent name you need it to have:
agent-enrollment documentation
agent-name reference
Example
<client>
<enrollment>
<agent_name>EXAMPLE_NAME</agent_name>
<groups>GROUP1,GROUP2,GROUP3</groups>
</enrollment>
</client>
Manager configuration: If you want to register them again with the previous names, you can configure the force block of the manager's /var/ossec/etc/ossec.conf file:
force reference
Example:
<force>
<enabled>yes</enabled>
<disconnected_time enabled="yes">1h</disconnected_time>
<after_registration_time>1h</after_registration_time>
<key_mismatch>yes</key_mismatch>
</force>
agent-enrollment documentation
agent-name reference
Example
<client>
<enrollment>
<agent_name>EXAMPLE_NAME</agent_name>
<groups>GROUP1,GROUP2,GROUP3</groups>
</enrollment>
</client>
force reference
Example:
<force>
<enabled>yes</enabled>
<disconnected_time enabled="yes">1h</disconnected_time>
<after_registration_time>1h</after_registration_time>
<key_mismatch>yes</key_mismatch>
</force>
Matias
Dec 2, 2022, 1:24:30 PM12/2/22
to Wazuh mailing list
This solution did not work on the agent's side, the code gave me an error, however, I studied the documentation that you gave me a little more and I was able to find the solution
use the following code
<client>
<enrollment>
<enabled>yes</enabled>
<manager_address>192.168.1.100</manager_address>
<port>1514</port>
<agent_name>agent</agent_name>
<groups>Group1</groups>
<agent_address>192.168.0.110</agent_address>
<ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ssl_cipher>
<server_ca_path>/path/to/server_ca</server_ca_path>
<agent_certificate_path>/path/to/agent.cert</agent_certificate_path>
<agent_key_path>/path/to/agent.key</agent_key_path>
<authorization_pass_path>/path/to/agent.pass</authorization_pass_path>
<auto_method>no</auto_method>
<delay_after_enrollment>20</delay_after_enrollment>
<use_source_ip>no</use_source_ip>
</enrollment>
<\client>
<enabled>yes</enabled>
<manager_address>192.168.1.100</manager_address>
<port>1514</port>
<agent_name>agent</agent_name>
<groups>Group1</groups>
<agent_address>192.168.0.110</agent_address>
<ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ssl_cipher>
<server_ca_path>/path/to/server_ca</server_ca_path>
<agent_certificate_path>/path/to/agent.cert</agent_certificate_path>
<agent_key_path>/path/to/agent.key</agent_key_path>
<authorization_pass_path>/path/to/agent.pass</authorization_pass_path>
<auto_method>no</auto_method>
<delay_after_enrollment>20</delay_after_enrollment>
<use_source_ip>no</use_source_ip>
</enrollment>
<\client>
to restore the previous agent I put the key it had before
Reply all
Reply to author
Forward
0 new messages