Duplicated Agent

52 views
Skip to first unread message

Matias

unread,
Dec 1, 2022, 11:19:23 AM12/1/22
to Wazuh mailing list
Hello team wazuh.
A few days ago I had a problem with many agents.
They were automatically duplicated and registered with the hostname.
To register the agents, use this method.
https://documentation.wazuh.com/current/user-manual/agent-enrollment/via-manager-API/index.html

The version of wazuh manager is 4.3.8
The version of the agents is 4.3.9.1

Santiago David Vendramini

unread,
Dec 1, 2022, 2:22:16 PM12/1/22
to Wazuh mailing list
The problem may be due to the connection being lost, so after 5 failed reconnection attempts the agent tries to register again.

This can be avoided by modifying the enrrollment block of the agent's /var/ossec/etc/ossec.conf file with the agent name you need it to have:

agent-enrollment documentation
agent-name reference

Example

    <client>
        <enrollment>
            <agent_name>EXAMPLE_NAME</agent_name>
            <groups>GROUP1,GROUP2,GROUP3</groups>
        </enrollment>
    </client>


If you want to register them again with the previous names, you can configure the force block of the manager's /var/ossec/etc/ossec.conf file:

force reference

Example:

    <force>
        <enabled>yes</enabled>
          <disconnected_time enabled="yes">1h</disconnected_time>
          <after_registration_time>1h</after_registration_time>
          <key_mismatch>yes</key_mismatch>
    </force>



I hope this solves your need. Let me know if you need anything else!
Best Regards!

Matias

unread,
Dec 1, 2022, 2:48:55 PM12/1/22
to Wazuh mailing list
Just one more question, should I do those configurations in the wazuh manager or in the wazuh agent?

Santiago David Vendramini

unread,
Dec 2, 2022, 9:06:18 AM12/2/22
to Wazuh mailing list
Agent configuration: This can be avoided by modifying the enrrollment block of the agent's /var/ossec/etc/ossec.conf file with the agent name you need it to have:


agent-enrollment documentation
agent-name reference

Example

    <client>
        <enrollment>
            <agent_name>EXAMPLE_NAME</agent_name>
            <groups>GROUP1,GROUP2,GROUP3</groups>
        </enrollment>
    </client>


Manager configuration: If you want to register them again with the previous names, you can configure the force block of the manager's /var/ossec/etc/ossec.conf file:


force reference

Example:

    <force>
        <enabled>yes</enabled>
          <disconnected_time enabled="yes">1h</disconnected_time>
          <after_registration_time>1h</after_registration_time>
          <key_mismatch>yes</key_mismatch>
    </force>


Matias

unread,
Dec 2, 2022, 1:24:30 PM12/2/22
to Wazuh mailing list
This solution did not work on the agent's side, the code gave me an error, however, I studied the documentation that you gave me a little more and I was able to find the solution
use the following code
<client>
 <enrollment>
    <enabled>yes</enabled>
    <manager_address>192.168.1.100</manager_address>
    <port>1514</port>
    <agent_name>agent</agent_name>
    <groups>Group1</groups>
    <agent_address>192.168.0.110</agent_address>
    <ssl_cipher>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ssl_cipher>
    <server_ca_path>/path/to/server_ca</server_ca_path>
    <agent_certificate_path>/path/to/agent.cert</agent_certificate_path>
    <agent_key_path>/path/to/agent.key</agent_key_path>
    <authorization_pass_path>/path/to/agent.pass</authorization_pass_path>
    <auto_method>no</auto_method>
    <delay_after_enrollment>20</delay_after_enrollment>
    <use_source_ip>no</use_source_ip>
  </enrollment>
<\client>

to restore the previous agent I put the key it had before
Reply all
Reply to author
Forward
0 new messages