Agent update (small) issue


Franck Ehret

Jun 2, 2023, 12:46:53 PM
to Wazuh mailing list
Hi there,

For the past few versions, I have had several client computers (Win 10, Win 11) that don't seem to update their agents when I push the update.

2023-06-02 18_39_37-Wazuh - Wazuh – Brave.png

But in reality, the agent seems updated... Here is the control panel screenshot of agent N°208, which still reports version 4.3.10. For the others, I tried to clean up the install when 4.4.2 was published (so uninstall + removal of the folder) because I wanted to try a "clean" install, but it doesn't help.

2023-06-02 18_41_51-Programmes et fonctionnalités.png

All Windows computers are CIS hardened, but all servers are too, and servers are not impacted (some updates crash once in a while, but nothing serious).

Any clue? Not problematic but a bit annoying because you never know where you are.
Thx in advance 😉

Nicolas Curioni

Jun 2, 2023, 4:04:50 PM
to Wazuh mailing list

Hello Franck,

Thanks for sharing your doubts with the community.

The behavior you are mentioning could be related to some issue in the agents’ Inventory Databases. This could be because these DBs are not being updated.

Please, try the following:

1- Stop the Wazuh manager service:

systemctl stop wazuh-manager

2- Remove the Inventory databases, related to the affected agents, in the manager. These are within the path /var/ossec/queue/db/<AGENT_ID>.db

3- Start the Wazuh Manager service

systemctl start wazuh-manager

In addition to this, please check if there is any error message in ossec.log file, related to wazuh-db.

I hope this information would be useful for you.
Best regards.
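
The three steps and the log check from the reply above, as an added example that is not part of the original thread and is not Wazuh project code. The backup directory, the `SVC` override and the `.db-wal`/`.db-shm` sidecar file names are assumptions; the databases are moved aside rather than deleted so the step can be undone.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh project code. DB path is the one given in the reply;
# BACKUP_DIR and the .db-wal/.db-shm sidecar names are assumptions.
DB_DIR="${DB_DIR:-/var/ossec/queue/db}"
BACKUP_DIR="${BACKUP_DIR:-/var/ossec/backup/db}"
SVC="${SVC:-systemctl}"   # set SVC=true to rehearse without touching the service

# Steps 1-3: stop the manager, move the DBs of the given agent IDs aside,
# start the manager again. Prints the number of files moved.
reset_agent_dbs() {
    local id f dest moved
    moved=0
    [ "$#" -gt 0 ] || { echo "usage: reset_agent_dbs ID..." >&2; return 2; }
    # Validate every ID before stopping anything: digits only, so an argument
    # can never resolve to another file such as ../global.
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) echo "invalid agent ID: $id" >&2; return 2 ;;
        esac
    done
    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1
    "$SVC" stop wazuh-manager >&2 || return 1
    for id in "$@"; do
        for f in "$DB_DIR/$id.db" "$DB_DIR/$id.db-wal" "$DB_DIR/$id.db-shm"; do
            if [ -f "$f" ] && mv -- "$f" "$dest/"; then
                moved=$((moved + 1))
            fi
        done
    done
    "$SVC" start wazuh-manager >&2 || return 1
    echo "$moved"
}

# Follow-up check: wazuh-db lines at WARNING level or above in an ossec.log.
wazuh_db_errors() {
    grep -E 'wazuh-db(\[[0-9]+\])?: (WARNING|ERROR|CRITICAL):' "$1"
}
```

On the manager this would be called as `reset_agent_dbs 208` and `wazuh_db_errors /var/ossec/logs/ossec.log`, run as root.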

Franck Ehret

Jun 6, 2023, 7:46:10 AM
to Wazuh mailing list
Hi,

I did try the procedure above and it didn't bring any change.
Before posting here, I did try to completely remove the agents with the manage_agents command to see if it made a difference, but it didn't change anything (this should delete the db files too, if I'm correct).

It really seems it is reported as an older version from the client, even though it displays the right version in Control Panel.

Here is the installer log of one of the impacted clients:

=== Logging started: 06/06/2023  13:29:31 ===
Action start 13:29:31: INSTALL.
Action start 13:29:31: FindRelatedProducts.
Action ended 13:29:31: FindRelatedProducts. Return value 0.
Action start 13:29:31: CheckSvcRunning.
Action ended 13:29:32: CheckSvcRunning. Return value 0.
Action start 13:29:32: AppSearch.
Action ended 13:29:32: AppSearch. Return value 1.
Action start 13:29:32: ValidateProductID.
Action ended 13:29:32: ValidateProductID. Return value 1.
Action start 13:29:32: CostInitialize.
Action ended 13:29:32: CostInitialize. Return value 1.
Action start 13:29:32: FileCost.
Action ended 13:29:32: FileCost. Return value 1.
Action start 13:29:32: WixSetDefaultPerUserFolder.
Action ended 13:29:32: WixSetDefaultPerUserFolder. Return value 1.
Action start 13:29:32: WixSetDefaultPerMachineFolder.
Action ended 13:29:32: WixSetDefaultPerMachineFolder. Return value 1.
Action start 13:29:32: CostFinalize.
Action ended 13:29:32: CostFinalize. Return value 1.
Action start 13:29:32: MigrateFeatureStates.
Action ended 13:29:32: MigrateFeatureStates. Return value 0.
Action start 13:29:32: InstallValidate.
Action ended 13:29:32: InstallValidate. Return value 1.
Action start 13:29:32: InstallInitialize.
Action ended 13:29:32: InstallInitialize. Return value 1.
Action start 13:29:32: SetOSVersion10.
Action ended 13:29:32: SetOSVersion10. Return value 1.
Action start 13:29:32: ProcessComponents.
Action ended 13:29:32: ProcessComponents. Return value 1.
Action start 13:29:32: UnpublishFeatures.
Action ended 13:29:32: UnpublishFeatures. Return value 1.
Action start 13:29:32: SchedSecureObjectsRollback.
SchedSecureObjectsRollback:  Entering SchedSecureObjectsRollback in C:\WINDOWS\Installer\MSI7A2A.tmp, version 3.11.4516.0
Action start 13:29:32: ExecSecureObjectsRollback.
Action ended 13:29:33: ExecSecureObjectsRollback. Return value 1.
Action ended 13:29:33: SchedSecureObjectsRollback. Return value 1.
Action start 13:29:33: StopServices.
Action ended 13:29:33: StopServices. Return value 1.
Action start 13:29:33: DeleteServices.
Action ended 13:29:33: DeleteServices. Return value 1.
Action start 13:29:33: RemoveRegistryValues.
Action ended 13:29:33: RemoveRegistryValues. Return value 1.
Action start 13:29:33: RemoveShortcuts.
Action ended 13:29:33: RemoveShortcuts. Return value 1.
Action start 13:29:33: RemoveFiles.
Action ended 13:29:33: RemoveFiles. Return value 1.
Action start 13:29:33: WixSchedInternetShortcuts.
WixSchedInternetShortcuts:  Entering WixSchedInternetShortcuts in C:\WINDOWS\Installer\MSI7AD8.tmp, version 3.11.4516.0
WixSchedInternetShortcuts:  Skipping shortcut for null-action component 'StartMenuShortcuts'
Action ended 13:29:33: WixSchedInternetShortcuts. Return value 1.
Action start 13:29:33: RemoveFolders.
Action ended 13:29:33: RemoveFolders. Return value 1.
Action start 13:29:33: CreateFolders.
Action ended 13:29:33: CreateFolders. Return value 1.
Action start 13:29:33: InstallFiles.
Action ended 13:29:33: InstallFiles. Return value 1.
Action start 13:29:33: CreateShortcuts.
Action ended 13:29:33: CreateShortcuts. Return value 1.
Action start 13:29:33: WixRollbackInternetShortcuts.
Action ended 13:29:33: WixRollbackInternetShortcuts. Return value 1.
Action start 13:29:33: WixCreateInternetShortcuts.
Action ended 13:29:33: WixCreateInternetShortcuts. Return value 1.
Action start 13:29:33: WriteRegistryValues.
Action ended 13:29:33: WriteRegistryValues. Return value 1.
Action start 13:29:33: InstallServices.
Action ended 13:29:33: InstallServices. Return value 1.
Action start 13:29:33: SchedSecureObjects.
SchedSecureObjects:  Entering SchedSecureObjects in C:\WINDOWS\Installer\MSI7B65.tmp, version 3.11.4516.0
Action ended 13:29:33: SchedSecureObjects. Return value 1.
Action start 13:29:33: StartServices.
Action ended 13:29:33: StartServices. Return value 1.
Action start 13:29:33: RegisterUser.
Action ended 13:29:33: RegisterUser. Return value 0.
Action start 13:29:33: RegisterProduct.
Action ended 13:29:33: RegisterProduct. Return value 1.
Action start 13:29:33: PublishFeatures.
Action ended 13:29:33: PublishFeatures. Return value 1.
Action start 13:29:33: PublishProduct.
Action ended 13:29:33: PublishProduct. Return value 1.
Action start 13:29:33: RemoveExistingProducts.
Action ended 13:29:33: RemoveExistingProducts. Return value 0.
Action start 13:29:33: CloseGUI.
Action ended 13:29:33: CloseGUI. Return value 1.
Action start 13:29:33: InstallFinalize.
WixCreateInternetShortcuts:  Entering WixCreateInternetShortcuts in C:\WINDOWS\Installer\MSI7BC4.tmp, version 3.11.4516.0
Action ended 13:29:33: InstallFinalize. Return value 1.
Action ended 13:29:33: INSTALL. Return value 1.
Property(S): UpgradeCode = {F495AC57-7BDE-4C4B-92D8-DBE40A9AA5A0}
Property(S): MAJORVERSION = #10
Property(S): BUILDVERSION = 19045
Property(S): APPLICATIONFOLDER = C:\Program Files (x86)\ossec-agent\
Property(S): WAZUHINSTALLED = Wazuh
Property(S): BIN = C:\Program Files (x86)\ossec-agent\active-response\bin\
Property(S): ACTIVE_RESPONSE = C:\Program Files (x86)\ossec-agent\active-response\
Property(S): SHARED = C:\Program Files (x86)\ossec-agent\shared\
Property(S): SECURITY_CONFIGURATION_ASSESSMENT = C:\Program Files (x86)\ossec-agent\ruleset\sca\
Property(S): SYSCOLLECTOR = C:\Program Files (x86)\ossec-agent\queue\syscollector\
Property(S): ProgramMenuDir = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OSSEC\
Property(S): TMP = C:\Program Files (x86)\ossec-agent\tmp\
Property(S): QUEUE = C:\Program Files (x86)\ossec-agent\queue\
Property(S): DIFF = C:\Program Files (x86)\ossec-agent\queue\diff\
Property(S): FIM = C:\Program Files (x86)\ossec-agent\queue\fim\
Property(S): FIM_DB = C:\Program Files (x86)\ossec-agent\queue\fim\db\
Property(S): SYSCOLLECTOR_DB = C:\Program Files (x86)\ossec-agent\queue\syscollector\db\
Property(S): LOGCOLLECTOR = C:\Program Files (x86)\ossec-agent\queue\logcollector\
Property(S): RULESET = C:\Program Files (x86)\ossec-agent\ruleset\
Property(S): BOOKMARKS = C:\Program Files (x86)\ossec-agent\bookmarks\
Property(S): LOGS = C:\Program Files (x86)\ossec-agent\logs\
Property(S): WODLES = C:\Program Files (x86)\ossec-agent\wodles\
Property(S): RIDS = C:\Program Files (x86)\ossec-agent\rids\
Property(S): SYSCHECK = C:\Program Files (x86)\ossec-agent\syscheck\
Property(S): INCOMING = C:\Program Files (x86)\ossec-agent\incoming\
Property(S): UPGRADE = C:\Program Files (x86)\ossec-agent\upgrade\
Property(S): WixUIRMOption = UseRM
Property(S): WixAppFolder = WixPerMachineFolder
Property(S): WIXUI_INSTALLDIR = APPLICATIONFOLDER
Property(S): ALLUSERS = 1
Property(S): Privileged = 1
Property(S): Installed = 00:00:00
Property(S): ARPNOMODIFY = yes
Property(S): ARPNOREPAIR = yes
Property(S): WixPerUserFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Local\Apps\ossec-agent
Property(S): OS_VERSION = 10
Property(S): WixPerMachineFolder = C:\Program Files (x86)\ossec-agent
Property(S): ExecSecureObjectsRollback = **********
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): TARGETDIR = C:\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): SourceDir = C:\Program Files (x86)\ossec-agent\
Property(S): VersionNT = 603
Property(S): MSIRESTARTMANAGERCONTROL = Disable
Property(S): MsiLogging = v
Property(S): ARPPRODUCTICON = icon.ico
Property(S): WIXUI_EXITDIALOGOPTIONALCHECKBOXTEXT = Run Agent configuration interface
Property(S): ApplicationFolderName = ossec-agent
Property(S): Manufacturer = Wazuh, Inc.
Property(S): ProductCode = {292D4192-20CF-425F-9ADC-71198BB49E7B}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Wazuh Agent
Property(S): ProductVersion = 4.4.3
Property(S): DefaultUIFont = WixUI_Font_Normal
Property(S): WixUI_Mode = Advanced
Property(S): ErrorDialog = ErrorDlg
Property(S): SecureCustomProperties = ADDRESS;AGENT_NAME;AUTHD_PORT;AUTHD_SERVER;CERTIFICATE;GROUP;KEY;NOTIFY_TIME;OS_VERSION;PASSWORD;PEM;PROTOCOL;SERVER_PORT;TIME_RECONNECT;WAZUH_AGENT_GROUP;WAZUH_AGENT_NAME;WAZUH_KEEP_ALIVE_INTERVAL;WAZUH_MANAGER;WAZUH_MANAGER_PORT;WAZUH_PROTOCOL;WAZUH_REGISTRATION_CA;WAZUH_REGISTRATION_CERTIFICATE;WAZUH_REGISTRATION_KEY;WAZUH_REGISTRATION_PASSWORD;WAZUH_REGISTRATION_PORT;WAZUH_REGISTRATION_SERVER;WAZUH_TIME_RECONNECT;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ExecSecureObjects;ExecSecureObjectsRollback
Property(S): MsiLogFileLocation = C:\Program Files (x86)\ossec-agent\installer.log
Property(S): PackageCode = {2CA1A14E-8AF6-488A-A5F9-171FAFCFB657}
Property(S): ProductState = 5
Property(S): ProductToBeRegistered = 1
Property(S): REBOOT = ReallySuppress
Property(S): CURRENTDIRECTORY = C:\Program Files (x86)\ossec-agent
Property(S): CLIENTUILEVEL = 3
Property(S): CLIENTPROCESSID = 3532
Property(S): MsiSystemRebootPending = 1
Property(S): PRODUCTLANGUAGE = 1033
Property(S): VersionDatabase = 200
Property(S): VersionMsi = 5.00
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 1
Property(S): WindowsFolder = C:\WINDOWS\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\WINDOWS\system32\
Property(S): SystemFolder = C:\WINDOWS\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\WINDOWS\TEMP\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\
Property(S): FavoritesFolder = C:\WINDOWS\system32\config\systemprofile\Favorites\
Property(S): NetHoodFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\WINDOWS\system32\config\systemprofile\Documents\
Property(S): PrintHoodFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\WINDOWS\system32\config\systemprofile\AppData\Local\
Property(S): MyPicturesFolder = C:\WINDOWS\system32\config\systemprofile\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\WINDOWS\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 4095
Property(S): VirtualMemory = 2973
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = Système
Property(S): UserSID = S-1-5-18
Property(S): UserLanguageID = 1036
Property(S): ComputerName = XXXXX
Property(S): SystemLanguageID = 1036
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 19
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 13:29:33
Property(S): Date = 06/06/2023
Property(S): MsiNetAssemblySupport = 4.8.4084.0
Property(S): MsiWin32AssemblySupport = 6.3.19041.2788
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): USERNAME = XXXXXX
Property(S): DATABASE = C:\WINDOWS\Installer\65e893e4.msi
Property(S): OriginalDatabase = C:\Program Files (x86)\ossec-agent\wazuh-agent-4.4.3-1.msi
Property(S): UILevel = 2
Property(S): ACTION = INSTALL
Property(S): WAZUHRUNNING = Stopped
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
Property(S): SOURCEDIR = C:\Program Files (x86)\ossec-agent\
Property(S): SourcedirProduct = {292D4192-20CF-425F-9ADC-71198BB49E7B}
MSI (s) (DC:8C) [13:29:33:991]: Product: Wazuh Agent -- Configuration completed successfully.

MSI (s) (DC:8C) [13:29:33:991]: Windows Installer a reconfiguré le produit. Nom du produit : Wazuh Agent. Version du produit : 4.4.3. Langue du produit : 1033. Fabricant : Wazuh, Inc.. Réussite de la reconfiguration ou état d’erreur : 0.

=== Logging stopped: 06/06/2023  13:29:33 ===

To me everything looks normal, but I can't be 100% sure.
Anything else I could check/try?

Kind regards
Franck

Nicolas Curioni

Jun 7, 2023, 4:02:32 PM
to Wazuh mailing list

Hello Franck,

Thanks for your reply.

Looking at the installation logs that you provided, everything looks correct. Maybe we could look for error messages related to wazuh-db in the C:\Program Files (x86)\ossec-agent\ossec.log file.

Regarding what you’ve mentioned about completely removing the agents with the manage_agents command, just a clarification. This command does not remove Wazuh from the agent, it just unregisters the agent from the manager. So the mentioned files were not deleted by running that command.

I hope this information would be useful for you.

Best regards.

Franck Ehret

Jun 23, 2023, 9:01:49 AM
to Wazuh mailing list
Hello,

I didn't find any db errors in the log.

In terms of unregistration, this isn't the best way anyway, so to test with other agents that hadn't updated, I copied the key files, uninstalled the agent and deleted the entire folder before reinstalling and copying the keys back.
Result: impeccable, the agent correctly reports the new version, which confirms quite strongly the idea that something isn't happening correctly on the client itself.

If something was wrong on the server side, a full reinstall wouldn't help, right?

Kind regards
Franck

Nicolas Curioni

Jun 27, 2023, 3:53:31 PM
to Wazuh mailing list

Hello Franck,

I hope this message finds you well. Sorry for the late response.

Thanks for the provided feedback. As you mentioned, reinstalling the server won’t help with this behavior. This seems to be related to the agents not updating the Inventory DBs.

An additional test that could be performed is to activate debug mode and see if we can get some error logs. To do so, modify the /var/ossec/etc/local_internal_options.conf file and set the option wazuh_database.sync_agents=2. You can also enable debug mode for the agent, modifying the file /var/ossec/etc/local_internal_options.conf (in the agent), setting the option windows.debug=0.

You can find information related to this topic in the following link:

I hope this information would be useful for you.

Best regards.
