What happens when an agent changes from network to network?
133 views
Skip to first unread message
Joaquim António
Oct 27, 2023, 9:23:54 AM10/27/23
to Wazuh | Mailing List
Hello Wazuh Team,
Suppose we have a laptop with the agent installed. It registers to the Wazuh server in a certain network and starts sending data. But later, the laptop is used in another network. Is that laptop still being monitored and does it show another IP different from the IP used during enrollment?
In addition, if the IP of the laptop is always given by DHCP, and the IP showing in Wazuh is APIPA (169.254.x.x), how can we change it to the actual IP, that may be in another interface?
Thank your for your time,
Joaquim Antonio
David Correa Rodriguez
Oct 30, 2023, 7:23:40 AM10/30/23
to Wazuh | Mailing List
Hello.
This situation is quite common where agent IP addresses are under NAT and with a DHCP server where they change constantly. When updating the manager, certain restrictions may be applied that were not previously taken into account. I propose that you manually register agents experiencing these issues through the command line of each agent.
In case the IP address of the laptop changes, the Wazuh agent will be connected to the Wazuh manager, as the manager's IP did not change, but the manager will not recognize the Wazuh agent.
In case you want to handle this manually, I would recommend you to take a look at this [documentation](https://documentation.wazuh.com/current/development/client-keys.html). To manage this, you have to change the `client.keys` config and specify the new IP address of the Wazuh agent. Then, restart the Wazuh manager executing the `systemctl restart wazuh-manager`
Another alternative is to use the `agent-auth` tool. In the agent, execute the command `/var/ossec/bin/agent-auth -m <manager_IP> -I any [-A <agent_name>]`. It's important to include the 'any' keyword since it allows the agent to change its IP. It might be a good idea to specify a unique name to every agent as well.
Hope it helps. Regards.
This situation is quite common where agent IP addresses are under NAT and with a DHCP server where they change constantly. When updating the manager, certain restrictions may be applied that were not previously taken into account. I propose that you manually register agents experiencing these issues through the command line of each agent.
In case the IP address of the laptop changes, the Wazuh agent will be connected to the Wazuh manager, as the manager's IP did not change, but the manager will not recognize the Wazuh agent.
In case you want to handle this manually, I would recommend you to take a look at this [documentation](https://documentation.wazuh.com/current/development/client-keys.html). To manage this, you have to change the `client.keys` config and specify the new IP address of the Wazuh agent. Then, restart the Wazuh manager executing the `systemctl restart wazuh-manager`
Another alternative is to use the `agent-auth` tool. In the agent, execute the command `/var/ossec/bin/agent-auth -m <manager_IP> -I any [-A <agent_name>]`. It's important to include the 'any' keyword since it allows the agent to change its IP. It might be a good idea to specify a unique name to every agent as well.
Hope it helps. Regards.
Reply all
Reply to author
Forward
0 new messages