Re: Wazuh cluster using load balancer keeps showing agents as never connected


Alberto Rodriguez

Dec 27, 2021, 1:44:31 AM
to Wazuh mailing list

Hello

Sorry for the late response. What Windows version is the installed agent running on? We explain here: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/deployment-variables/deployment-variables-windows.html that, in Windows versions older than Windows Server 2008 or Windows 7, it's necessary to run the wazuh-authd program on the Wazuh manager with the -a flag or set the <ssl_auto_negotiate> option to yes in the auth configuration to avoid compatibility errors.
Could that be your case?


Regards, 

Alberto R

On Wednesday, December 15, 2021 at 10:21:26 AM UTC+1 jobem...@gmail.com wrote:
Hi,

I have set up a Wazuh cluster with 3 Wazuh nodes (manager, 2 workers), an elastic node (kibana, elasticsearch) and a load balancer.

When the agent is deployed to the workstations some work and some don't. The agent script is:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.5-1.msi -OutFile wazuh-agent.msi; ./wazuh-agent.msi /q WAZUH_MANAGER=' LOADBALANCERIP' WAZUH_REGISTRATION_SERVER='LOADBALANCERIP'

As I said, some agents are working, but then the other 9 I deploy to can't. It's deployed using an RMM tool which runs a batch file, which works fine. The weird thing is sometimes the agents showing as never connected will just come online after a week or so. What I have done is attach the ossec.log and conf of the agent to see if there is anything I'm missing. It keeps throwing up an SSL read error. The below error will repeat until it works:

No authentication password provided
2021/11/30 15:19:51 wazuh-agent: INFO: Using agent name as: Redacted
2021/11/30 15:19:51 wazuh-agent: INFO: Waiting for server reply
2021/11/30 15:19:51 wazuh-agent: ERROR: SSL read (unable to receive message)
2021/11/30 15:19:51 wazuh-agent: ERROR: If Agent verification is enabled, agent key and certificates may be incorrect!
2021/11/30 15:19:56 wazuh-agent: INFO: Requesting a key from server: cg-lb.vipertd.io/139.59.178.230

I have attached a screenshot showing that there are loads of agents with never connected but then one will work out of nowhere -



I've also attached my LB conf, it's a Linux box with nginx LB -

stream {
    upstream master {
        server WAZ-Manager:1515;
    }

    upstream mycluster {
        hash $remote_addr consistent;
        server  WAZ-Manager:1514;
        server  WAZ-Worker1:1514;
        server  WAZ-Worker2:1514;
    }

    server {
        listen 1515;
        proxy_pass master;
    }

    server {
        listen 1514;
        proxy_pass mycluster;
    }
}

Wazuh Manager cluster conf - 
<auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>WAZ-Clust</name>
    <node_name>wc-main</node_name>
    <node_type>master</node_type>
    <key>Redacted</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>ManagerIP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>

Worker conf - 
<auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force_insert>yes</force_insert>
    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>WAZ-Clust</name>
    <node_name>wc-worker1</node_name>
    <node_type>worker</node_type>
    <key>93c56f11ce46fdba2763ca8450dc7680</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>ManagerIP</node>
    </nodes>

    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>

Any help would be great,
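An added triage sketch for the situation discussed in this thread (not code from the thread or from Wazuh): it counts enrollment attempts in an agent ossec.log that end in the SSL read error and reads ssl_auto_negotiate from the manager's <auth> block, flagging the combination the reply asks about. The log and config samples are constructed from the lines quoted above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: agent ossec.log lines modelled on those quoted in the thread.
SAMPLE_LOG = """\
2021/11/30 15:19:51 wazuh-agent: INFO: Requesting a key from server: LOADBALANCERIP
2021/11/30 15:19:51 wazuh-agent: INFO: Waiting for server reply
2021/11/30 15:19:51 wazuh-agent: ERROR: SSL read (unable to receive message)
2021/11/30 15:19:56 wazuh-agent: INFO: Requesting a key from server: LOADBALANCERIP
2021/11/30 15:19:56 wazuh-agent: INFO: Waiting for server reply
2021/11/30 15:19:56 wazuh-agent: ERROR: SSL read (unable to receive message)
"""

# Constructed sample: trimmed copy of the <auth> block posted for the manager.
SAMPLE_AUTH = """\
<auth>
  <disabled>no</disabled>
  <port>1515</port>
  <!-- <ssl_agent_ca></ssl_agent_ca> -->
  <ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) wazuh-agent: (\w+): (.*)$")

def enrollment_attempts(log_text):
    """Group log lines into enrollment attempts; each starts at a key request."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip truncated or unrelated lines
        ts, level, msg = m.groups()
        if msg.startswith("Requesting a key from server"):
            attempts.append({"start": ts, "ssl_read_error": False})
        elif attempts and level == "ERROR" and msg.startswith("SSL read"):
            attempts[-1]["ssl_read_error"] = True
    return attempts

def auth_option(conf_text, name):
    """Read one <auth> option; fragments may lack a single root, so wrap them."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    node = root.find(".//auth/" + name)
    return node.text.strip() if node is not None and node.text else None

def triage(log_text, conf_text):
    attempts = enrollment_attempts(log_text)
    failed = sum(a["ssl_read_error"] for a in attempts)
    negotiate = auth_option(conf_text, "ssl_auto_negotiate")
    # SSL read failures with auto-negotiation off: check the agent's Windows version.
    return {"attempts": len(attempts), "ssl_read_failures": failed,
            "ssl_auto_negotiate": negotiate,
            "check_windows_version": failed > 0 and negotiate != "yes"}
```
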