Unfinished agent registration


Miroslav M

Jan 21, 2022, 7:19:03 AM
to Wazuh mailing list
I have a new Wazuh installation and also an old one, which stopped working on 30.12. The old one suddenly unregistered agents and the new one has a similar problem.

Server side:
# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: zimbra, IP: any, Never connected
   ID: 003, Name: mail, IP: any, Never connected

List of agentless devices:

Log
..
2022/01/21 12:51:33 wazuh-authd: INFO: New connection from 172.17.60.13
2022/01/21 12:51:33 wazuh-authd: INFO: Received request for a new agent (mail) from: 172.17.60.13
2022/01/21 12:51:33 wazuh-authd: INFO: Duplicate name 'mail' (003).
2022/01/21 12:51:33 wazuh-authd: INFO: Agent '003' key already exists on the manager.
..

Also, I cannot connect to remote syslog from the firewall:
2022/01/21 12:51:35 wazuh-remoted: WARNING: (1213): Message from '192.168.60.10' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.

Agent side:
2022/01/21 12:51:16 wazuh-agentd: INFO: Trying to connect to server (192.168.60.20:1514/tcp).
2022/01/21 12:51:16 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.60.20:1514/tcp': 'Connection refused'.
2022/01/21 12:51:16 wazuh-agentd: INFO: Requesting a key from server: 192.168.60.20
2022/01/21 12:51:16 wazuh-agentd: INFO: No authentication password provided
2022/01/21 12:51:16 wazuh-agentd: INFO: Using agent name as: mail
2022/01/21 12:51:16 wazuh-agentd: INFO: Waiting for server reply
2022/01/21 12:51:16 wazuh-agentd: ERROR: Duplicate agent name: mail (from manager)
2022/01/21 12:51:16 wazuh-agentd: ERROR: Unable to add agent (from manager)
2022/01/21 12:51:26 wazuh-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '192.168.60.20'.
2022/01/21 12:51:26 wazuh-agentd: WARNING: Unable to connect to any server.
2022/01/21 12:51:26 wazuh-agentd: INFO: Trying to connect to server (192.168.60.20:1514/tcp).
2022/01/21 12:51:26 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.60.20:1514/tcp': 'Connection refused'.

Registration was done this way:
WAZUH_MANAGER="191.168.60.20" yum install wazuh-agent



Pedro Nicolás Gomez

Jan 21, 2022, 2:43:01 PM
to Wazuh mailing list

Hi, thanks for using Wazuh.

Based on the logs displayed, it looks like there is a naming conflict or a network problem.

Name conflict: as we can see, there is already an agent registered with the name "mail", so when you try to register another agent with the name "mail", it fails:

2022/01/21 12:51:33 wazuh-authd: INFO: Duplicate name 'mail' (003).

In this case we must make sure that there is only one agent with the name "mail". If you are sure of this, we can remove the agent previously registered with the name "mail" and register it again. For this, we follow these steps:

     Stop the agent:

          On the agent side we execute:

          /var/ossec/bin/wazuh-control stop

     Delete the old agent:

          On the manager side we execute:

          /var/ossec/bin/manage_agents -r 003

          Note that 003 is the ID related to the agent with name "mail" previously registered.

     Register the agent again:

          On the agent side we execute:

          /var/ossec/bin/agent-auth -m MANAGER_IP -A mail

     Then, start the agent:

          /var/ossec/bin/wazuh-control start

Network problem:

Please keep in mind that Wazuh by default uses ports 1515/TCP for registration and 1514/TCP for communication.

I would suggest checking whether you have a connection through these ports (check firewall rules ...).

In case some of these ports are closed, open them and then restart both the Wazuh manager and the agent.

Also make sure that the agent and the manager use the same communication protocol.

On the agent side, in the ossec.conf file in the <client> section: 
<client>
  <server>
    …
    <port>1514</port>
    <protocol>tcp</protocol>
    …
  </server>
</client>

On the manager side, in the ossec.conf file in the <remote> section:
<remote>
  …
  <port>1514</port>
  <protocol>tcp</protocol>
  …
</remote>

I hope it helps.

Best regards, Pedro Nicolas.
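
As an added example (not part of the original thread and not Wazuh's own code), a small Python triage of the log lines quoted above: it pairs each duplicate-name rejection with the existing agent ID and the IP that requested the key, so you can confirm it is the expected host before removing that ID, and it counts refused connections and rejected syslog sources. The sample lines are copied from this thread; the function and variable names are assumptions.

```python
import re
from collections import defaultdict

# Sample input: log lines copied from the thread above.
SAMPLE = """\
2022/01/21 12:51:33 wazuh-authd: INFO: Received request for a new agent (mail) from: 172.17.60.13
2022/01/21 12:51:33 wazuh-authd: INFO: Duplicate name 'mail' (003).
2022/01/21 12:51:35 wazuh-remoted: WARNING: (1213): Message from '192.168.60.10' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.
2022/01/21 12:51:16 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.60.20:1514/tcp': 'Connection refused'.
2022/01/21 12:51:16 wazuh-agentd: ERROR: Duplicate agent name: mail (from manager)
2022/01/21 12:51:26 wazuh-agentd: ERROR: (1216): Unable to connect to '192.168.60.20:1514/tcp': 'Connection refused'.
"""

# "<date> <time> <daemon>: <LEVEL>: <message>"
LINE = re.compile(r"^\S+ \S+ (?P<daemon>wazuh-\w+): (?P<level>\w+): (?P<msg>.*)$")
REQUEST = re.compile(r"Received request for a new agent \((?P<name>[^)]+)\) from: (?P<ip>\S+)")
DUPLICATE = re.compile(r"Duplicate name '(?P<name>[^']+)' \((?P<id>\d+)\)")
REFUSED = re.compile(r"\(1216\): Unable to connect to '(?P<target>[^']+)': 'Connection refused'")
UNKNOWN_SRC = re.compile(r"\(1213\): Message from '(?P<ip>[^']+)' not allowed")


def triage(log_text):
    """Group the failure modes seen in the thread's manager and agent logs."""
    requester = {}              # agent name -> last IP that asked for a key
    duplicates = {}             # agent name -> (existing agent ID, requesting IP)
    refused = defaultdict(int)  # "host:port/proto" -> number of refusals
    unknown_sources = set()     # source IPs rejected by wazuh-remoted
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a Wazuh daemon log line
        msg = line["msg"]
        if m := REQUEST.search(msg):
            requester[m["name"]] = m["ip"]
        elif m := DUPLICATE.search(msg):
            duplicates[m["name"]] = (m["id"], requester.get(m["name"]))
        elif m := REFUSED.search(msg):
            refused[m["target"]] += 1
        elif m := UNKNOWN_SRC.search(msg):
            unknown_sources.add(m["ip"])
    return {"duplicates": duplicates, "refused": dict(refused),
            "unknown_sources": sorted(unknown_sources)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```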
