Agent double registration


Franck Ehret

Jan 21, 2022, 1:50:45 AM
to Wazuh mailing list
Hi there,

In my infrastructure, I have 2 different sites, and it seems that tonight I had a network interruption, confirmed by a few alerts & logs around 3:40 AM.

Thing is, 3 different machines on a remote site (all Windows 2022 Core: 2 DCs and a test server) registered themselves again, creating a double entry and putting themselves in the default group.

Here is a sample where, I can assure you, the IPs are the same but the agent names switched from FQDN to short name:

[Attached image: Double agents.png]

I don't know if it relates to Windows 2022, but I also have 2 Linux servers (AlmaLinux 8.5) and 2 Windows machines (Win 2019 & Windows 10) on that site that did create that issue.

Do you know how such a thing can happen and how it can be avoided? Of course, I can give you some logs if you tell me which ones.

And if possible: is there any way to reconnect them to the previous agent number, avoiding losing all history and keeping things neat... 😉

Thanks in advance and best regards
Franck


Miguel Verdaguer Velazquez

Jan 26, 2022, 8:30:54 AM
to Wazuh mailing list
Hi Franck,
To avoid it in the future, set the enrollment configuration; check this for more information:
https://documentation.wazuh.com/current/user-manual/registering/agent-enrollment.html.
You'll need to modify /var/ossec/etc/ossec.conf in the agent and add the deployment variables you need.
To change the name and ID of an agent, you can use a little trick. Stop both the agent and manager services and modify the file /var/ossec/etc/client.keys on both. This file contains a line for each agent with the format:
ID AGENT-NAME IP KEY
Look for the agent you want to change and modify it in the same way on both agent and manager. Start both services and it should appear with the desired ID and name. Hope it helps.
Best regards,
Miguel

jeremias...@wazuh.com

Jan 26, 2022, 9:09:13 AM
to Wazuh mailing list
Hello Franck.
I want to add:
If you used an installation with deployment variables, like WAZUH_AGENT_NAME, the Wazuh agent will register using the provided custom name. The same happens if, after an installation, you run agent-auth with the -A option.
Both scenarios will register the agent with the custom name but won't configure enrollment for future registrations. Enrollment is the feature in charge of automatically registering an agent when it has empty or invalid keys. It seems that your agent was first registered using a custom name, and after that registered (probably because of enrollment) using the default hostname.
As Miguel said, configuring enrollment with the expected name will prevent the agent from re-registering with a different name, i.e.:

    <client>
      ...
      <enrollment>
        <agent_name>CUSTOM_NAME</agent_name>
      </enrollment>
    </client>

It will also avoid the agent re-registration, because if the agent fails to connect to the manager (maybe because of temporary network issues), it will assume a possibly invalid key and will request a new one. Having the custom name configured in the enrollment block, it will request it with this name and the manager will detect the duplicated name and reject this registration.
Sadly, the agent block of the configuration isn't modifiable with centralized configuration. So, my suggestion is to use a tool like Puppet or Ansible to make a mass modification of the ossec.conf file on the different agents.
The current behavior of the deployment variables is a lack of functionality that is being worked on in this PR. We expect to have this fixed ASAP.
Regarding the ID modification, as Miguel said, it is possible by manually editing the agent client.keys (all the agent DBs will be re-created and re-synced after this), but it isn't really necessary because the ID is just an identifier and you won't have problems keeping it. Let us know if this helps, and if you have further questions, please don't hesitate to ask.
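Added example (not code from the Wazuh project or from anyone in this thread): a small checker that parses a client.keys file using the ID AGENT-NAME IP KEY line format Miguel describes and flags the situation Franck and Jeremias discuss, the same host present twice under its FQDN and its short name, reporting the original name to pin in the enrollment block. The sample file content is constructed and the KEY values are placeholders.

```python
"""Spot duplicate agent registrations in a Wazuh client.keys file.

Added example, not Wazuh project code. The thread gives the line format
as: ID AGENT-NAME IP KEY. The sample content below is constructed."""
from collections import defaultdict

# Constructed sample: two hosts re-enrolled after an outage with their
# short hostname, keeping the same IP but getting a new ID (KEY values
# are placeholders, not real keys).
SAMPLE_CLIENT_KEYS = """\
001 dc01.corp.example 10.1.2.10 KEY_PLACEHOLDER_1
002 dc02.corp.example 10.1.2.11 KEY_PLACEHOLDER_2
003 alma01 10.1.2.20 KEY_PLACEHOLDER_3
004 dc01 10.1.2.10 KEY_PLACEHOLDER_4
005 dc02 10.1.2.11 KEY_PLACEHOLDER_5
"""


def parse_client_keys(text):
    """Return (id, name, ip, key) tuples; skip blank or malformed lines."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        agents.append(tuple(parts))
    return agents


def find_duplicates(agents):
    """Map each IP that holds the same host under two names (FQDN vs
    short name) to the IDs involved and the name from the oldest entry,
    which is the value to pin in <enrollment><agent_name>."""
    by_ip = defaultdict(list)
    for agent in agents:
        by_ip[agent[2]].append(agent)
    dupes = {}
    for ip, entries in by_ip.items():
        if len(entries) < 2:
            continue
        # dc01.corp.example and dc01 collapse to the same short name
        if len({e[1].split(".")[0].lower() for e in entries}) == 1:
            oldest = min(entries, key=lambda e: int(e[0]))
            dupes[ip] = {"ids": sorted(e[0] for e in entries),
                         "keep": oldest[1]}
    return dupes


if __name__ == "__main__":
    for ip, info in find_duplicates(parse_client_keys(SAMPLE_CLIENT_KEYS)).items():
        print(f"{ip}: ids {info['ids']} -> pin agent_name {info['keep']}")
```

Run it against a copy of the manager's /var/ossec/etc/client.keys to list which agents doubled up and which name each host originally enrolled with.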

Franck Ehret

Feb 1, 2022, 7:41:32 AM
to Wazuh mailing list
Hi Miguel,

I did answer you, but apparently the message was deleted straight away, probably because it was treated as spam (I put in 2 PowerShell commands I used).
Can you check on your side and try to restore it, please? It doesn't make sense to write it again with the same result! 😉

[Attached image: Deleted message.png]

Miguel Verdaguer

Feb 1, 2022, 11:50:23 AM
to wa...@googlegroups.com

Hi Franck,

I did get the message, but privately, not through the mailing list. Please always answer through the mailing list instead, thanks.

I don't understand your question on the enrollment configuration block. To use it you have to modify the file ossec.conf in the agent, located at /var/ossec/etc/ossec.conf. You have to add the block you can see here: https://documentation.wazuh.com/current/user-manual/registering/agent-enrollment.html as an example and modify it with your own values.

Hope it helps!

Miguel


Franck Ehret

Feb 1, 2022, 12:55:00 PM
to Miguel Verdaguer, wa...@googlegroups.com
Hi Miguel,

I wanted to know if there is a dynamic way to populate that block (esp. the variable agent_name), but I don't think it's possible without 3rd-party software, no? (Jeremias mentioned something.)
I'll also check about increasing the reconnection

If that's the case, I'll update those servers manually; there are only 4 of them to edit.

As usual, many thanks for your help; the next question will come soon! 😋

Miguel Verdaguer

Feb 2, 2022, 5:01:25 AM
to Franck Ehret, wa...@googlegroups.com

Hi Franck,

Without 3rd-party software, I'm afraid you cannot. Any other question, we're here for you.

Best regards,

Miguel

Juan Carlos

Feb 14, 2022, 7:39:44 AM
to Wazuh mailing list
Hi Franck,

I wanted to mention that although the current version (Wazuh v4.2.5) does not dynamically populate the block, this is a feature added in our next version (v4.3.0), which is currently in its final stages of QA.

The feature is added specifically in this PR: https://github.com/wazuh/wazuh/pull/10978

So soon enough it won't require manual editing (or using 3rd-party software).
I hope this helps.
Best regards,
Juan Carlos Tello

Franck Ehret

Feb 14, 2022, 9:48:41 AM
to Wazuh mailing list
Hi Juan Carlos,

Looks cool, can't wait! :-)
