Automatic update of agents for Windows platforms does not work.


Carlos Lopez

Apr 1, 2021, 4:25:56 AM
to wa...@googlegroups.com
Good morning,

I have enabled automatic agent update only for my Windows platforms. To accomplish this, I have configured in my Wazuh manager and all workers:

<agent-upgrade>
  <chunk_size>16384</chunk_size>
  <wpk_repository>packages.wazuh.com/wpk/</wpk_repository>
  <max_threads>1</max_threads>
</agent-upgrade>

In all my Windows agents config:

<agent-upgrade>
  <enabled>yes</enabled>
  <notification_wait_start>60s</notification_wait_start>
  <notification_wait_factor>4</notification_wait_factor>
  <notification_wait_max>2h</notification_wait_max>
  <ca_verification>
    <enabled>yes</enabled>
    <ca_store>C:\Program Files (x86)\ossec-agent\wpk_root.pem</ca_store>
  </ca_verification>
</agent-upgrade>

After 2 hours no agent is updated. All are still on version 4.1.2. My manager and workers are on the 4.1.4 release (I am using shared config to control all options for the agents).

For communication between agents and servers, only the port defined in the <remote> section is authorized. All other ports are blocked for agents.

Do I need to open some additional port between agents and servers? Or maybe my config is wrong?

Regards.

Juan Carlos

Apr 5, 2021, 10:35:48 AM
to Wazuh mailing list
Hi Carlos,

The Wazuh Remote Upgrading feature of agents ( https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/index.html ) allows the Wazuh system administrator to push updates to the agents connected to a given Wazuh manager without needing to log on to each agent.
This feature was significantly enhanced in Wazuh 4.0 to enable the request of multiple agents to be updated simultaneously.

Currently this does not automatically update outdated agents until it is requested by the user. We will take this use case into account for future developments.

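In order to update the agents you may use the Upgrade Agents API ( https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.put_upgrade_agents ) call or the /var/ossec/bin/agent_upgrade ( https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/upgrading-agent.html#using-the-command-line ) utility.

In order to upgrade up to 100 agents at a time you may, for example, use the attached Python script (upgrade_agents.py) that interacts with the API to request the outdated agents and then request their upgrade.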


Let me know if this helps.
Best Regards,
Juan Carlos Tello
upgrade_agents.py

Carlos Lopez

Apr 6, 2021, 2:54:41 AM
to Juan Carlos, Wazuh mailing list
Hi Juan Carlos,

The agent_upgrade command does not seem to work (I am trying to upgrade agents from version 4.1.2 to 4.1.4):

root@wazuh-master:~# agent_control -i 003

Wazuh agent_control. Agent information:
Agent ID: 003
Agent Name: CL32517C.local
IP address: any/any
Status: Active

Operating system: Microsoft Windows Server 2019 Standard
Client version: Wazuh v4.1.2
Configuration hash: 720c630634b378f7be22d49bfef0b36e
Shared file hash: 69272bb2931cda696f28c4cd867fb900
Last keep alive: 1617691835

Syscheck last started at: Unknown
Syscheck last ended at: Unknown
Rootcheck last started at: Unknown
root@wazuh-master:~# agent_upgrade -a 003

Upgrading...

Failed upgrades:
Agent 003 status: The version of the WPK does not exist in the repository


Carlos Lopez

Apr 6, 2021, 3:18:15 AM
to Juan Carlos, Wazuh mailing list
More info. Same error using API:

{
  "data": {
    "affected_items": [
      {
        "message": "Success",
        "agent": "003",
        "task_id": 3,
        "node": "wazuh-node01.my.domain.com",
        "module": "upgrade_module",
        "command": "upgrade",
        "status": "Error",
        "error_msg": "The version of the WPK does not exist in the repository",
        "create_time": "2021/04/06 07:12:06",
        "update_time": "2021/04/06 07:12:06"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 1,
    "failed_items": [
      {
        "error": {
          "code": 1813,
          "message": "No task in DB",
          "remediation": null
        },
        "id": [
          "002"
        ]
      }
    ]
  },
  "message": "Some agents have not been updated",
  "error": 2
}
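
Added example (not part of the original post, and not the attached upgrade_agents.py): a Python triage of a response shaped like the one quoted above, showing why automation should read each item's "status" and "error_msg" rather than its "message" field. The function names and the "failed"/"not_failed" verdict labels are assumptions made for this example.

```python
import json

# Constructed sample: the response quoted above, trimmed to the fields used here.
SAMPLE_RESPONSE = """
{"data": {
   "affected_items": [
     {"message": "Success", "agent": "003", "task_id": 3,
      "module": "upgrade_module", "command": "upgrade", "status": "Error",
      "error_msg": "The version of the WPK does not exist in the repository"}],
   "total_affected_items": 1,
   "total_failed_items": 1,
   "failed_items": [
     {"error": {"code": 1813, "message": "No task in DB", "remediation": null},
      "id": ["002"]}]},
 "message": "Some agents have not been updated",
 "error": 2}
"""


def triage_upgrade_result(raw):
    """Map each agent ID in the response to a (verdict, detail) tuple."""
    data = json.loads(raw).get("data") or {}
    verdicts = {}
    for item in data.get("affected_items", []):
        status = str(item.get("status", ""))
        # The quoted response pairs "message": "Success" with "status": "Error",
        # so the outcome is read from "status" and "error_msg" only.
        if status.lower() == "error" or item.get("error_msg"):
            verdicts[item["agent"]] = ("failed", item.get("error_msg") or status)
        else:
            # Any other status string is passed through for a human to judge.
            verdicts[item["agent"]] = ("not_failed", status)
    for entry in data.get("failed_items", []):
        err = entry.get("error", {})
        detail = "{}: {}".format(err.get("code"), err.get("message"))
        for agent_id in entry.get("id", []):
            verdicts[agent_id] = ("failed", detail)
    return verdicts


def failed_agents(raw):
    """Sorted IDs of agents that must not be counted as upgraded."""
    return sorted(a for a, (v, _) in triage_upgrade_result(raw).items() if v == "failed")


if __name__ == "__main__":
    for agent, (verdict, detail) in sorted(triage_upgrade_result(SAMPLE_RESPONSE).items()):
        print(agent, verdict, detail)
```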


Juan Carlos

Apr 6, 2021, 11:12:16 AM
to Wazuh mailing list
Hello Carlos,
This is because the path specified in the manager's configuration is using an outdated URL. If you wish to use the default settings you do not need to add the configuration to the manager; however, the correct configuration example should be:

<agent-upgrade>
  <chunk_size>16384</chunk_size>
  <wpk_repository>packages.wazuh.com/4.x/wpk/</wpk_repository>
  <max_threads>1</max_threads>
</agent-upgrade>

I noticed that the sample configuration of the agent-upgrade section had the outdated URL you used, so I have made a PR to the documentation to address this issue.
Thanks for bringing that to our attention.

I also noticed a typo in the script I provided before, so I am attaching it again.
Best Regards,
Juan Carlos Tello
upgrade_agents.py
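
Added example (not part of the thread, and not Wazuh's own tooling): a Python check that reads a manager configuration and reports whether each <agent-upgrade> block uses the outdated repository path, the corrected one from the reply above, the default, or something else. The function name and finding labels are assumptions for this example, and the sample configurations are constructed from the values in the thread.

```python
import xml.etree.ElementTree as ET

LEGACY_REPO = "packages.wazuh.com/wpk/"       # value the thread identifies as outdated
CURRENT_REPO = "packages.wazuh.com/4.x/wpk/"  # value given in the corrected example


def _normalise(url):
    """Lower-case, drop any scheme, and force exactly one trailing slash."""
    url = url.strip().lower()
    for scheme in ("https://", "http://"):
        if url.startswith(scheme):
            url = url[len(scheme):]
    return url.rstrip("/") + "/"


def check_wpk_repository(conf_text):
    """Return (finding, detail) tuples, one per <agent-upgrade> block."""
    try:
        # Synthetic root: lets a fragment, or a file with several top-level
        # elements, parse as a single document.
        root = ET.fromstring("<root>" + conf_text + "</root>")
    except ET.ParseError as exc:
        return [("malformed_xml", str(exc))]
    findings = []
    for block in root.iter("agent-upgrade"):
        repo = block.findtext("wpk_repository")
        if repo is None or not repo.strip():
            findings.append(("default_repo", ""))  # no override; defaults apply
        elif _normalise(repo) == LEGACY_REPO:
            findings.append(("legacy_repo", repo.strip()))
        elif _normalise(repo) == CURRENT_REPO:
            findings.append(("ok", repo.strip()))
        else:
            # Not a value from the thread: confirm it is a repository you control.
            findings.append(("custom_repo", repo.strip()))
    return findings


# Constructed samples modelled on the two manager configurations in the thread.
BEFORE = "<agent-upgrade><wpk_repository>packages.wazuh.com/wpk/</wpk_repository></agent-upgrade>"
AFTER = "<agent-upgrade><wpk_repository>packages.wazuh.com/4.x/wpk/</wpk_repository></agent-upgrade>"
BROKEN = "<agent-upgrade><max_threads>1/max_threads></agent-upgrade>"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("broken", BROKEN)):
        print(name, check_wpk_repository(text))
```

Run it against the manager and every worker, since each node carries its own copy of the <agent-upgrade> settings in the setup described in this thread.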