Wazuh agent limits?

Brian Minor

Feb 24, 2020, 1:06:58 PM
to Wazuh mailing list
I am running into a new issue on Wazuh agent v3.11-3.1.  

1.  When I install an agent using the generated script on Windows, the agents seem to be incrementing the ID# and I see the agent install.
 (eg:  Invoke-WebRequest -Uri https://packages.wazuh.com/3.x/windows/wazuh-agent-3.11.3-1.msi -OutFile wazuh-agent.msi; wazuh-agent.msi /q ADDRESS='10.7.100.20' AUTHD_SERVER='10.7.100.20' )
  
2.  I see the DOS window flash up on the Windows machine and I see the agent added successfully in Kibana/Wazuh App.  

3.  When I go to run the same script on another workstation, the ID# increments but the Agent from the previous install disappears.

The "Active Agents" count is still 6.  I have no disconnected agents and no agents that have failed to connect.  But I should have 8 agents and not 6.  The agents previously connected fine but disappear out of the system as soon as I run the powershell script again on another workstation.  This is on Windows 10 Pro.

This seemed to work fine for me up to 6 agents.

Is there some solution to this or has anyone seen this issue?  I ran the previous version (this is a clean install on CentOS) but this bug seems new with v3.11.  I previously had over 50 agents connected in my environment.

Daria Kempny

Feb 24, 2020, 3:28:13 PM
to Wazuh mailing list
Hello Brian Minor,

If your agent successfully registers but disappears after another agent is registered, you can try to register the agents with IP address any.

By default, the manager attaches an agent to the visible IP of the agent. If the manager or the agents are, for example, behind a NAT, the agent should be registered with IP Address any. That way any works as 0.0.0.0/0.

To set up this behavior for all subsequent registrations, in the manager's configuration file /var/ossec/etc/ossec.conf, set <use_source_ip> to no:

<ossec_config>
  ...
  <auth>
    ...
    <use_source_ip>no</use_source_ip>
    ...
  </auth>
  ...
</ossec_config>


Restart the manager for the changes to take effect:
# systemctl restart wazuh-manager

If the registered machines have the same hostname, the agent name has to be specified manually.

You can read more about Deployment variables for Windows on: https://documentation.wazuh.com/3.11/installation-guide/installing-wazuh-agent/deployment_variables/deployment_variables_windows.html#deployment-variables-for-windows

We hope that this information helps. If you have any further questions regarding this issue please ask and we will help.


Best regards,
Daria Kempny

Brian Minor

Feb 24, 2020, 4:32:57 PM
to Daria Kempny, Wazuh mailing list
Thank you for the reply.  The agents are not under NAT but they are on different network segments from the Wazuh server.  I will change the ossec-conf to "any" and see if that helps.

