Message from '192.168.0.1' not allowed. Cannot find the ID of the agent
89 views
Skip to first unread message
David Martinez
Dec 2, 2024, 4:23:36 AM12/2/24
to Wazuh | Mailing List
In my ossec.log file there is a message that repeats in a loop:
Message from '192.168.0.1' not allowed. Cannot find the ID of the agent
I have used the command "/var/ossec/bin/agent_control -l | grep Disconnected", but there is no asset that has the specified ip.
Any ideas?
hasitha.u...@wazuh.com
Dec 2, 2024, 5:15:43 AM12/2/24
to Wazuh | Mailing List
Hi
David,
This log message appears because Wazuh Manager, remoted daemon, receives a package coming from an IP address that is not allowed. As this IP isn't recognized, the ID of the agent can't be obtained to decrypt the message, this is what the message refers to.
Usually, this happens when an agent is registered with a defined IP and for some reason, it changes it (this has happened a lot during the new home office modality on some companies).
Otherwise this can happen you removed those agent and they are trying to reconnect with manager, which cannot recognized them.
Note that If the use_source_ip option of the manager wasn't no when the agents were registered, the managers will not allow them to connect, showing a message like this in the ossec.log file:
Message from '192.168.0.1' not allowed. Cannot find the ID of the agent
And this IP that is in the log, is it part of the <allowed-ips> list ? if you are configured the syslog on wazuh manager.
nano /var/ossec/etc/ossec.conf
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.8.0/24</allowed-ips>
<local_ip>192.168.8.25</local_ip>
</remote>
In this case, it would be best to re-register the agents after changing this option in the ossec.conf of the master node so it looks like this: <use_source_ip>no</use_source_ip>.
systemctl restart wazuh-manager
As I can your agents IP taking as any according to your disconnected agents.
Therefore first try restart those agents manually and check again.
Linux: systemctl restart wazuh-agent
Windows (PowerShell): Restart-Service -Name wazuh
macOS: /Library/Ossec/bin/wazuh-control restart
This will be reconnected if there is no connectivity issue or configuration issue.
Regards,
Hasitha Upekshitha
This log message appears because Wazuh Manager, remoted daemon, receives a package coming from an IP address that is not allowed. As this IP isn't recognized, the ID of the agent can't be obtained to decrypt the message, this is what the message refers to.
Usually, this happens when an agent is registered with a defined IP and for some reason, it changes it (this has happened a lot during the new home office modality on some companies).
Otherwise this can happen you removed those agent and they are trying to reconnect with manager, which cannot recognized them.
Note that If the use_source_ip option of the manager wasn't no when the agents were registered, the managers will not allow them to connect, showing a message like this in the ossec.log file:
Message from '192.168.0.1' not allowed. Cannot find the ID of the agent
nano /var/ossec/etc/ossec.conf
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.8.0/24</allowed-ips>
<local_ip>192.168.8.25</local_ip>
</remote>
In this case, it would be best to re-register the agents after changing this option in the ossec.conf of the master node so it looks like this: <use_source_ip>no</use_source_ip>.
systemctl restart wazuh-manager
As I can your agents IP taking as any according to your disconnected agents.
Therefore first try restart those agents manually and check again.
Linux: systemctl restart wazuh-agent
Windows (PowerShell): Restart-Service -Name wazuh
macOS: /Library/Ossec/bin/wazuh-control restart
This will be reconnected if there is no connectivity issue or configuration issue.
Regards,
Hasitha Upekshitha
David Martinez
Dec 2, 2024, 12:01:32 PM12/2/24
to Wazuh | Mailing List
I have the use_source_ip option set to no and allowed-ips is configured for the 10.xx.xx.xx network, since I do not use the 192.168 network range.
hasitha.u...@wazuh.com
Dec 2, 2024, 10:59:37 PM12/2/24
to Wazuh | Mailing List
Hi
David,
Let me know if the issue is still ongoing or issue gonna be resolved.
Regards,
Hasitha Upekshitha
Let me know if the issue is still ongoing or issue gonna be resolved.
Regards,
Hasitha Upekshitha
David Martinez
Dec 3, 2024, 2:58:55 AM12/3/24
to Wazuh | Mailing List
Hello,
Yes, that message keeps appearing in the log
hasitha.u...@wazuh.com
Dec 10, 2024, 2:49:21 AM12/10/24
to Wazuh | Mailing List
Hi
David,
It would be great if you could share the both agent and manager side logs to check further.
Windows agent: C:\Program Files (x86)\ossec-agent\ossec.log
Linux agent: cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
It would be great if you could share the both agent and manager side logs to check further.
Windows agent: C:\Program Files (x86)\ossec-agent\ossec.log
Linux agent: cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
Manager:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
Let me know the update on these to check further.
Regards,
Hasitha Upekshitha
Let me know the update on these to check further.
Regards,
Hasitha Upekshitha
David Martinez
Dec 10, 2024, 4:21:18 AM12/10/24
to Wazuh | Mailing List
The problem is that there is no agent with that IP trying to connect. In fact, we don't use that network range, we use 10.XX, so I can't show you the log of the agent in question.
hasitha.u...@wazuh.com
Dec 11, 2024, 2:42:25 AM12/11/24
to Wazuh | Mailing List
Hi
David,
Please share the full ossec.log file from the Wazuh manager.
Please share the full ossec.log file from the Wazuh manager.
/var/ossec/logs/ossec.log
Then I will check further.
Regards,
Hasitha Upekshitha
Then I will check further.
Regards,
Hasitha Upekshitha
Reply all
Reply to author
Forward
0 new messages