Wazuh Weird-Ness


Buddha Man

Sep 11, 2019, 2:47:02 PM
to Wazuh mailing list
I am seeing an issue where, when I add an agent using agent-auth on the command line, it functions for a short period of time and then the agent ID gets purged from client.keys.

In the ossec.log on the server there are a number of:
ossec-remoted: WARNING: (1408): Invalid ID 1087 for the source ip: '<IP redacted>(name 'unknown')

entries. I'm thinking these are the end-points which initially could connect but then had their agent IDs purged.

Any idea where to search for the cause of this weird behavior?

Thanks!
Buddha

Buddha Man

Sep 11, 2019, 5:26:15 PM
to Wazuh mailing list
I'm noting when I try to add another agent using agent-auth, the previous one gets deleted. Is this a config file setting somewhere?

Jose Luis Ruiz

Sep 11, 2019, 5:56:12 PM
to Buddha Man, Wazuh mailing list
Hi Buddha,

That happens if the IP or the agent name is the same; you have a parameter in the auth block in the manager to specify that option.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cd3f3ea7-9d03-43ef-96c2-a3281ec64544%40googlegroups.com.

Buddha Man

Sep 12, 2019, 10:51:04 AM
to Wazuh mailing list
Thanks Jose.

I turned off force_insert and ran the command I've been using on end-points:
agent-auth -m <server_ip> -I any

This command returns that there's a duplicate IP and it's unable to add the agent. I assume this is what was going on in the background before. I'm thinking the agent is getting added, the server detects a duplicate IP and removes the just-added agent.

It's really weird that it just started exhibiting this behavior about 2 days ago. Is there a way to purge all the duplicate IPs with a single command? I'm also wondering why the force_insert doesn't seem to be working (instead of removing the old agent/duplicate IP, which doesn't even seem to have a key in client.keys, it's removing the just-added agent; this seems to occur within about 5 minutes of agent_auth).

So I still am having issues using agent_auth. Any ideas are appreciated.

Thanks!


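The two practical questions in the message above are "which entries in client.keys clash on IP or name" and "which agent IDs in the 1408 warnings are no longer in client.keys". The following script is an added example written for this thread, not Wazuh's own tooling: it parses a constructed sample of client.keys (format `ID NAME IP KEY`, with removed agents kept under a `!`-prefixed name), reports duplicate IPs and names, and correlates `(1408): Invalid ID` warnings from a constructed ossec.log sample against the active entries. The sample keys are shortened placeholders, and the `ids_to_review` heuristic (keep the highest-numbered ID of each clash) is an assumption for illustration, to be checked with manage_agents before anything is removed.

```python
"""Audit a Wazuh client.keys file for duplicate IPs/names and correlate
ossec.log 1408 warnings with agent IDs that are no longer registered.

Added example for this thread (not Wazuh code). All sample data below is
constructed; point the functions at the real files to use it for real.
"""
import re
from collections import defaultdict

# Constructed sample of /var/ossec/etc/client.keys: "ID NAME IP KEY" per line.
# Wazuh keeps removed agents in the file with a '!' prefixed to the name.
# Keys are shortened placeholders (real keys are long hex strings).
SAMPLE_CLIENT_KEYS = """\
001 web01 10.0.0.11 0123456789abcdef0123456789abcdef
002 web02 any 0123456789abcdef0123456789abcdee
003 !db01 10.0.0.20 0123456789abcdef0123456789abcded
004 web01 any 0123456789abcdef0123456789abcdec
005 db01 10.0.0.20 0123456789abcdef0123456789abcdeb
006 web03 10.0.0.11 0123456789abcdef0123456789abcdea
"""

# Constructed sample of manager ossec.log lines, using the message text
# quoted in the thread for the 1408 warning.
SAMPLE_OSSEC_LOG = """\
2019/09/11 14:30:01 ossec-remoted: WARNING: (1408): Invalid ID 1087 for the source ip: '10.0.0.33' (name 'unknown').
2019/09/11 14:30:05 ossec-remoted: INFO: Started (pid: 1234).
2019/09/11 14:31:12 ossec-remoted: WARNING: (1408): Invalid ID 1087 for the source ip: '10.0.0.33' (name 'unknown').
2019/09/11 14:31:40 ossec-remoted: WARNING: (1408): Invalid ID 002 for the source ip: '10.0.0.12' (name 'unknown').
"""

WARN_1408 = re.compile(r"\(1408\): Invalid ID (\d+) for the source ip: '([^']+)'")


def parse_client_keys(text):
    """Return the active entries of client.keys as dicts; '!' (removed) entries
    and malformed lines are skipped."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        agent_id, name, ip, key = parts
        if name.startswith("!"):
            continue
        agents.append({"id": agent_id, "name": name, "ip": ip, "key": key})
    return agents


def find_duplicates(agents):
    """Return (duplicate_ips, duplicate_names): mappings from the clashing IP or
    name to the list of agent IDs sharing it. 'any' is a registration mode, not
    an address, so it is never reported as an IP clash."""
    by_ip = defaultdict(list)
    by_name = defaultdict(list)
    for a in agents:
        if a["ip"] != "any":
            by_ip[a["ip"]].append(a["id"])
        by_name[a["name"]].append(a["id"])
    dup_ips = {ip: ids for ip, ids in by_ip.items() if len(ids) > 1}
    dup_names = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    return dup_ips, dup_names


def ids_to_review(dup_ips, dup_names):
    """Heuristic (an assumption, not Wazuh policy): for every clash, the newest
    registration is the highest-numbered ID, so the lower IDs are the ones to
    look at in manage_agents. Returns the set of those older IDs."""
    review = set()
    for ids in list(dup_ips.values()) + list(dup_names.values()):
        newest = max(ids, key=int)
        review.update(i for i in ids if i != newest)
    return review


def invalid_id_sources(log_text, agents):
    """For each agent ID named in a 1408 warning, collect the source IPs that
    presented it and whether the ID is still an active entry in client.keys.
    An absent ID is consistent with the purge described in the thread; a
    present ID means the manager rejected the agent for another reason."""
    known = {a["id"] for a in agents}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = WARN_1408.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {aid: {"sources": sorted(ips), "in_client_keys": aid in known}
            for aid, ips in seen.items()}


if __name__ == "__main__":
    # Usage: replace the samples with open("/var/ossec/etc/client.keys").read()
    # and open("/var/ossec/logs/ossec.log").read() on the manager.
    active = parse_client_keys(SAMPLE_CLIENT_KEYS)
    dup_ips, dup_names = find_duplicates(active)
    print("duplicate IPs:  ", dup_ips)
    print("duplicate names:", dup_names)
    print("older IDs to review:", sorted(ids_to_review(dup_ips, dup_names)))
    for aid, info in invalid_id_sources(SAMPLE_OSSEC_LOG, active).items():
        state = "present" if info["in_client_keys"] else "NOT in client.keys"
        print(f"1408 warning for ID {aid}: {state}; sources {info['sources']}")
```

On the constructed sample this reports 10.0.0.11 shared by IDs 001 and 006, the name web01 shared by 001 and 004, ID 1087 as absent from client.keys (the purge scenario from the thread), and ID 002 as present but still rejected. Removed `!` entries such as 003 are deliberately ignored so that a re-registered host with the same IP is not reported as a clash against its own old record.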

Buddha Man

Sep 12, 2019, 11:45:29 AM
to Wazuh mailing list
A further update on adding a new agent using agent-auth removing the last added agent: when I manually add an agent using manage_agents it seems to stay in the client.keys file. So this appears to be an agent_auth related bug?

Juan Pablo Saez

Sep 27, 2019, 6:14:39 AM
to Wazuh mailing list
Hi Buddha,

We have just discovered a bug causing successive registrations with the "-I any" option to overwrite each other.

As a workaround, to have your machines correctly registered, you should follow these steps:

  • Be sure that <use_source_ip>no</use_source_ip> is set to no
  • Use agent-auth without any option: /var/ossec/bin/agent-auth -m <manager IP>. If you are registering machines that have exactly the same hostname you have to manually specify an agent name using the -A option: /var/ossec/bin/agent-auth -m <manager IP> -A <hostname>
  • This should be enough to register your agents.

About the bug: as soon as our workflow allows us to do so, we're going to fix it. You can track the progress in this issue.


Please, let me know if it works. Best regards,

JP Sáez