Reusing Agent IDs after removing
Carlos Lopez
Due to some reorgranisatioon in our Wazuh infrastructure, I have removed some initial agents and setup another time with different agent ID …. But when I try to reuse the previously used agent ID, manager returns me an error that this action is not possible, which is not true because they are free.
Initial agents was in “Never connected” state, therefore I don’t expect problems with FIM for example.
Is it not possible to reuse free Agent ID’s?
Best regards,
C. L. Martinez
Sandra Ocando
To reuse an agent's ID you may use the add agent full endpoint where you may force to reuse the ID of a disconnected agent. For example:
POST /agents/insert
{
"name": "Curiosity",
"ip": "192.168.42.14",
"id": "003",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}
openssl rand -hex 32For reference, here's the documentation for this API endpoint: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.insert_agent
The resulting authentication key must be imported to the agent using manage_agents -i, notice that this key is different from the one introduced in the agents/insert endpoint as this one includes all the additional information about the agent (name, IP, ID). Make sure that the agent is stopped when introducing the key and don't forget to start it afterwards, for more information: https://documentation.wazuh.com/current/user-manual/reference/tools/manage_agents.html
/var/ossec/bin/manage_agents -i MDAzIEN1cmlvc2l0eSAxOTIuMTY4LjQyLjE0IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ=
Best regards,
Sandra.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/C5EC8239-EA39-42C1-A3FB-2788FBE59CD1%40outlook.com.
Carlos Lopez
****************************************
* Wazuh v4.1.1 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: srvff78.mydom.com
* The IP Address of the new agent: any
* An ID for the new agent[003]: 014
** ID '014' already present. They must be unique.
ID 014 was used previosuly for antother server ...
________________________________________
From: Sandra Ocando <sandra...@wazuh.com>
Sent: 07 March 2021 21:13
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: Reusing Agent IDs after removing
Hi Carlos,
To reuse an agent's ID you may use the add agent full endpoint where you may force to reuse the ID of a disconnected agent. For example:
POST /agents/insert
{
"name": "Curiosity",
"ip": "192.168.42.14",
"id": "003",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}
To generate the key you may use, for example, the following command: openssl rand -hex 32
For reference, here's the documentation for this API endpoint: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.insert_agent
The resulting authentication key must be imported to the agent using manage_agents -i, notice that this key is different from the one introduced in the agents/insert endpoint as this one includes all the additional information about the agent (name, IP, ID). Make sure that the agent is stopped when introducing the key and don't forget to start it afterwards, for more information: https://documentation.wazuh.com/current/user-manual/reference/tools/manage_agents.html
/var/ossec/bin/manage_agents -i MDAzIEN1cmlvc2l0eSAxOTIuMTY4LjQyLjE0IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ=
Best regards,
Sandra.
On Sat, Mar 6, 2021 at 6:36 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Hi all,
Due to some reorgranisatioon in our Wazuh infrastructure, I have removed some initial agents and setup another time with different agent ID …. But when I try to reuse the previously used agent ID, manager returns me an error that this action is not possible, which is not true because they are free.
Initial agents was in “Never connected” state, therefore I don’t expect problems with FIM for example.
Is it not possible to reuse free Agent ID’s?
Best regards,
C. L. Martinez
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com>.
Sandra Ocando
I see that you are using manage_agents, this utility does not allow you to reuse an agent ID. To do so, you can use the API endpoint I sent you in my previous email, this endpoint allows you to use the option
force_time that gives you the option to reuse an agent ID if said agent has been offline for a given number of seconds (1s in the example I sent you).The previous message includes instructions on how to do it using Wazuh Kibana plugin Dev Tools (from the web interface). In this message I'll include instructions on how to do from the manager:
1. [manager] Get your API authentication token:
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
2. [manager] Use
/agents/insert to obtain the key for the new agent with the selected ID (the one you want to reuse):curl -k -X POST "https://localhost:55000/agents/insert" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
"name": "srvff78.mydom.com",
"ip": "any",
"id": "014",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}'
openssl rand -hex 32Output:
{"data": {"id": "014", "key": "MDE0IHNydmZmNzgubXlkb20uY29tIGFueSAxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaTY0"}, "error": 0}3.- [agent] Add the new key (the one given in the output) to the Wazuh agent:
systemctl stop wazuh-agent
/var/ossec/bin/manage_agents -i MDE0IHNydmZmNzgubXlkb20uY29tIGFueSAxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaTY0
systemctl start wazuh-agent
Best regards,
Sandra.
Carlos Lopez
Same error:
{"title": "Bad Request", "detail": "There is an agent with the same ID: 014", "remediation": "Please choose another ID", "dapi_errors": {"wazuh-master.mydom.com": {"error": "There is an agent with the same ID: 014"}}, "error": 1708}
________________________________________
From: Sandra Ocando <sandra...@wazuh.com>
Sent: 08 March 2021 11:26
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: Reusing Agent IDs after removing
Hello Carlos,
I see that you are using manage_agents, this utility does not allow you to reuse an agent ID. To do so, you can use the API endpoint I sent you in my previous email, this endpoint allows you to use the option force_time that gives you the option to reuse an agent ID if said agent has been offline for a given number of seconds (1s in the example I sent you).
The previous message includes instructions on how to do it using Wazuh Kibana plugin Dev Tools (from the web interface). In this message I'll include instructions on how to do from the manager:
1. [manager] Get your API authentication token:
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
2. [manager] Use /agents/insert to obtain the key for the new agent with the selected ID (the one you want to reuse):
curl -k -X POST "https://localhost:55000/agents/insert" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
"name": "srvff78.mydom.com<http://srvff78.mydom.com>",
"ip": "any",
"id": "014",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}'
To generate the input key you may use, for example, the following command: openssl rand -hex 32
Output:
{"data": {"id": "014", "key": "MDE0IHNydmZmNzgubXlkb20uY29tIGFueSAxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaTY0"}, "error": 0}
3.- [agent] Add the new key (the one given in the output) to the Wazuh agent:
systemctl stop wazuh-agent
/var/ossec/bin/manage_agents -i MDE0IHNydmZmNzgubXlkb20uY29tIGFueSAxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaTY0
systemctl start wazuh-agent
Hope you find this information useful, do not hesitate to ask if you have more doubts.
Best regards,
Sandra.
On Mon, Mar 8, 2021 at 8:35 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Thanks Sandra, but I am referring when I try to setup another agent with the same ID. For example:
****************************************
* Wazuh v4.1.1 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: srvff78.mydom.com<http://srvff78.mydom.com>
* The IP Address of the new agent: any
* An ID for the new agent[003]: 014
** ID '014' already present. They must be unique.
ID 014 was used previosuly for antother server ...
________________________________________
From: Sandra Ocando <sandra...@wazuh.com<mailto:sandra...@wazuh.com>>
Sent: 07 March 2021 21:13
To: Carlos Lopez
Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com>
Subject: Re: Reusing Agent IDs after removing
Hi Carlos,
To reuse an agent's ID you may use the add agent full endpoint where you may force to reuse the ID of a disconnected agent. For example:
POST /agents/insert
{
"name": "Curiosity",
"ip": "192.168.42.14",
"id": "003",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}
To generate the key you may use, for example, the following command: openssl rand -hex 32
For reference, here's the documentation for this API endpoint: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.insert_agent
The resulting authentication key must be imported to the agent using manage_agents -i, notice that this key is different from the one introduced in the agents/insert endpoint as this one includes all the additional information about the agent (name, IP, ID). Make sure that the agent is stopped when introducing the key and don't forget to start it afterwards, for more information: https://documentation.wazuh.com/current/user-manual/reference/tools/manage_agents.html
/var/ossec/bin/manage_agents -i MDAzIEN1cmlvc2l0eSAxOTIuMTY4LjQyLjE0IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ=
Best regards,
Sandra.
On Sat, Mar 6, 2021 at 6:36 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
Hi all,
Due to some reorgranisatioon in our Wazuh infrastructure, I have removed some initial agents and setup another time with different agent ID …. But when I try to reuse the previously used agent ID, manager returns me an error that this action is not possible, which is not true because they are free.
Initial agents was in “Never connected” state, therefore I don’t expect problems with FIM for example.
Is it not possible to reuse free Agent ID’s?
Best regards,
C. L. Martinez
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>>.
Sandra Ocando
Carlos Lopez
root@wazuh-master:~# curl -k -X POST "https://localhost:55000/agents/insert" -H "Authorization: Bearer $TOKEN" -H 'Content-Type:application/json' -d'
{
"name": "srvff78.mydom.com",
"ip": "any",
"id": "014",
"key": "b9871d2746580b783de4f4862ffb81e8d3bd46fe51f7a6585b448304538576fa",
"force_time":1
}'
{"title": "Bad Request", "detail": "There is an agent with the same ID: 014", "remediation": "Please choose another ID", "dapi_errors": {"wazuh-master.mydom.com": {"error": "There is an agent with the same ID: 014"}}, "error": 1708}
________________________________________
From: Sandra Ocando <sandra...@wazuh.com>
Sent: 08 March 2021 12:02
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: Reusing Agent IDs after removing
Hi Carlos,
Could you please share your API call? Does it include all the fields in the example (name, id, ip, key and force_time)?
On Mon, Mar 8, 2021 at 11:53 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com>> wrote:
Hi Sandra,
Same error:
{"title": "Bad Request", "detail": "There is an agent with the same ID: 014", "remediation": "Please choose another ID", "dapi_errors": {"wazuh-master.mydom.com<http://wazuh-master.mydom.com>": {"error": "There is an agent with the same ID: 014"}}, "error": 1708}
________________________________________
From: Sandra Ocando <sandra...@wazuh.com<mailto:sandra...@wazuh.com>>
Sent: 08 March 2021 11:26
To: Carlos Lopez
Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com>
Subject: Re: Reusing Agent IDs after removing
Hello Carlos,
I see that you are using manage_agents, this utility does not allow you to reuse an agent ID. To do so, you can use the API endpoint I sent you in my previous email, this endpoint allows you to use the option force_time that gives you the option to reuse an agent ID if said agent has been offline for a given number of seconds (1s in the example I sent you).
The previous message includes instructions on how to do it using Wazuh Kibana plugin Dev Tools (from the web interface). In this message I'll include instructions on how to do from the manager:
1. [manager] Get your API authentication token:
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
2. [manager] Use /agents/insert to obtain the key for the new agent with the selected ID (the one you want to reuse):
curl -k -X POST "https://localhost:55000/agents/insert" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -d'
{
"name": "srvff78.mydom.com<http://srvff78.mydom.com><http://srvff78.mydom.com>",
"ip": "any",
"id": "014",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}'
To generate the input key you may use, for example, the following command: openssl rand -hex 32
Output:
{"data": {"id": "014", "key": "MDE0IHNydmZmNzgubXlkb20uY29tIGFueSAxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaTY0"}, "error": 0}
3.- [agent] Add the new key (the one given in the output) to the Wazuh agent:
systemctl stop wazuh-agent
/var/ossec/bin/manage_agents -i MDE0IHNydmZmNzgubXlkb20uY29tIGFueSAxYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaTY0
systemctl start wazuh-agent
Hope you find this information useful, do not hesitate to ask if you have more doubts.
Best regards,
Sandra.
On Mon, Mar 8, 2021 at 8:35 AM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>> wrote:
Thanks Sandra, but I am referring when I try to setup another agent with the same ID. For example:
****************************************
* Wazuh v4.1.1 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: srvff78.mydom.com<http://srvff78.mydom.com><http://srvff78.mydom.com>
* The IP Address of the new agent: any
* An ID for the new agent[003]: 014
** ID '014' already present. They must be unique.
ID 014 was used previosuly for antother server ...
________________________________________
From: Sandra Ocando <sandra...@wazuh.com<mailto:sandra...@wazuh.com><mailto:sandra...@wazuh.com<mailto:sandra...@wazuh.com>>>
Sent: 07 March 2021 21:13
To: Carlos Lopez
Cc: wa...@googlegroups.com<mailto:wa...@googlegroups.com><mailto:wa...@googlegroups.com<mailto:wa...@googlegroups.com>>
Subject: Re: Reusing Agent IDs after removing
Hi Carlos,
To reuse an agent's ID you may use the add agent full endpoint where you may force to reuse the ID of a disconnected agent. For example:
POST /agents/insert
{
"name": "Curiosity",
"ip": "192.168.42.14",
"id": "003",
"key": "1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64",
"force_time":1
}
To generate the key you may use, for example, the following command: openssl rand -hex 32
For reference, here's the documentation for this API endpoint: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.insert_agent
The resulting authentication key must be imported to the agent using manage_agents -i, notice that this key is different from the one introduced in the agents/insert endpoint as this one includes all the additional information about the agent (name, IP, ID). Make sure that the agent is stopped when introducing the key and don't forget to start it afterwards, for more information: https://documentation.wazuh.com/current/user-manual/reference/tools/manage_agents.html
/var/ossec/bin/manage_agents -i MDAzIEN1cmlvc2l0eSAxOTIuMTY4LjQyLjE0IDFhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5emFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6YWJjZGVmZ2hpNjQ=
Best regards,
Sandra.
On Sat, Mar 6, 2021 at 6:36 PM Carlos Lopez <clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>><mailto:clo...@outlook.com<mailto:clo...@outlook.com><mailto:clo...@outlook.com<mailto:clo...@outlook.com>>>> wrote:
Hi all,
Due to some reorgranisatioon in our Wazuh infrastructure, I have removed some initial agents and setup another time with different agent ID …. But when I try to reuse the previously used agent ID, manager returns me an error that this action is not possible, which is not true because they are free.
Initial agents was in “Never connected” state, therefore I don’t expect problems with FIM for example.
Is it not possible to reuse free Agent ID’s?
Best regards,
C. L. Martinez
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com<mailto:wazuh%2Bunsu...@googlegroups.com><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com>><mailto:wazuh%2Bunsu...@googlegroups.com<mailto:wazuh%252Buns...@googlegroups.com><mailto:wazuh%252Buns...@googlegroups.com<mailto:wazuh%25252Bun...@googlegroups.com>>>.
Sandra Ocando
I was able to reproduce your issue by disabling
ossec-auth in the configuration and I reported this unexpected behavior to our development team (https://github.com/wazuh/wazuh/issues/7800). To solve this, you can momentarily enable ossec-auth and use the agents/insert API endpoint to reuse your old agents' IDs.Edit
/var/ossec/etc/ossec.conf and enable ossec-auth:<!-- Configuration for ossec-authd -->
<auth>
<disabled>no</disabled>
systemctl restart wazuh-manager so the change can take effect. Now you may use the API endpoint agents/insert to reuse the old agents' IDs.Please let me know if this solves your issue.
Best regards,
Sandra.