Agent-authd Duplicated IP

[josip....@gmail.com]

Hi,

I'm trying to register an agent using agent-authd  (Wazuh v3.6.1). It worked few weeks ago.

[ro...@agent.domain ~]# /var/ossec/bin/agent-auth -i -m <manager ip> -P <password>

2018/11/14 14:33:05 agent-auth: INFO: Started (pid: 19466).

INFO: Connected to <manager ip>:1515

INFO: Using agent name as: agent.domain

INFO: Send request to manager. Waiting for reply.

ERROR: Duplicated IP: <agent ip> (from manager)

ERROR: Unable to add agent. (from manager)

ERROR: Unable to create key. Either wrong password or connection not accepted by the manager.

INFO: Connection closed.

Naturally I tried searching for an agent on the manager, but it's not present there.

 [ro...@server.domain ossec]# bin/manage_agents -l | grep <agent ip>

            <Nothing>

 

            [ro...@server.domain ossec]# grep <agent ip> /var/ossec/etc/client.keys

            <Nothing>

Is there anywhere else I can find it?

Also, I'm seeing  the agent is running but the manager is not accepting it's events:

2018/11/14 16:16:14 ossec-remoted: WARNING: (1213): Message from '<agent ip>' not allowed.

 

   

 

        

[Pedro Sánchez]

Hi Josip,

As you can notice, the Manager is rejecting the agent key request due to there is already an agent registered with the same IP address.

I saw you are actually grepping for that agent in manage_agents or even client.keys output and you have nothing.

Make sure you are not re-registering the agent several times in a row, that could cause inconsistencies between what Manager has in memory and what it is written on client.keys file, probably if you like to re-register agents on the daily basis, you can enable the force_insert flag (manager side), it will allow re-registration of the same agent with the same IP address, generating every time a new key and ID.

<use_source_ip>yes</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>

I am thinking option "-i" could be messing around as well.

Could you share your ossec-authd configuration? Maybe help us to know what is happening.

Regards,

Pedro.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d2fec1a3-31fc-48d8-94eb-d790f6beb27a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.