Filter Agents by IP


Khul Sat

Feb 15, 2023, 11:43:36 PM
to Wazuh mailing list

Hello.. Greetings!

As of now, I have been using agent_control -l to list the agents. I then use grep <agent-name> which I need to find/search. Following is the output I get:

    agent_control -l |grep agent-101
    ID: 101, Name: agent-101, IP: any, Active

Here, in front of IP, it says “any”. I want to know if there is any way to search/filter the agents by IP address(es).
In my environment, hostnames get changed and hence I cannot rely on the agent name or the hostname. Referring to the IP address is kind of a sure-shot option.

Please advise,
Thanks. KS

Jorge Eduardo Molas

Feb 16, 2023, 7:51:46 AM
to Wazuh mailing list
Hello Khul, I hope you are doing great.
Yes, as you've commented there is an issue reported for this.
You could work around using the cluster_control command:

    sh-4.2# ./cluster_control -a -fs active | grep 192.168.1.52
    256 Agent_1 192.168.1.52 active Wazuh v3.12.3 wazuh-manager-worker-0

I hope this is helpful to you. Let me know.
Regards!

Andres Micalizzi

Feb 16, 2023, 7:52:05 AM
to Wazuh mailing list
Hi Khul Sat,
Thanks for using Wazuh.

The agent_control tool is showing "any" in the IP field because the IP was not set: the agent did not pass its IP when it registered to the manager, so it is automatically set as needed by the manager. To fix this, what you need to do is:

  1. Re-register your agents using the agent-auth tool with:
         # /var/ossec/bin/agent-auth -m <Manager-IP> -A <Agent-Name> -I <Agent-IP>
     Example:
         # /var/ossec/bin/agent-auth -m 192.168.56.10 -A testAgent -I 10.0.10.2
  2. After registering this way, you will see the IP in the agent's information using agent_control.
     Example:
         # /var/ossec/bin/agent_control -l

    Wazuh agent_control. List of available agents:
       ID: 000, Name: c3 (server), IP: 127.0.0.1, Active/Local
       ID: 001, Name: WIN-JLGVA4CR4VI, IP: any, Disconnected
       ID: 002, Name: testAgent, IP: 10.0.10.2, Never connected

As you can see, testAgent shows the IP that was passed in.

Agent control does not allow filtering by IP; you can filter by ID, but having the IPs and names on display will allow you to easily identify each agent. If you really want to filter the response, you could grep the output of agent_control so it only prints the lines with the IPs you are looking for. Example:

    # /var/ossec/bin/agent_control -l | grep 10.0.10.2
    ID: 002, Name: testAgent, IP: 10.0.10.2, Never connected


I hope this clears your question.
Cheers
On Thursday, February 16, 2023 at 1:43:36 AM UTC-3 Khul Sat wrote:
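
An exact-match alternative to the grep filters shown in this thread, as an added example that is not part of any poster's message or of Wazuh's own tooling: a plain `grep 10.0.10.2` also matches addresses such as 10.0.10.21, so the function below compares the whole IP field of each `agent_control -l` line. The function names and the two lookalike agents in the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: filter `agent_control -l` output by the exact IP field.
# Usage on a manager (path as given in the thread):
#   /var/ossec/bin/agent_control -l | filter_agents_by_ip 10.0.10.2
#   /var/ossec/bin/agent_control -l | filter_agents_by_ip any   # agents registered without -I

filter_agents_by_ip() {
    # $1 = IP (or the literal "any") to match; listing is read from stdin.
    awk -v want="$1" '
        # Agent lines look like:
        #   ID: 002, Name: testAgent, IP: 10.0.10.2, Never connected
        /^ *ID:/ {
            n = split($0, field, /, */)
            ip = ""
            for (i = 1; i <= n; i++) {
                if (field[i] ~ /^IP: */) {
                    ip = field[i]
                    sub(/^IP: */, "", ip)
                }
            }
            # Force a string comparison so the whole field must be identical.
            if ((ip "") == (want "")) {
                sub(/^ +/, "")      # drop the listing indentation
                print
            }
        }'
}

# Constructed sample: the listing from the thread plus two constructed
# lookalike agents (003, 004) whose IPs contain "10.0.10.2" as a substring.
sample_listing() {
    cat <<'EOF'
    Wazuh agent_control. List of available agents:
       ID: 000, Name: c3 (server), IP: 127.0.0.1, Active/Local
       ID: 001, Name: WIN-JLGVA4CR4VI, IP: any, Disconnected
       ID: 002, Name: testAgent, IP: 10.0.10.2, Never connected
       ID: 003, Name: lookalike-a, IP: 10.0.10.21, Active
       ID: 004, Name: lookalike-b, IP: 110.0.10.2, Active
EOF
}
```

Run against the sample, `grep 10.0.10.2` returns agents 002, 003 and 004, while `filter_agents_by_ip 10.0.10.2` returns only agent 002.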

Khul Sat

Feb 20, 2023, 6:54:06 AM
to Wazuh mailing list
Thank you so much for your help!
I shall certainly get it checked & implemented if feasible.


Regards, KS
