getting invalid ID for source IP
1,672 views
Skip to first unread message
Miki Alkalay
Jun 3, 2019, 5:05:20 AM6/3/19
to Wazuh mailing list
Hi,
my server is yelling about invalid ID... for source ip.
in the client.key the ID is not shown.
not even when i'm using the manage_agent command...
Please advice
Miki
David Vidriales
Jun 3, 2019, 6:28:52 AM6/3/19
to Wazuh mailing list
Hi Miki,
This is probably because an unregistered agent is trying to connect to your server. I've reproduced this the following way:
1) Register an agent with 'manage_agents' with 'any' as IP.
2) Connect the agent to the manager.
3) Delete the agent with 'manage_agents'.
4) The agent will try to send messages to the manager, but it won't be connected to the manager anymore. The server will display the message you mentioned.
If this is your case you should re-register your agent and re-connect it to the manager. If this is not your case, please let us know (providing more details about your error) and we will help you in any way we can.
Best regards,
David
Miki Alkalay
Jun 3, 2019, 8:51:22 AM6/3/19
to David Vidriales, Wazuh mailing list
Hi,
Tnx for your reply,
the IP is not even in my subnet.
don't know from where it came.
can i delete the agent, i can't even see the agent ID on the DB manage_agent and on the client.key
BR
Miki
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a1cde91c-a9e1-462c-9b92-dbef48b7af84%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Best Regards
Miki Alkalay
Mobile: 972-54-6496293
David Vidriales
Jun 3, 2019, 10:19:51 AM6/3/19
to Wazuh mailing list
Hi again Miki,
This still sounds like an unregistered agent is trying to connect to your server, if you don't expect this IP to get connected to your server, could it be that you have an agent installed and running somewhere?
It could be a VM or Docker or something like that (which could explain that the IP is not in your subnet).
If that's the case it's pretty normal that you can't see the agent when listing the registered agents in your manager (as well as the client.keys). That's precisely why that's happening.
If the manager is receiving messages from an agent somewhere it'll check the client.keys file to see if the messages are from a "known" agent. When the manager realizes the agent is not registered it displays the warning message.
That's why my guess is that you (or someone in your net) have an agent installed and running somewhere configured to send messages to your server IP.
I hope this helps. If you can't find the problem, please don't hesitate to contact us again.
Regards,
David
On Monday, June 3, 2019 at 2:51:22 PM UTC+2, Miki Alkalay wrote:
Hi,
Tnx for your reply,the IP is not even in my subnet.don't know from where it came.can i delete the agent, i can't even see the agent ID on the DB manage_agent and on the client.keyBRMiki
On Mon, Jun 3, 2019 at 1:28 PM David Vidriales <> wrote:
--Hi Miki,This is probably because an unregistered agent is trying to connect to your server. I've reproduced this the following way:1) Register an agent with 'manage_agents' with 'any' as IP.2) Connect the agent to the manager.3) Delete the agent with 'manage_agents'.4) The agent will try to send messages to the manager, but it won't be connected to the manager anymore. The server will display the message you mentioned.If this is your case you should re-register your agent and re-connect it to the manager. If this is not your case, please let us know (providing more details about your error) and we will help you in any way we can.Best regards,David
On Monday, June 3, 2019 at 11:05:20 AM UTC+2, Miki Alkalay wrote:Hi,my server is yelling about invalid ID... for source ip.in the client.key the ID is not shown.not even when i'm using the manage_agent command...Please adviceMiki
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a1cde91c-a9e1-462c-9b92-dbef48b7af84%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages