Hi Sachin!
Based on your logs, I understand that the manager and the agent are checking if they can establish a connection and they fail because there is a mismatch between the agent's id/name and the key. The error SSL read (unable to receive message) in the Wazuh agent logs typically points to issues with SSL/TLS communication between the agent and the Wazuh manager. This can occur if there is a mismatch in the SSL certificates or issues with the certificate verification setup.
To fix this, please check the following:
Make sure the manager IP address is correct in the ossec.conf on the agent side, like:
<server>
<address>192.168.55.56</address>
</server>
After this, please ensure that the client key on the agent matches the key in the manager's client.keys file. You can typically find the key file at: `/var/ossec/etc/client.keys` on both the manager and the agent. In case it doesn't, then
run this command on the wazuh-manager server to extract the key:
/var/ossec/bin/manage_agents -e <agent id>
On the agent side, import the key by running:
/var/ossec/bin/manage_agents -i <key>
You can see this documentation as a guide:
https://documentation.wazuh.com/current/development/client-keys.html
In case this didn't resolve the issue, then use the Wazuh agent identity verification method, which uses SSL certificates to verify that a Wazuh agent is authorized to enroll in the Wazuh manager.
Manager side:
1. Run the following command on the Wazuh server to use Wazuh as the certificate authority and generate the rootCA.key and rootCA.pem files with higher validity (365 days):
openssl req -x509 -days 365 -new -nodes -newkey rsa:4096 -keyout rootCA.key -out rootCA.pem -batch -subj "/C=US/ST=CA/O=Wazuh"
2. Generate a certificate signing request (CSR) for the Wazuh agent on the Wazuh server:
openssl req -new -nodes -newkey rsa:4096 -keyout sslagent.key -out sslagent.csr -batch
3. Sign the generated agent CSR using the CA keys and generate the sslagent.cert certificate:
openssl x509 -req -days 365 -in sslagent.csr -CA rootCA.pem -CAkey rootCA.key -out sslagent.cert -CAcreateserial
4. Then copy the rootCA.pem file to the manager's /var/ossec/etc/ directory and configure it as the ssl_agent_ca in the manager's ossec.conf file. Uncomment the <auth><ssl_agent_ca> section and specify the path to the rootCA.pem file on the Wazuh manager.
<auth>
...
<ssl_agent_ca>/var/ossec/etc/rootCA.pem</ssl_agent_ca>
</auth>
5. Restart the wazuh-manager to make the change effective.
Agent side:
1. Copy the sslagent.cert and sslagent.key to the agent and use them as the enrollment certificate and key.
2. Using an administrator account, modify the Wazuh agent configuration file located at C:\Program Files (x86)\ossec-agent\ossec.conf and include the following:
Wazuh manager IP address or FQDN in the <client><server><address> section.
The local paths to the agent certificate and key in the <client><enrollment> section.
<client>
<server>
<address>WAZUH_MANAGER_IP</address>
</server>
<enrollment>
<agent_certificate_path>/<PATH_TO>/sslagent.cert</agent_certificate_path>
<agent_key_path>/<PATH_TO>/sslagent.key</agent_key_path>
</enrollment>
</client>
Restart the Wazuh agent to make the changes effective:
Restart-Service -Name wazuh
Refer to
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.html#windows
If you have any questions, do not hesitate to ask me.
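The client.keys comparison suggested in the reply above can be scripted. This is an added example, not part of the original post and not Wazuh's own code. It assumes each client.keys line has the layout `ID NAME IP KEY` and that names starting with `!` or `#` mark removed agents; the function names and sample keys are constructed for illustration.

```python
import hashlib

def parse_client_keys(text):
    """Parse client.keys content into {agent_id: (name, key)}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Assumed line layout: "ID NAME IP KEY"; anything else is skipped.
        if len(fields) != 4:
            continue
        agent_id, name, _ip, key = fields
        # Assumption: names starting with '!' or '#' mark removed agents.
        if name[0] in "!#":
            continue
        entries[agent_id] = (name, key)
    return entries

def fingerprint(key):
    """Short SHA-256 tag so keys can be compared without printing them."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def compare_keys(manager_text, agent_text):
    """Return a list of findings; an empty list means the entries agree."""
    manager = parse_client_keys(manager_text)
    agent = parse_client_keys(agent_text)
    if len(agent) != 1:
        return [f"agent file has {len(agent)} usable entries, expected 1"]
    (agent_id, (name, key)), = agent.items()
    if agent_id not in manager:
        same_name = sorted(i for i, (n, _) in manager.items() if n == name)
        hint = f"; name '{name}' is registered as id {same_name[0]}" if same_name else ""
        return [f"id {agent_id} is not in the manager's client.keys{hint}"]
    m_name, m_key = manager[agent_id]
    findings = []
    if m_name != name:
        findings.append(f"id {agent_id}: name '{name}' on agent, '{m_name}' on manager")
    if m_key != key:
        findings.append(f"id {agent_id}: key differs (agent {fingerprint(key)}, "
                        f"manager {fingerprint(m_key)})")
    return findings

# Constructed sample data (not real keys): the agent kept a key from an
# earlier registration, so the manager holds a different key for id 002.
MANAGER_KEYS = (f"001 web01 any {'a' * 64}\n002 win10 any {'b' * 64}\n"
                f"003 !old-host any {'d' * 64}\n")
AGENT_STALE_KEY = f"002 win10 any {'c' * 64}\n"

if __name__ == "__main__":
    for finding in compare_keys(MANAGER_KEYS, AGENT_STALE_KEY):
        print(finding)
```

An empty result means the id, name and key agree; any finding means the key should be re-exported with manage_agents -e and re-imported with manage_agents -i as described above.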