Wazuh Cluster Name


Spectrum

Sep 24, 2021, 1:03:08 PM
to Wazuh mailing list
Good Morning, 

We recently had our Wazuh server die and had to rebuild it from scratch. We had a single node at the time and decided we would be careful this time by adding another node. 

Our original agents were on Node01 and the new agents are on wazuh_cluster1 and we cannot seem to force the node01 agents to join the new wazuh_cluster1 manager. Can anyone point us in the right direction to do this? Thank you in advance!

Selu López

Sep 27, 2021, 4:15:54 AM
to Wazuh mailing list
Hi Spectrum,

I'm not really sure if the problem is that your old agents only connect to Node01 or if the problem is that they are disconnected now. 

Assuming that you have set your original manager as the master of the new cluster, and that you have connected new nodes as workers to said cluster, the client.keys (file where the keys of the registered agents are saved) should still contain the keys of your former agents. In this case the agents should still be registered and they should be able to connect to any node in the cluster.

For the agents to be distributed among the different managers, it is recommended to use a load balancer or failover mode, as explained in this section of the documentation: Agents connections

Note that in case of using a load balancer, managers will only see the IP of this load-balancer when agents try to connect. If the use_source_ip option of the manager wasn't no when the agents were registered, the managers will not allow them to connect, showing a message like this in the ossec.log file:
2021/09/27 07:53:03 ossec-remoted: WARNING: (1213): Message from '172.25.0.5' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.

In this case, it would be best to re-register the agents after changing this option in the ossec.conf of the master node so it looks like this: <use_source_ip>no</use_source_ip>.

Let me know what exactly your problem is so I can better help you, in case this doesn't answer your question.

Regards,
Selu.
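
One way to check whether the 1213 warning quoted above comes from the use_source_ip mismatch, as an added example that is not part of the thread or of Wazuh's own code: it cross-checks rejected source IPs in ossec.log against the address field of client.keys. It assumes the client.keys layout `<id> <name> <ip|cidr|any> <key>`; the agent names, keys and all log lines except the first are constructed.

```python
import ipaddress
import re

# Warning quoted in the thread; the daemon name is matched loosely.
REJECT_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S*remoted\S* .*?"
    r"WARNING: \(1213\): Message from '(?P<src>[^']+)' not allowed"
)
SAMPLE_KEYS = [  # constructed sample; names are made up, keys are placeholders
    "001 web01 10.0.0.11 KEY_PLACEHOLDER_1",
    "002 web02 10.0.0.12 KEY_PLACEHOLDER_2",
    "003 db01 any KEY_PLACEHOLDER_3",
]
TAIL = " not allowed. Cannot find the ID of the agent. Source agent ID is unknown."
SAMPLE_LOG = [  # first line is the one quoted in the thread; the rest are constructed
    "2021/09/27 07:53:03 ossec-remoted: WARNING: (1213): Message from '172.25.0.5'" + TAIL,
    "2021/09/27 07:53:09 ossec-remoted: WARNING: (1213): Message from '172.25.0.5'" + TAIL,
    "2021/09/27 07:53:10 ossec-remoted: INFO: constructed line that must not match",
]

def pinned_agents(key_lines):
    """Map agent id -> (name, network) for entries registered with a fixed IP."""
    pinned = {}
    for line in key_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] == "any":
            continue  # malformed line, or agent accepted from any address
        try:
            pinned[parts[0]] = (parts[1], ipaddress.ip_network(parts[2], strict=False))
        except ValueError:
            continue  # address field is not an IP or CIDR
    return pinned

def unmatched_sources(log_lines, pinned):
    """Count 1213 rejections per source IP that matches no pinned agent."""
    hits = {}
    for line in log_lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # quoted source is not an IP address
        if not any(src in net for _, net in pinned.values()):
            hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits

if __name__ == "__main__":
    print(unmatched_sources(SAMPLE_LOG, pinned_agents(SAMPLE_KEYS)))
```

A single source IP with many hits that matches none of the pinned agents is consistent with traffic arriving through a load balancer; the agents returned by `pinned_agents` are the ones that would need re-registering after the option is changed.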

Selu López

Sep 28, 2021, 3:30:21 AM
to Wazuh mailing list
Good Afternoon Selu, 

Our problem is that Node01 died and we created a new VM called wazuh_cluster1. None of the agents that were registered with the original Node01 are registering with the new wazuh_cluster1. I was able to get one device registered but I had to uninstall the agent and remove every single mention of wazuh from the registry before it would reinstall and register with the new VM. That was a lot of work for one machine and I still have 200 to go. Is there a more efficient way to do this? Thank you for your assistance on this!

Hello Spectrum,

It is quite strange, certainly not the expected behavior. We can rule out a network problem since the solution in that first case has been to reinstall. I think some data could be useful to debug the problem, for example:
- Wazuh version of the agents that were connected to Node01. 
- Managers version.

Also, I think it will be helpful if you try to manually register one of the problematic agents with your wazuh_cluster1. You can follow the instructions in Registering the Wazuh agent using simple registration service. Please paste the output obtained here, in case it might contain useful information. Also, after restarting the agent and once it tries to start the connection, I think its ossec.log could be a good clue. Please paste a trace of your agent's ossec.log here after restarting it, if possible. And maybe also a trace of the manager (wazuh_cluster1) ossec.log while the agent tries to connect, if you find something suspicious in there.

Feel free to let me know any other information that you consider relevant.

Best regards,
Selu.  

