Wazuh agents keep losing group assignment

Kevin Neubauer

Mar 15, 2021, 10:31:52 AM
to Wazuh mailing list
I have deployed my Windows Wazuh agents into 2 different groups (Windows and Windows-Stage). These 2 groups are separate from the "default" group and have different agent policies. I have tried passing in the group assignment during install as a property to the MSI command line. I have also tried manually assigning the agents to their group from the Kibana web interface. However, no matter what I do, the agents periodically lose their group membership and go back into the "default" group.

The agent version is v4.1.2.

Where should I start looking to find out what is causing this behavior? Is there code or configuration on the server that would reset group membership based on some schedule or condition? Or is this behavior coded into the agent triggered by some condition?

carlos...@wazuh.com

Mar 16, 2021, 5:42:36 AM
to Wazuh mailing list
Hello,

Let me try to help you with this issue, as that's not the expected behavior for an agent's group. Membership is not reset by any scheduled condition by default.

A possible explanation for this could be that your agents are getting disconnected and, once they reconnect, they trigger the auto-enrollment process again, resulting in a new registration with both a new client.key value and groups assigned. Please check if you are having any connectivity issues.

Additionally, try to specify the group within the ossec.conf for these agents using the groups tag in clients > enrollment. This should avoid losing the group even when re-registering the agent again. You can find more information about the group parameter here. Finally, an example configuration using this parameter can be found here.

Let me know if you have any questions regarding this.

Kevin Neubauer

Mar 17, 2021, 1:10:10 PM
to Wazuh mailing list
Thank you Carlos.
We have had some internal firewall issues lately that could be the cause of this.
Would it be effective to specify the <client> <enrollment> nodes and data in shared configuration for each group? Or would it only be effective to specify it in the local ossec.conf file on each agent?

Kevin

carlos...@wazuh.com

Mar 18, 2021, 4:25:04 AM
to Wazuh mailing list
The <client> section is intended to be used in the local ossec.conf only, so you must specify it there instead of using the centralized configuration (agent.conf).

Regards.
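
As an added example that is not part of the thread and not Wazuh's own code: a small Python check that reads an agent's local ossec.conf and reports whether a group is set under client > enrollment, the setting recommended above. The sample configurations, the manager address and the function names are constructed for illustration, and a comma-separated group list is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a local ossec.conf that pins the enrollment group.
SAMPLE_WITH_GROUP = """
<ossec_config>
  <client>
    <server>
      <address>manager.example.internal</address>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <groups>Windows-Stage</groups>
    </enrollment>
  </client>
</ossec_config>
"""

# Constructed sample with no enrollment block and a second root element.
SAMPLE_WITHOUT_GROUP = """
<ossec_config>
  <client>
    <server><address>manager.example.internal</address></server>
  </client>
</ossec_config>
<ossec_config>
  <logging><log_format>plain</log_format></logging>
</ossec_config>
"""

def enrollment_groups(conf_text):
    """Return the groups listed under client > enrollment > groups, or []."""
    # ossec.conf may contain several <ossec_config> roots, which is not
    # well-formed XML on its own, so wrap the text in a single element.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    groups = []
    for node in root.findall("./ossec_config/client/enrollment/groups"):
        groups += [g.strip() for g in (node.text or "").split(",") if g.strip()]
    return groups

def audit(conf_text, expected_group):
    """Classify a local ossec.conf against the group the agent should keep."""
    groups = enrollment_groups(conf_text)
    if not groups:
        # Nothing pinned locally: per the thread, a re-registration can
        # leave the agent in the "default" group.
        return "unset"
    return "ok" if expected_group in groups else "mismatch"
```

Running `audit()` over the ossec.conf collected from each agent gives a quick list of hosts whose local configuration does not pin the expected group.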
