needs wazuh-agent-3.2.1


Odie

Apr 4, 2019, 7:08:49 AM
to Wazuh mailing list
Hi Everyone!

I recently installed the agent on my new Linux box, but the default repositories download the latest version, wazuh-agent-3.8.X. It never connects to my Wazuh manager. When I checked my other server, the agent installed there is wazuh-agent-3.2.1.

How and where can I download this version? Checking the Wazuh package list here https://documentation.wazuh.com/3.2/installation-guide/packages-list/index.html#packages
the nearest version is 3.2.4.X, which I've tried, but I got an error: can't start the agent.


Appreciate your help..
Thanks!

Sergio Peral

Apr 4, 2019, 10:25:18 AM
to Wazuh mailing list
Hi Odie,

Indeed, the Wazuh repository always gives you the latest version, and Wazuh-Manager is not compatible with agents that have a newer version than it.

You downloaded Wazuh-Agent-3.2.4 from the right site. Please, can you answer me the following questions?

1) Which OS are you using in the agent that can't start?
2) Which error are you getting? Can you send me some logs?

For now, please try this:

1) Look for agent process and kill it. This is an example for my case:

# ps aux | grep ossec-agent


ossec     2741  0.4  0.4 256092  4552 ?        Sl   14:17   0:01 /var/ossec/bin/ossec-agentd
root      3401  0.0  0.0  14224   924 pts/0    S+   14:21   0:00 grep --color=auto ossec-agent


# kill -9 2741

2) Restart wazuh-agent

# systemctl restart wazuh-agent

If you can provide more relevant information it will be appreciated.

Maybe you want to consider upgrading your server to the latest version and get the latest Wazuh capabilities: https://documentation.wazuh.com/current/installation-guide/upgrading/latest_wazuh3_minor.html?

Regards,
Sergio.

Odie

Apr 4, 2019, 11:31:58 PM
to Wazuh mailing list
Hi Sergio,


1) Which OS are you using in the agent that can't start?

Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-514.26.2.el7.x86_64
Architecture: x86-64


2) Which error are you getting? Can you send me some logs?

systemctl restart wazuh-agent

Job for wazuh-agent.service failed because the control process exited with error code. See "systemctl status wazuh-agent.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl restart wazuh-agent
Job for wazuh-agent.service failed because the control process exited with error code. See "systemctl status wazuh-agent.service" and "journalctl -xe" for details.



-- Unit wazuh-agent.service has failed.
--
-- The result is failed.
Apr 05 10:41:36 localhost.localdomain systemd[1]: Unit wazuh-agent.service entered failed state.
Apr 05 10:41:36 localhost.localdomain systemd[1]: wazuh-agent.service failed.
Apr 05 10:41:36 localhost.localdomain polkitd[1025]: Unregistered Authentication Agent for unix-process:20998:5749327 (system
Apr 05 10:41:47 localhost.localdomain polkitd[1025]: Registered Authentication Agent for unix-process:21052:5752880 (system b
Apr 05 10:41:47 localhost.localdomain systemd[1]: Starting Wazuh agent...
-- Subject: Unit wazuh-agent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit wazuh-agent.service has begun starting up.
Apr 05 10:41:47 localhost.localdomain env[21058]: Starting Wazuh v3.2.4 (maintained by Wazuh Inc.)...
Apr 05 10:41:47 localhost.localdomain env[21058]: Started wazuh-modulesd...
Apr 05 10:41:47 localhost.localdomain env[21058]: ossec-execd already running...
Apr 05 10:41:47 localhost.localdomain env[21058]: 2019/04/05 10:41:47 ossec-agentd: INFO: Using notify time: 60 and max time
Apr 05 10:41:47 localhost.localdomain env[21058]: Started ossec-agentd...
Apr 05 10:41:50 localhost.localdomain env[21058]: 2019/04/05 10:41:50 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue
Apr 05 10:41:50 localhost.localdomain env[21058]: 2019/04/05 10:41:50 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec
Apr 05 10:41:58 localhost.localdomain env[21058]: 2019/04/05 10:41:58 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue
Apr 05 10:41:58 localhost.localdomain env[21058]: 2019/04/05 10:41:58 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec
Apr 05 10:42:11 localhost.localdomain env[21058]: 2019/04/05 10:42:11 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue
Apr 05 10:42:11 localhost.localdomain env[21058]: 2019/04/05 10:42:11 rootcheck: CRITICAL: (1211): Unable to access queue: '/
Apr 05 10:42:11 localhost.localdomain env[21058]: ossec-syscheckd did not start
Apr 05 10:42:11 localhost.localdomain systemd[1]: wazuh-agent.service: control process exited, code=exited status=1
Apr 05 10:42:11 localhost.localdomain systemd[1]: Failed to start Wazuh agent.







Odie

Apr 5, 2019, 5:22:03 AM
to Wazuh mailing list
Hi Sergio,


I tried to reinstall the agent but still got the same error, "connection refused". I will plan to upgrade soon, but not for now; I need to add this Linux box.

Thanks!

1) Look for agent process and kill it. This is an example for my case:
no agent process

#  ps aux | grep ossec-agent
root      26511  0.0  0.0 112644   964 pts/0    S+   17:09   0:00 grep --color=auto ossec-agent


Apr 05 17:12:20 localhost.localdomain env[26557]: 2019/04/05 17:12:20 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
Apr 05 17:12:28 localhost.localdomain env[26557]: 2019/04/05 17:12:28 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
Apr 05 17:12:28 localhost.localdomain env[26557]: 2019/04/05 17:12:28 rootcheck: ERROR: (1210): Queue '/var/ossec/queue/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
Apr 05 17:12:41 localhost.localdomain env[26557]: 2019/04/05 17:12:41 ossec-syscheckd: ERROR: (1210): Queue '/var/ossec/queue
Apr 05 17:12:41 localhost.localdomain env[26557]: 2019/04/05 17:12:41 rootcheck: CRITICAL: (1211): Unable to access queue: '/queue/ossec/queue' not accessible: 'Connection refused'.
Apr 05 17:12:41 localhost.localdomain env[26557]: ossec-syscheckd did not start
Apr 05 17:12:41 localhost.localdomain systemd[1]: wazuh-agent.service: control process exited, code=exited status=1
Apr 05 17:12:41 localhost.localdomain systemd[1]: Failed to start Wazuh agent.



Sergio Peral

Apr 8, 2019, 10:45:46 AM
to Wazuh mailing list
Hi Odie,

I think that I know what's happening to you, thanks to your logs. 

You are getting a 'Connection refused' error in a directory that should only be present in a Wazuh-manager ( '/var/ossec/queue/ossec/queue' ), but you're trying to start the Wazuh-agent service. 

Have you installed both Wazuh-agent and Wazuh-manager on the same computer? Wazuh-manager and Wazuh-agent running on the same computer conflict; that must be the cause of your problem. However, you don't have to worry about your manager being left unprotected, as managers automatically report events like any other agent would.

If this is your case, try uninstalling Wazuh-manager in that machine and restart the agent service. You can use #yum remove wazuh-manager.

If the previous method didn't work for you, please answer me the following questions, and I'll reproduce your environment in order to look for a suitable fix:

1) What's your manager version?
2) Did you choose UDP or TCP protocol in ossec.conf ?
3) Can you send me the output of #ll /var/ossec/queue/ossec/queue ?

Best regards,
Sergio.

Odie

Apr 8, 2019, 10:52:42 PM
to Wazuh mailing list
Hi Sergio,

I didn't install wazuh-manager on the same box, only wazuh-agent. This is the scenario:

1. I installed wazuh-agent from the repository, and I was not aware that it would install the latest wazuh-agent version, 3.8. Although it installed successfully without any error, I noticed that it never connects to my wazuh-manager. Checking my other Linux box installation, it has wazuh-agent 3.2.1.
2. Uninstalled wazuh-agent 3.8 and installed wazuh-agent 3.2.4, and then the service didn't start; that is the error I got.
3. Uninstalled wazuh-agent again, cleaned up the directory and re-installed wazuh-agent, but still the same error.



This is weird. It is supposed to be working after I uninstalled wazuh-agent 3.8. I need this to be installed for our upcoming audit.
Installed wazuh-agent 3.2.4 on my test server and installed successfully and connected to wazuh-manager


1) What's your manager version?

# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
NAME="Wazuh"
VERSION="v3.2.1"
REVISION="3220"
DATE="Sat Mar  3 01:02:44 UTC 2018"
TYPE="server"



2) Did you choose UDP or TCP protocol in ossec.conf ?

  used the default "UDP" settings


3) Can you send me the output of #ll /var/ossec/queue/ossec/queue ?

# ll /var/ossec/queue/ossec/queue
srw-rw---- 1 ossec ossec 0 Apr  8 08:39 /var/ossec/queue/ossec/queue



Thanks!



Sergio Peral

Apr 23, 2019, 10:46:01 AM
to Wazuh mailing list
Hi Odie,

I'm sorry for the late response.

The reason your agent cannot connect to your manager is because of their version. Wazuh-Manager 3.2.1 is too old for a 3.2.4 agent. The manager version has to be newer or the same as the agent's, in any case.

There's something that sounds strange to me:

"Installed wazuh-agent 3.2.4 on my test server and installed successfully and connected to wazuh-manager"

Are you sure that the manager in your test server is 3.2.1?  Did you manage to register the agent there?

Based on our compatibility matrix, it doesn't seem to be possible. You can check this matrix in the following documentation link: https://documentation.wazuh.com/3.x/installation-guide/compatibility_matrix/index.html.

Best regards,
Sergio.
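
The version rule from the reply above (manager the same as or newer than the agent), as an added shell check that is not part of the original thread: it reads the manager version from an ossec-init.conf file in the format Odie posted and classifies candidate agent versions before a package is installed. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the VERSION value (leading "v" dropped) from an ossec-init.conf file.
init_conf_version() {
    sed -n 's/^VERSION="v\{0,1\}\([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Compare two dotted numeric versions field by field; print -1, 0 or 1.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}          # missing fields count as 0
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Succeed only when the agent version is not newer than the manager's.
agent_ok_for_manager() {
    [ "$(version_cmp "$1" "$2")" != 1 ]
}

# Classify each candidate agent version against the manager's init file.
check_candidates() {
    conf=$1; shift
    mgr=$(init_conf_version "$conf")
    [ -n "$mgr" ] || { echo "no VERSION in $conf" >&2; return 2; }
    for agent in "$@"; do
        if agent_ok_for_manager "$agent" "$mgr"; then
            echo "$agent ok"
        else
            echo "$agent too-new"
        fi
    done
}

# Constructed sample: the manager's /etc/ossec-init.conf as posted in the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
DIRECTORY="/var/ossec"
NAME="Wazuh"
VERSION="v3.2.1"
TYPE="server"
EOF
check_candidates "$sample" 3.2.1 3.2.4 3.8.0
```

The comparison is numeric per field, so 3.10.0 sorts above 3.2.1, which a plain string comparison would get wrong.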