[windows agent] wazuh agent tries to use non-existent ipv6 gateway on ipv4 network

Bill A

Mar 11, 2024, 5:57:15 AM
to Wazuh | Mailing List

Ok, so I just need to know how to change this behavior in the wazuh agent on windows, where the agent somehow thinks it needs to talk on link local ipv6.  Network is internal ipv4, no ipv6 is configured.  Host is online and all other services are working.  This is affecting deployment of windows based agents.  This is on the agent host, not on the wazuh server.

Logs below.

2024/03/08 13:13:23 wazuh-agent: WARNING: No network interface index provided to use FE80:0000:0000:0000:8FC9:1F1A:4CCC:2E83 link-local IPv6 address.
2024/03/08 13:13:23 wazuh-agent: ERROR: (4114): All server addresses are IPv6 link-local and no interface to any <server> block has been configured.
2024/03/08 13:13:23 wazuh-agent: ERROR: (1215): No client configured. Exiting.
2024/03/08 13:13:23 wazuh-agent: INFO: Received exit signal. Starting exit process.
2024/03/08 13:13:23 wazuh-agent: INFO: Set pending exit signal.
2024/03/08 13:45:31 wazuh-agent: WARNING: No network interface index provided to use FE80:0000:0000:0000:8FC9:1F1A:4CCC:2E83 link-local IPv6 address.
2024/03/08 13:45:31 wazuh-agent: ERROR: (4114): All server addresses are IPv6 link-local and no interface to any <server> block has been configured.
2024/03/08 13:45:31 wazuh-agent: ERROR: (1215): No client configured. Exiting.
2024/03/08 13:45:31 wazuh-agent: INFO: Received exit signal. Starting exit process.
2024/03/08 13:45:31 wazuh-agent: INFO: Set pending exit signal.
2024/03/08 13:45:31 wazuh-agent: INFO: Exit completed successfully.
2024/03/08 13:47:37 wazuh-agent: WARNING: No network interface index provided to use FE80:0000:0000:0000:8FC9:1F1A:4CCC:2E83 link-local IPv6 address.
2024/03/08 13:47:37 wazuh-agent: ERROR: (4114): All server addresses are IPv6 link-local and no interface to any <server> block has been configured.
2024/03/08 13:47:37 wazuh-agent: ERROR: (1215): No client configured. Exiting.
2024/03/08 13:47:37 wazuh-agent: INFO: Received exit signal. Starting exit process.
2024/03/08 13:47:37 wazuh-agent: INFO: Set pending exit signal.

Juan Nicolás Asselle (Nico Asselle)

Mar 11, 2024, 7:06:43 AM
to Wazuh | Mailing List

Hi Bill,

Thanks for reporting this. I'm checking what could be going wrong, but I will need extra information from your side.

- Wazuh Agent version and Windows version
- Wazuh Agent client's configuration block (particularly the server ip)
- Windows environment IP configuration

Please replace any sensitive data such as IP addresses or hostnames, but keep their nature.

Regards,
Nico

Bill A

Mar 11, 2024, 11:05:13 AM
to Wazuh | Mailing List
Let's say that the wazuh server ip is 10.10.10.24 and the windows host is 10.10.10.23.  Both are virtual guests on the same hypervisor, on the same vlan.

- Wazuh Agent version and Windows version
Agent 4.7.3, Windows Server 2019

- Wazuh Agent client's configuration block (particularly the server ip)
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.7.3-1.msi -OutFile ${env.tmp}\wazuh-agent; msiexec.exe /i ${env.tmp}\wazuh-agent /q WAZUH_MANAGER='10.10.10.24' WAZUH_AGENT_NAME='somehost' WAZUH_REGISTRATION_SERVER='10.10.10.24'

- Windows environment IP configuration
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : myhost
   Primary Dns Suffix  . . . . . . . : my.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : my.domain.com

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-BE-65-31
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8fc9:1f1a:4ccc:2e83%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 1010.10.1
   DHCPv6 IAID . . . . . . . . . . . : 369119318
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-55-08-19-00-50-56-BE-53-FF
   DNS Servers . . . . . . . . . . . : 10.10.10.10
                                       10.10.10.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Juan Nicolás Asselle (Nico Asselle)

Mar 11, 2024, 3:39:19 PM
to Wazuh | Mailing List
Bill,

Thanks for the information. One more thing: the error seems to be related to a wrong value in <server><address> in ossec.conf, which, based on the code, contains a ':' character to behave like that. Could you please check this?

Nico

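Added example (not from this thread and not Wazuh's own code): an offline check, in Python, of the <client> addresses from the ossec.conf posted later in the thread. It applies the ':' heuristic Nico describes plus the link-local condition behind error 4114, and simulates DNS with a constructed table in which the agent's own FQDN resolves to the link-local address that ipconfig showed (fe80::8fc9:1f1a:4ccc:2e83, the same address the agent logged); the resolver table and the name wazuh.my.domain.com are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <client> block of the agent's ossec.conf posted in
# this thread; the FQDN is the agent host's own name, not the manager's.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>host.my.domain.com</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>host.my.domain.com</manager_address>
    </enrollment>
  </client>
</ossec_config>
"""

# Constructed stand-in for DNS (an assumption, not real resolution): the agent's
# FQDN maps to the link-local address ipconfig showed; the manager name is made up.
FAKE_DNS = {
    "host.my.domain.com": ["fe80::8fc9:1f1a:4ccc:2e83"],
    "wazuh.my.domain.com": ["10.10.10.24"],
}

def usable(addr, resolver=FAKE_DNS):
    """Return (ok, reason); ':' means IPv6, link-local needs a '%<ifindex>' zone."""
    addr = addr.strip()
    if ":" not in addr:
        try:
            ipaddress.IPv4Address(addr)
            return True, "%s (ipv4 literal)" % addr
        except ValueError:            # not an IPv4 literal: treat as a hostname
            candidates = resolver.get(addr, [])
    else:
        candidates = [addr]
    if not candidates:
        return False, "%s: does not resolve" % addr
    for c in candidates:
        host, _, zone = c.partition("%")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False, "%s: not a valid address" % c
        if ip.version == 6 and ip.is_link_local and not zone:
            continue                  # the condition the agent logs as error 4114
        return True, "%s -> %s" % (addr, c)
    return False, "%s: only link-local IPv6 with no interface index" % addr

def check_client_block(xml_text, resolver=FAKE_DNS):
    # One problem line per unusable <server>/<address> or <manager_address>
    root = ET.fromstring(xml_text)
    problems = []
    for path in ("./client/server/address", "./client/enrollment/manager_address"):
        for el in root.findall(path):
            ok, reason = usable(el.text or "", resolver)
            if not ok:
                problems.append("%s: %s" % (path.rsplit("/", 1)[1], reason))
    return problems
```

Running check_client_block(SAMPLE_CONF) reports both the server address and the enrollment address as resolving only to link-local IPv6 without an interface index, which is the same state the agent reported before exiting.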
Bill A

Mar 11, 2024, 4:13:00 PM
to Wazuh | Mailing List
I'm assuming you are referring to the ossec.conf on the windows host:

On the host running the agent: the field <server> <address> contains the FQDN of the agent host, not an IP address.
Also, in the same config, <enrollment><manager_address> contains the FQDN of the agent host, not an IP address.
No colons were found in either field.

What entry should be in the agent host's ossec.conf config?  FQDN of agent host was what the configurator chose.  If it needs to be changed to something else, please let me know.

Juan Nicolás Asselle (Nico Asselle)

Mar 14, 2024, 8:51:22 AM
to Wazuh | Mailing List
Hi Bill,

From now on my questions are going to be focused on the Windows agent, which is where the errors are occurring.

The problem is related to the configuration of the Wazuh Agent regarding the Manager's registration and communication FQDN/IP, but in your previous questions you mentioned contradictory things like the following, which still confuse me:
- The one-liner installation uses the Manager's IP
- Your ossec.conf uses an FQDN

On the other hand, and I quote: "<server> <address> contains the FQDN of the agent host, not an IP address". Did you mean the manager host, right? Both <server> <address> and <enrollment><manager_address> should contain the Manager's IP/FQDN, and based on your error it contains a colon (:).

Looking forward to your comments,
Nico


Bill A

Mar 14, 2024, 9:50:33 AM
to Wazuh | Mailing List
Ok, here is a redacted section of the ossec.conf that was created automagically by the deployment tool, from the deployment string I sent earlier.  I'm not seeing a colon in the agent string in the configurator tool string I sent, nor in the address section of the agent config below.  Also, I did not update this config, *this config was created by the wazuh deployment tool, using the agent string I sent you which declared the wazuh server by ip (no colons), not manually by me.*  There are no colons in the address field for the agent ossec.conf.

If I understand you correctly, I need to change:
<client>
  <server>
      <address>host.my.domain.com</address>

over to:
<client>
  <server>
    <address>my.wazuh.server.address</address>

<!--
  Wazuh - Agent - Default configuration for Windows
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>

  <client>
    <server>
      <address>host.my.domain.com</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>windows, windows2019, windows-server, windows-server-2019</config-profile>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>host.my.domain.com</manager_address>
      <agent_name>host</agent_name>
    </enrollment>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Security Configuration Assessment -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>50</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->

Juan Nicolás Asselle (Nico Asselle)

Mar 14, 2024, 10:26:47 AM
to Wazuh | Mailing List
Bill,


Wazuh Dashboard "Deployment Agent" wizard asks Wazuh Manager server address (either IP or FQDN) and this is expressed in the command line as "WAZUH_MANAGER" and "WAZUH_REGISTRATION_SERVER".

The idea is to deal with Wazuh Agent information about Wazuh Server configuration during installation to make the Agent available ASAP with minimal user intervention. 

It seems to me that you set the Agent IP / Agent FQDN where the Manager's IP / FQDN should be set (based on your last message).

Could you please confirm this?
Nico

Bill A

Mar 14, 2024, 10:44:57 AM
to Wazuh | Mailing List
No, I put in the manager's IP address.  That is what I've been saying.

From a user's point of view, it would be less confusing if the Server IP instruction didn't state "This is the address the agent uses to communicate with the server".  In my interpretation, the tool wants the IP of the agent host, not the wazuh server (this is less a technical issue than a Strunk & White issue).  However, I provided the wazuh server IP anyway.

What I would like to do is run a clean install of this again on my test host.  I could have entered something wrong during my testing.  What is the best way to uninstall this Windows agent so that there won't be any old files left on re-running the agent install?  I want to make sure I can repeat this cleanly, and determine if I made a mistake in the process.

Juan Nicolás Asselle (Nico Asselle)

Mar 14, 2024, 11:34:08 AM
to Wazuh | Mailing List
Bill,

Understood. About the wizard message, I fully agree with you; it could be confusing. Please feel free to create an issue with a message proposal on the https://github.dev/wazuh/wazuh-dashboard-plugins repository.

For my part, I was debugging with the development team and we could not reproduce the messages that you shared with us previously.

I'm not only trying to solve your problem but also checking that there's no bug behind it, so my first step is to determine the environment and the steps followed. Based on this, I encourage you to try to reproduce the error again following the same installation process, and let me know if it happens again.

Nico

Bill A

Mar 15, 2024, 11:22:38 AM
to Wazuh | Mailing List
Ok, thank you.

Ran the win32ui.exe tool to update the IP.  Re-ran the installation process via PowerShell.  Now everything works.

So, must be a configuration issue on my end, but I don't know how it happened.  At least I have a fix.  Thank you.