Not able to remove an agent.


Arjun Joshi

Jul 18, 2023, 3:10:56 AM
to Wazuh mailing list
I deployed my local machine into my Wazuh server, and then after my work was done, I tried to remove the agent; I uninstalled the Wazuh services. Yet the server still shows my machine on it, and it has gone into the default group. What do I do?
P.S. I'm still new to this, so do help me in layman's terms if possible.

Henadence Anyam

Jul 18, 2023, 3:36:07 AM
to Wazuh mailing list
Hello Arjun Joshi,

After uninstalling the agent on the endpoint, you have to explicitly remove it on the Wazuh server.

Follow the Removing agents documentation to achieve this.

To remove agents using the CLI, perform the following steps on the Wazuh server:

1.) Use the following command to list the agents available on the server: /var/ossec/bin/manage_agents -l
2.) Then, use this command to delete an agent by specifying the agent's ID: /var/ossec/bin/manage_agents -r <AGENT_ID>

Replace <AGENT_ID> with the ID of the agent you want to remove. Note that this does not show any confirmation message, so be careful that you are specifying the correct agent ID.

I hope you find this information helpful.
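
Added example, not part of the original reply and not Wazuh's own tooling: since the removal command gives no confirmation, this sketch checks that an agent ID maps to the name you expect before you run the removal. The listing line format, the sample agents and the function names are assumptions; the sample listing is constructed and is used only when the manage_agents binary is absent.

```shell
#!/bin/sh
# Pre-removal check for /var/ossec/bin/manage_agents -r <AGENT_ID>.
# Assumption: `manage_agents -l` prints lines such as
#   "   ID: 003, Name: arjun-laptop, IP: any"

MANAGE_AGENTS=/var/ossec/bin/manage_agents

# Constructed sample listing (hypothetical agents) for running off the server.
SAMPLE_LISTING='Available agents:
   ID: 001, Name: web-01, IP: any
   ID: 003, Name: arjun-laptop, IP: any
   ID: 013, Name: db-01, IP: 10.0.0.13'

list_agents() {
    if [ -x "$MANAGE_AGENTS" ]; then
        "$MANAGE_AGENTS" -l
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# Print the name registered for exactly this ID (prints nothing if no match).
agent_name_for_id() {
    list_agents | sed -n "s/^ *ID: $1, Name: \(.*\), IP: .*\$/\1/p"
}

# Succeed only if the ID is numeric and registered under the expected name.
check_removal() {
    id=$1
    expected=$2
    case $id in
        ''|*[!0-9]*) echo "refusing: '$id' is not a numeric agent ID" >&2; return 2 ;;
    esac
    actual=$(agent_name_for_id "$id")
    [ -n "$actual" ] || { echo "refusing: no agent with ID $id" >&2; return 3; }
    [ "$actual" = "$expected" ] || {
        echo "refusing: ID $id is '$actual', not '$expected'" >&2; return 4; }
    echo "ID $id is '$actual'; ok to run: $MANAGE_AGENTS -r $id"
}

# Usage: sh check_agent.sh 003 arjun-laptop
if [ $# -eq 2 ]; then check_removal "$1" "$2"; fi
```

The script only verifies the ID; the removal itself is still the manage_agents -r command from step 2, run by hand once the check passes.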

Arjun Joshi

Jul 18, 2023, 3:47:04 AM
to Wazuh mailing list
Is it possible to remove it from WUI? I have access to the Wazuh services on my Windows, not Linux. And I did check the documentation, "https://documentation.wazuh.com/current/user-manual/agents/remove-agents/restful-api-remove.html".
And I went to Wazuh>Tools>API Console, I don't know how to add the osquery here. For example, in the documentation, it says to add TOKEN=$(curl -u <user>:<password> -k -X GET "https://localhost:55000/security/user/authenticate?raw=true"), but when I do add it in query, there is an error.

Arjun Joshi

Jul 18, 2023, 3:51:46 AM
to Wazuh mailing list

Also, I updated the user and password in the command above. Still, there is an error.

Henadence Anyam

Jul 18, 2023, 4:11:48 AM
to Wazuh mailing list
Yes, you can use the Wazuh API to delete agents.

From the Wazuh dashboard you don't need to specify credentials as you are already authenticated.

For example, you can use the below query to delete the disconnected agent with ID 003:
DELETE /agents?status=disconnected&agents_list=003

Hope that helps.

Arjun Joshi

Jul 18, 2023, 6:32:41 AM
to Wazuh mailing list
Also, we are not able to receive any alerts of malware or virus detection. We get alerts for agent queue flooding, or if an application is installed which is not according to Wazuh compliance. How do I enable notifications for malware/virus detection?

Henadence Anyam

Jul 18, 2023, 7:32:16 AM
to Wazuh mailing list
Hello Arjun Joshi,

Were you able to remove the agent successfully following the guide?

I noticed you created an issue regarding your second question. A colleague is currently working on it to help you out.

Regards.

Arjun Joshi

Jul 18, 2023, 8:27:54 AM
to Wazuh mailing list
Not really, I got diverted with the malware detection.
The reason I was asking to remove an agent is because I was trying to change the group directly from its ossec.conf file, by changing the name in <groups>x</groups>, from x to y, and then restarting the Wazuh agent service.
After I did it, I'm trying to remove the agent, but your command did not work.

Arjun Joshi

Jul 18, 2023, 9:15:09 AM
to Wazuh mailing list
Also, looking into it, I cannot change the group name from the ossec.conf file anymore. I reinstalled the Wazuh agent on my machine, and it's not updating in the group anymore.

Henadence Anyam

Jul 19, 2023, 6:03:05 AM
to Wazuh mailing list
Hello Arjun Joshi,

Kindly follow the Grouping agents documentation to assign agents to groups.

Moreover, you can assign agents to groups using the Wazuh dashboard as shown in the attached images.
Follow the steps below to achieve this:
1.) Visit the Wazuh dashboard and navigate to Management > Groups. You will see all the available groups as shown in image 1 below.
2.) Select the agent group you wish to add the agent to as shown in image 1 below.
3.) Click on Manage agents as shown in the second image below.
4.) Select the agent you want to add and click on Add selected items to add the agent to the group.

Follow the same process to remove an agent from a group.

Hope you find this information helpful.


[Attached images: image(3).png, image(4).png, image(5).png]

Arjun Joshi

Jul 19, 2023, 6:48:58 AM
to Wazuh mailing list
Thank you. Can you please solve my other doubt? The conversation I'm having with Othniel Ebolum.

Arjun Joshi

Jul 19, 2023, 6:50:52 AM
to Wazuh mailing list
"Please excuse my novice doubts, I'm still new to this.
Going to Navigation bar > Alerting, there are custom triggers created by the previous Wazuh administrator. I want to create something like "Login failed" to send me an alert to my email every time an agent fails the authentication, regardless of the number of agents in the Wazuh server."