Remote upgrade for Windows agents fails


Carlos Lopez

Apr 23, 2021, 3:56:25 AM
to wa...@googlegroups.com
Hi all,

 I have done several tests this morning to try to upgrade all my Windows agents (all of them are Windows 10 Professional). 

 I have tried using the API, but the result is:

root@wazuh-master:~# curl -k -X GET "https://localhost:55000/agents/upgrade_result?agents_list=030,027&pretty=true" -H  "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "message": "Success",
            "agent": "027",
            "task_id": 10,
            "node": "wazuh-worker-01",
            "module": "upgrade_module",
            "command": "upgrade",
            "status": "Error",
            "error_msg": "Send upgrade command error",
            "create_time": "2021/04/23 07:38:36",
            "update_time": "2021/04/23 07:38:45"
         },
         {
            "message": "Success",
            "agent": "030",
            "task_id": 11,
            "node": "wazuh-worker-01",
            "module": "upgrade_module",
            "command": "upgrade",
            "status": "Error",
            "error_msg": "Send upgrade command error",
            "create_time": "2021/04/23 07:38:36",
            "update_time": "2021/04/23 07:38:44"
         }
      ],
      "total_affected_items": 2,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "All agents have been updated",
   "error": 0
}

 Some issues regarding this message:

 a/ Why does the API return error 0 and Success when the upgrade fails, as you can see in the output? Or are these messages only related to launching the remote upgrade? But "total_failed_items" returns 0.

 b/ Do I need to apply specific options?

 Also, I have tried to use the agent_upgrade module, but it never updates remote Windows agents.

 Is this a bug?

Best regards,
C. L. Martinez

Tomas Turina

Apr 23, 2021, 11:27:59 AM
to Carlos Lopez, wa...@googlegroups.com
Hi Carlos,

Regarding your first question, the error code 0 indicates that there was no error in the API request and results could be retrieved. Probably the message is confusing and not accurate, I'll let my team know about this.

About your second question, I think what you have done is okay. I've tried to upgrade one of my Windows agents to the latest Wazuh version (v4.1.5) and I had no problem. I've attached two images so you can see this.

The error code "Send upgrade command error" is telling you that the Windows agent has received the WPK but it could not launch the upgrade script. Some things that may have happened:
  • There was a problem unsigning, uncompressing or unmerging WPK files. You can check if there is any error logged in the ossec.log file of the Windows agent. If this is the problem, try removing the content of the incoming directory of the Windows agent and start the upgrade again. If you are using a custom WPK package, review if you have generated it correctly and configured the certificates on the agent side.
  • There was a problem deleting WPK files of previous upgrades. You can check if there is any error logged in the ossec.log file of the Windows agent. If this is the problem, try manually removing the content of the upgrade directory of the Windows agent and start the upgrade again.
  • There was a problem giving executable permissions to the upgrade.bat script or executing it. You can check if there is any error logged in the ossec.log file of the Windows agent. If this is the problem, try manually running it from the incoming directory of the Windows agent and see if you get any error code. If you have created a custom WPK, please review if this script has no errors. If not, please let us know so we can check if there is any problem with it.
  • Another possibility is that you have a cluster architecture with a load balancer and it is assigning the agent to a new worker node in the middle of the upgrade process. This is common if you are using UDP protocol, but it can also happen even if you use TCP. If this is happening, the message that the manager sends to the agent indicating that it has to run the upgrade.bat script may be reaching the old worker node, which responds with an error code and cancels the upgrade. In this case, I recommend setting agents to report to a static worker during the upgrade process so it can continue without errors and after finishing with them, set them to report again to the load balancer.
I hope you can find the problem with the information I shared with you. If not, please let me know.

Best regards.

Tomás Turina.


Capture1.PNG
Capture2.PNG
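
The reply above explains that the top-level "error": 0 only reports that the API request worked. The following is an added example, not part of the original thread or of Wazuh's own code, that judges an upgrade_result response per task instead. The function name, the agent id "031" and the assumed layout of failed_items are illustrative assumptions; the sample response is the one quoted in the thread, trimmed.

```python
import json

# Constructed sample: the response quoted in the thread, trimmed to the fields used here.
SAMPLE_RESPONSE = json.loads("""
{"data": {"affected_items": [
    {"agent": "027", "task_id": 10, "status": "Error",
     "error_msg": "Send upgrade command error"},
    {"agent": "030", "task_id": 11, "status": "Error",
     "error_msg": "Send upgrade command error"}],
  "total_affected_items": 2, "total_failed_items": 0, "failed_items": []},
 "message": "All agents have been updated", "error": 0}
""")


def agents_needing_attention(response, expected_agents):
    """Map agent id -> reason, judged per task instead of by the top-level fields."""
    if response.get("error", 1) != 0:
        # The API request itself failed, so there is no per-agent result to read.
        reason = "API error: %s" % response.get("message")
        return {agent: reason for agent in expected_agents}

    data = response.get("data", {})
    problems, seen = {}, set()
    for item in data.get("affected_items", []):
        agent = item.get("agent")
        seen.add(agent)
        # "Error" is the only failing status shown in the thread; any other
        # status value is left unjudged here.
        if item.get("status") == "Error":
            problems[agent] = "task %s: %s" % (item.get("task_id"), item.get("error_msg"))
    for item in data.get("failed_items", []):
        # Assumed layout of a failed item: {"error": {"message": ...}, "id": [ids]}
        for agent in item.get("id", []):
            seen.add(agent)
            problems[agent] = "request failed: %s" % item.get("error", {}).get("message")
    for agent in expected_agents:
        if agent not in seen:
            problems[agent] = "no task result returned"
    return problems


if __name__ == "__main__":
    # "031" is a hypothetical agent id that was requested but never answered.
    result = agents_needing_attention(SAMPLE_RESPONSE, ["027", "030", "031"])
    for agent, reason in sorted(result.items()):
        print(agent, "->", reason)
```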

Carlos Lopez

May 12, 2021, 4:34:11 AM
to Tomas Turina, wa...@googlegroups.com
Hi all,

 Sorry for this late answer. There is only this error in the Wazuh worker:

2021/05/12 07:47:30 wazuh-modulesd:agent-upgrade: ERROR: (8116): Error response from agent: 'Could not verify signature

(I am trying to update agents from release 4.1.4 to 4.1.5 in Windows). These are the errors in agent side:

2021/05/12 09:18:50 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2021/05/12 09:18:59 ossec-agent: ERROR: Could not get message for (Application)
2021/05/12 09:19:10 ossec-agent: INFO: (6009): File integrity monitoring scan ended.
2021/05/12 09:47:28 ossec-agent: ERROR: (1117): Could not retrieve information of file '/var/ossec/etc/wpk_root.pem' due to [(2)-(No such file or directory)].
2021/05/12 09:47:28 ossec-agent: ERROR: Error verifying WPK certificate.
2021/05/12 09:47:28 wazuh-modulesd:agent-upgrade: ERROR: (8139): At unsign(): Could not unsign package file 'incoming\wazuh_agent_v4.1.5_windows.wpk'
2021/05/12 09:47:28 wazuh-modulesd:agent-upgrade: ERROR: (8131): At upgrade: 'Could not verify signature

Why "2021/05/12 09:47:28 ossec-agent: ERROR: (1117): Could not retrieve information of file '/var/ossec/etc/wpk_root.pem' due to [(2)-(No such file or directory)]."?? It is a Windows platform ...

 Regarding your other question about the load balancer: there is a load balancer in the middle, but I am only using one worker and the manager is not exposed.

 On the other side, I have configured agent-upgrade module using central config with the following content:

<agent-upgrade>
  <enabled>yes</enabled>
  <notification_wait_start>60s</notification_wait_start>
  <notification_wait_factor>4</notification_wait_factor>
  <notification_wait_max>2h</notification_wait_max>
  <ca_verification>
    <enabled>yes</enabled>
    <ca_store>C:\Program Files (x86)\ossec-agent\wpk_root.pem</ca_store>
  </ca_verification>
</agent-upgrade>

 But it doesn't seem to work, because I have never had any entries in the logs …..


Best regards,
C. L. Martinez
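
The agent-side log lines in the message above can be triaged mechanically. The following is an added example, not part of the original thread or of Wazuh's own code, that ties each 8139 unsign failure to a CA file reported missing (1117) in the same second and flags a POSIX-style lookup path. The function name and the same-second grouping are assumptions; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: agent-side ossec.log lines copied from the thread.
SAMPLE_LOG = r"""
2021/05/12 09:19:10 ossec-agent: INFO: (6009): File integrity monitoring scan ended.
2021/05/12 09:47:28 ossec-agent: ERROR: (1117): Could not retrieve information of file '/var/ossec/etc/wpk_root.pem' due to [(2)-(No such file or directory)].
2021/05/12 09:47:28 ossec-agent: ERROR: Error verifying WPK certificate.
2021/05/12 09:47:28 wazuh-modulesd:agent-upgrade: ERROR: (8139): At unsign(): Could not unsign package file 'incoming\wazuh_agent_v4.1.5_windows.wpk'
2021/05/12 09:47:28 wazuh-modulesd:agent-upgrade: ERROR: (8131): At upgrade: 'Could not verify signature
""".strip()

# timestamp, component, level, optional "(code):", message
LINE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (?:\((\d+)\): )?(.*)$")


def wpk_signature_failures(log_text):
    """Tie each 8139 unsign failure to a CA file reported missing in the same second."""
    by_second = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "ERROR":
            by_second[m.group(1)].append((m.group(4), m.group(5)))

    findings = []
    for stamp, errors in sorted(by_second.items()):
        unsign = [msg for code, msg in errors if code == "8139"]
        if not unsign:
            continue
        package = re.search(r"package file '([^']+)'", unsign[0])
        # Same-second grouping is a heuristic: the log carries no upgrade id.
        missing = [re.search(r"of file '([^']+\.pem)'", msg)
                   for code, msg in errors if code == "1117"]
        ca_path = next((m.group(1) for m in missing if m), None)
        findings.append({
            "time": stamp,
            "package": package.group(1) if package else None,
            "missing_ca": ca_path,
            # A leading "/" means the agent looked up a POSIX-style path.
            "posix_style_ca_path": bool(ca_path) and ca_path.startswith("/"),
        })
    return findings


if __name__ == "__main__":
    for finding in wpk_signature_failures(SAMPLE_LOG):
        print(finding)
```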