Wazuh Authentication Error. Wrong key from 'any'


Luke Lee

Feb 17, 2020, 2:49:52 AM
to Wazuh mailing list
Hi, I received these errors on the wazuh ossec log. 

May I know how to resolve this issue? Devices that have the "any" setting do not have a fixed IP address.

Can we resolve it from the server side, or do we need to configure something on the client side as well?

Luke Lee

Feb 17, 2020, 2:52:46 AM
to Wazuh mailing list
Furthermore, I notice the log files' ownership differs.

-rw-r----- 1 postfix lpadmin     25457 Feb 17 15:45 api.log
-rw-rw---- 1 ossecr  ossec   429561010 Feb 17 15:51 ossec.log

Are the above correct?

Jesus Linares

Feb 25, 2020, 5:06:24 AM
to Wazuh mailing list
Hi Luke, 

It seems that your agent has a wrong key. Please review whether the key of your agent matches the key in your manager. In order to do that:
  • Check the agent key: cat /var/ossec/etc/client.keys
  • Search for that key in the manager: cat /var/ossec/etc/client.keys | grep <agent_id>
What Wazuh version are you running? Do you have a cluster of Wazuh managers?

On the other hand, the owners of api.log are wrong. I don't understand how your installation ends up with those owners. It should be:
-rw-r----- 1 ossec  ossec

I hope it helps.

Regards.

Luke Lee

Feb 27, 2020, 1:39:14 AM
to Wazuh mailing list
Hi, 

May I know if there is a way we can check which agent is having the issue? Those are individual laptops which the users are holding on to. Thanks!

Jesus Linares

Mar 19, 2020, 5:21:36 AM
to Wazuh mailing list
Hi Luke,

Sorry for the late reply. Did you solve your issue?

In order to find the wrong agent, you can review the ossec.log in the manager. A few versions ago, we added more information to the following warning log to include the source IP:

2020/03/19 06:57:37 ossec-remoted: WARNING: (1408): Invalid ID <agent_id> for the source ip: 'X.X.X.X' (name 'unknown').

Regards.

Luke Lee

Mar 26, 2020, 4:05:50 AM
to Wazuh mailing list
Hi, now I think the error has gone. Not sure if it will appear again.

Jesus Linares

Apr 7, 2020, 10:05:01 AM
to Wazuh mailing list
OK. Let us know if you need more help with this issue.

Luke Lee

May 15, 2020, 3:14:54 AM
to Wazuh mailing list
Hi, what if there is no specific IP? It was assigned to laptops which are 'any'.

Any solution to it? 

Jesus Linares

May 18, 2020, 2:33:51 AM
to Wazuh mailing list
Hi,

Well, I'm not sure if the registration IP or the real source IP is logged in that log. Also, if it says the agent id, you can check the name for that ID using the UI, API, or the client.keys. This can be useful if you use the hostname as the agent name.

Regards.

Luke Lee

May 18, 2020, 3:10:06 AM
to Wazuh mailing list
Hi Jesus Linares, 

Thanks for your reply. May I know if you are referring to 'ossec.log'? You mentioned that I can check the name of the ID, but where can I look for these details? Below is a portion of the logs:

2020/05/18 14:57:34 ossec-remoted[44223] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key from 'any'.
2020/05/18 14:57:35 ossec-remoted[44223] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key from 'any'.
2020/05/18 14:57:35 ossec-remoted[44223] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key from 'any'.
2020/05/18 14:57:36 ossec-remoted[44223] secure.c:339 at HandleSecureMessage(): WARNING: (1213): Message from '10.4.8.139' not allowed.
2020/05/18 14:57:38 ossec-remoted[44223] secure.c:324 at HandleSecureMessage(): WARNING: (1408): Invalid ID 144 for the source ip: '10.20.5.93' (name 'unknown').

Please advise how I can troubleshoot this issue. Meanwhile, has anyone else faced this issue? I notice that once every 2-3 months I will encounter this issue.

Jesus Linares

May 20, 2020, 10:43:30 AM
to Wazuh mailing list
Hi Luke Lee,

Sorry for the late reply.

The remoted logs (in ossec.log) can be tricky. Let me clarify them:

Log 1

WARNING: (1404): Authentication error. Wrong key from 'any'.

The encryption key is wrong:
  • The agent's client.keys file does not match any entry of the manager's client.keys.
  • The input (encrypted) payload is corrupt.
Most likely, you are facing option one.

Since Wazuh 3.10, the log is improved and it shows the agent id:
WARNING: (1404): Authentication error. Wrong key from agent '001' at 'any'.

In that way, you could search the ID (001) in the client.keys of your manager.


Log 2

WARNING: (1213): Message from '10.4.8.139' not allowed.

This warning means that the agent is authenticating by incoming IP address instead of agent IP, and Remoted did not allow that IP.

An agent that was registered with an IP (instead of any or an IP range) won't send its ID. In this case, Remoted uses the client's source IP to allow or ban the agent.

Just go to that server (10.4.8.139) and review the client.keys.

Log 3

WARNING: (1408): Invalid ID 144 for the source ip: '10.20.5.93' (name 'unknown').

The agent with ID 144 is trying to authenticate with the manager but the manager doesn't find that ID.

You can review the client.keys searching for 144 (maybe it is removed: !144) and also review the server (10.20.5.93).


In the end, you can do 2 things:
  • Review the client.keys of the manager searching by the ID/IP that you have in the log.
  • Go to the IP that is in the log, and use the information from the agent's client.keys (if it exists), for example by searching for that ID in the manager's client.keys.
I recommend updating to the latest version of Wazuh to have better logs (among other new features and fixes). Check out the logs: https://github.com/wazuh/wazuh/pull/3662.

I hope it helps.

Luke Lee

May 21, 2020, 3:01:54 AM
to Wazuh mailing list
Hi, 

Thanks for your reply. In today's log, I have gotten this in the log file, but when I check the list of agents, I notice there is no ID 146. What should I do?

2020/05/21 14:57:55 ossec-remoted[20389] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key from 'any'.
2020/05/21 14:57:55 ossec-remoted[20389] secure.c:339 at HandleSecureMessage(): WARNING: (1213): Message from '10.4.8.139' not allowed.
2020/05/21 14:57:55 ossec-remoted[20389] secure.c:324 at HandleSecureMessage(): WARNING: (1408): Invalid ID 146 for the source ip: '10.4.8.218' (name 'unknown').
2020/05/21 14:57:56 ossec-remoted[20389] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key from 'any'.

Jesus Linares

May 21, 2020, 4:13:24 AM
to Wazuh mailing list
Hi,

First, check the id using the client.keys of the manager (it shows the removed agents):
cat /var/ossec/etc/client.keys | grep -P "^146 "

The syntax of the file is:
<id> <name> <registration_ip/cidr or any> <key>

If the name starts with "!", it means that the agent was removed.

Please let us know if you find the agent 146. If you registered another agent with the name of "agent 146", this one is removed and the new agent gets a new key (and id). For that reason, the "agent 146" has a nonexistent key. This depends on your authd settings. Just re-register that agent.

Regards.

Luke Lee

Jun 29, 2020, 12:17:18 AM
to Wazuh mailing list
Hi, but recently I upgraded, and then it's showing lots of agents having this issue.

Error:  msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '083' at '10.0.106.88'

Any idea why?

Jesus Linares

Jul 2, 2020, 10:19:44 AM
to Wazuh mailing list
Hi,

1. Go to the server 10.0.106.88. Check the key: cat /var/ossec/etc/ossec.conf
2. Go to the manager, check the key for the agent ID 083: cat /var/ossec/etc/ossec.conf | grep 083

Are they the same? The 1404 error means that the agent's client.keys file does not match any entry of the manager's client.keys.

In case you are registering the agents with an IP address instead of "any", make sure the IP didn't change.

I hope it helps.

Luke Lee

Jul 6, 2020, 7:35:08 AM
to Wazuh mailing list
Hi,

For Wazuh 3.12, do we need to specify the keys and agents in ossec.conf?

When I run the command above, it shows nothing.

Jesus Linares

Jul 23, 2020, 12:38:43 PM
to Wazuh mailing list
Hi Luke,

Sorry for the late reply. 

First, I made a typo in the commands; it is client.keys instead of ossec.conf:
1. Go to the server 10.0.106.88. Check the key: cat /var/ossec/etc/client.keys
2. Go to the manager, check the key for the agent ID 083: cat /var/ossec/etc/client.keys | grep 083

Let me clarify what the root cause of that error is:

Error:  msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '083' at '10.0.106.88'

There are 2 options: Wrong key or corrupt payload. I'm going to focus on the first one: Wrong key.

The error message says that agent '083' at '10.0.106.88' sent a wrong key. This is what happened:
  1. An agent was installed in server '10.0.106.88' and the Wazuh manager provided a key with the ID: 083.
  2. I assume that the agent was working properly for a while.
  3. Then, for some reason, the key 083 is not valid.
  4. So, the server '10.0.106.88' is sending the key (083) and the manager is refusing the key because it is not valid.
What is the reason?
Probably the key doesn't exist in the client.keys of the manager (check it with cat /var/ossec/etc/client.keys | grep 083). This is because it was removed manually or automatically.

When a new agent is registered, if there is another agent with the same name, it is removed. Example:

1. Server "A" is registered: 
Server "A" - IP: 10.0.106.88 -> Registered with key 086.

2. The client.keys are:
manager
...
086 ...

server 10.0.106.88
086 ...

3. A new server with the same name ("A") is registered
Server "A" - IP: 10.0.200.100 -> Registered with key 090.

4. The client.keys are:
manager
...
090 ...

server 10.0.106.88
086 ...
server 10.0.200.100
090 ...

5. When the server 10.0.106.88 sends the key 086, the manager will refuse it because it doesn't exist.

This behavior is configured in the authd section of the ossec.conf. Could you share it (remove the sensitive information)?

Thanks.
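As an added example (not code from this thread or from Wazuh itself), the script below applies the client.keys lookups described in the replies above to the three remoted warnings (1404, 1213, 1408) and to the re-registration case where an id ends up removed. The client.keys entries and ossec.log lines are constructed samples modelled on the formats quoted in the thread; the key values are dummy hex.

```python
import re

# Constructed manager-side /var/ossec/etc/client.keys ("<id> <name> <ip/cidr or any> <key>"); keys are
# dummy hex, not real Wazuh keys, and a leading "!" marks a removed agent, as the thread describes.
CLIENT_KEYS = """\
001 laptop-a any 0123456789abcdef0123456789abcdef
083 server-a 10.0.106.88 00000000000000000000000000000000
!146 laptop-old any fedcba9876543210fedcba9876543210
"""
# Constructed ossec.log lines modelled on the formats quoted in the thread (not the poster's own log).
OSSEC_LOG = """\
2020/05/21 14:57:55 ossec-remoted[20389] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key from 'any'.
2020/05/21 14:57:55 ossec-remoted[20389] secure.c:339 at HandleSecureMessage(): WARNING: (1213): Message from '10.4.8.139' not allowed.
2020/05/21 14:57:55 ossec-remoted[20389] secure.c:324 at HandleSecureMessage(): WARNING: (1408): Invalid ID 146 for the source ip: '10.4.8.218' (name 'unknown').
2020/06/29 08:00:00 ossec-remoted[20389] msgs.c:311 at ReadSecMSG(): WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '083' at '10.0.106.88'
"""
WARN_RE = re.compile(r"WARNING: \((\d{4})\): (.*)$")
ID_RE = re.compile(r"(?:agent '|Invalid ID )(\d+)")
IP_RE = re.compile(r"(?:from|at|source ip:) '([\d.]+)'")

def parse_client_keys(text):
    # Returns {id: (name, registration_ip, removed)}; "!" on the id or the name flags a removed entry.
    keys = {}
    for parts in filter(lambda p: len(p) >= 4, (l.split() for l in text.splitlines())):
        removed = parts[0].startswith("!") or parts[1].startswith("!")
        keys[parts[0].lstrip("!")] = (parts[1].lstrip("!"), parts[2], removed)
    return keys

def triage(log_text, keys_text):
    # For each remoted warning, report (code, agent_id, source_ip, what to check) per the thread's advice.
    keys = parse_client_keys(keys_text)
    active_ips = {ip for _, ip, removed in keys.values() if not removed}
    out = []
    for m in filter(None, map(WARN_RE.search, log_text.splitlines())):
        code, msg = m.groups()
        aid, ip = [x.group(1) if x else None for x in (ID_RE.search(msg), IP_RE.search(msg))]
        if code == "1213":  # agent registered by IP sends no id; remoted judged the source address
            verdict = "source ip registered; check that host's client.keys" if ip in active_ips else "no active entry for this source ip"
        elif aid is None:  # pre-3.10 format: no id to look up, only the registration address 'any'
            verdict = "no agent id in log; check agents registered as 'any' or upgrade the manager"
        elif aid not in keys:
            verdict = "id absent from client.keys; re-register the agent"
        elif keys[aid][2]:
            verdict = "id marked removed (!); re-register the agent"
        else:
            verdict = f"id present as '{keys[aid][0]}'; compare the agent's key with the manager's"
        out.append((code, aid, ip, verdict))
    return out
```

Point it at a real manager by reading /var/ossec/etc/client.keys and /var/ossec/logs/ossec.log into the two arguments; the 1404 line with an agent id (Wazuh 3.10 and later) is the one that lets you go straight to the affected host.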