ERROR: (1208): Unable to connect to enrollment service


depstr

Feb 26, 2024, 5:35:41 AM
to Wazuh | Mailing List
Hello, I have issues with setting up agents. I have installed the Wazuh dashboard with all the key components via the install script from the Quickstart page. It is installed on a fresh and clean Hetzner VPS that meets the minimum requirements. However, agents have problems enrolling/registering, with an error: ERROR: (1208): Unable to connect to enrollment service at '[<ipv6 of the Hetzner vps>]:1515'. This usually means some kind of networking issue, like a badly opened port. But the port is opened correctly. I have tried running a sample website that listens on ports 1515, and 1515 and it worked perfectly. This means the ports are open correctly and there is no reason for them to not connect. The VPS has IPv6 only. I have tried connecting agents from different devices and networks.

Santiago David Vendramini

Feb 26, 2024, 9:12:37 AM
to Wazuh | Mailing List
Hi! I hope you are doing well! Did you only install the Wazuh dashboard? You also need the Wazuh server and Wazuh indexer on the server side. Did you follow this documentation: https://documentation.wazuh.com/current/installation-guide/index.html#installing-the-wazuh-central-components ?

depstr

Feb 26, 2024, 9:16:47 AM
to Wazuh | Mailing List
Hello. I have installed everything via the all-in-one (https://documentation.wazuh.com/current/quickstart.html).
Via lsof -i:1515 I can see that wazuh is listening.

On Monday, February 26, 2024 at 15:12:37 UTC+1, Santiago David Vendramini wrote:

Santiago David Vendramini

Feb 27, 2024, 8:08:19 AM
to Wazuh | Mailing List
Hi!

It would be useful to share agent and manager logs with debug level 2. To do this you need to set the following values:

- manager: /var/ossec/etc/local_internal_options.conf
authd.debug=2

- agent: /var/ossec/etc/internal_options.conf
agent.debug=2

Then you restart both sides and you can see the logs in debug mode.

Also I would like to know which enrollment method you are trying to use?

depstr

Feb 27, 2024, 12:58:08 PM
to Wazuh | Mailing List
Hello, I am using the default enrollment method, which is, I believe, "Enrollment via agent configuration".

The "xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0001" is the IPv6 of the machine where Wazuh is deployed.


On Tuesday, February 27, 2024 at 14:08:19 UTC+1, Santiago David Vendramini wrote:
ossec.log

depstr

Feb 27, 2024, 1:50:57 PM
to Wazuh | Mailing List
Here is the manager log; I forgot to attach the file.

On Tuesday, February 27, 2024 at 18:58:08 UTC+1, depstr wrote:
ossec-manager.log

Santiago David Vendramini

Feb 28, 2024, 11:19:36 AM
to Wazuh | Mailing List
Hi! There doesn't seem to be any error; however, the log captures are not from the same time. Or do they have different time zones? It would be useful to see what is happening on both sides at the same time to identify any strange behavior or misconfiguration. From the agent side, did you do any connection test to see if there is any network problem that does not allow reaching the manager?

depstr

Feb 28, 2024, 12:40:14 PM
to Wazuh | Mailing List
Hello. Yep, I have noticed that the timezone is off by one hour. So the logs are indeed from the same time, but one is behind by one hour. As I have already mentioned, I have tested whether the ports are open correctly by putting a simple webserver on ports 1514 and 1515, and the connections were successful.

On Wednesday, February 28, 2024 at 17:19:36 UTC+1, Santiago David Vendramini wrote:

Santiago David Vendramini

Feb 29, 2024, 6:17:42 AM
to Wazuh | Mailing List
Can you share your <auth> and <remote> config from the manager and the <client> config from the agent? 

depstr

Mar 4, 2024, 5:17:10 AM
to Wazuh | Mailing List
Here are the configs. 

On Thursday, February 29, 2024 at 12:17:42 UTC+1, Santiago David Vendramini wrote:
wazuh-manager.conf
wazuh-agent-config.conf

Santiago David Vendramini

Mar 4, 2024, 6:32:11 AM
to Wazuh | Mailing List
Hi! You must set these configuration settings on the manager side!

- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html#ipv6

- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#ipv6

Also, if you are using a link-local IPv6 address, you must configure this setting on the agent:

- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#interface-index

I hope this solves your need! Let me know if you need anything else!

Best Regards!
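
One way to check, on the manager host, which address family the listeners on ports 1514 and 1515 are bound to, since an agent dialing an IPv6 address needs an IPv6 listener there. This is an added example, not part of the thread and not Wazuh code; it parses the Linux /proc/net/tcp and /proc/net/tcp6 tables, and the function names and sample tables are constructed for illustration.

```python
"""Added example: which address families have a LISTEN socket on a TCP port (Linux)."""
from pathlib import Path

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp and /proc/net/tcp6

def listening_ports(table_text):
    """Return the local ports in LISTEN state found in a /proc/net/tcp* table."""
    ports = set()
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        # local_address is HEXADDR:HEXPORT; the port follows the last colon
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def listener_families(port, tcp4_text, tcp6_text):
    """Return ['ipv4'], ['ipv6'], both, or [] for listeners on the given port."""
    families = []
    if port in listening_ports(tcp4_text):
        families.append("ipv4")
    if port in listening_ports(tcp6_text):
        families.append("ipv6")
    return families

# Constructed sample tables: 1514 (0x05EA) and 1515 (0x05EB) listen on IPv4 only,
# 443 (0x01BB) listens on IPv6, and port 22 has only an ESTABLISHED (01) connection.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:05EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 00000000:05EA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20003 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004 1
"""

def read_table(path):
    """Read a /proc/net table; return '' when it is absent (e.g. IPv6 disabled)."""
    p = Path(path)
    return p.read_text() if p.exists() else ""

if __name__ == "__main__":
    tcp4, tcp6 = read_table("/proc/net/tcp"), read_table("/proc/net/tcp6")
    for port in (1514, 1515):
        print(port, listener_families(port, tcp4, tcp6) or "no listener")
```

A port that reports only `ipv4` shows as listening but cannot accept a connection made to the host's IPv6 address.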
