WARNING: (1213): Message from 'x.x.x.x' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.

lid...@gmail.com

Jan 20, 2021, 9:03:27 PM
to Wazuh mailing list
In my ossec.log I found many logs like the one below:

WARNING: (1213): Message from '10.1.xx.xx' not allowed. Cannot find the ID of the agent. Source agent ID is unknown.


What's wrong with this agent? How do I fix it?

jeremias...@wazuh.com

Jan 20, 2021, 10:23:15 PM
to Wazuh mailing list
Hi lida.xp.
Thank you for using Wazuh!
This log message appears because the Wazuh Manager's Remoted daemon receives a package coming from an IP address that is not allowed. As this IP isn't recognized, the ID of the agent can't be obtained to decrypt the message; this is what the message refers to.
Usually, this happens when an agent is registered with a defined IP and, for some reason, it changes it (this has happened a lot during the new home office modality at some companies).
As you may know, agents can be registered with "any" IP or with a specific IP. If the IP address is specified, Wazuh Manager expects that this agent always connects with the same IP.
To know if this is the case, and which agent is having this problem: Did you notice an agent being disconnected when you expect it to be connected?
To check this, we can run the following command and check if any of these disconnected agents isn't expected to be in this state.
- /var/ossec/bin/agent_control -l | grep Disconnected

If this is the case, you probably have an agent that should be re-registered. You can use the new IP or the "any" IP if this agent will continue changing its IP address.

Please let me know if this helps and if this root cause was correct.
If this isn't the problem or if you have further doubts, please don't hesitate to write.

Best regards!
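
A triage sketch for the check described in the reply above, added here as an example (not part of the thread and not Wazuh's own code): it counts 1213 warnings per source address and lists disconnected agents that are registered with a fixed IP. The sample log lines and agent rows are constructed, and the `agent_control -l` row layout the regex expects is an assumption.

```python
import re
from collections import Counter

# Warning text as quoted in the thread; any timestamp/daemon prefix is ignored.
WARN_1213 = re.compile(r"\(1213\): Message from '([^']+)' not allowed")
# Assumed row layout of `agent_control -l`:
#   "ID: 001, Name: web01, IP: 10.1.10.14, Disconnected"
AGENT_ROW = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*([^,\s]+),\s*(.+)$")

# Constructed sample data (not taken from a real system).
TAIL = " not allowed. Cannot find the ID of the agent. Source agent ID is unknown."
SAMPLE_LOG = [
    "WARNING: (1213): Message from '10.1.20.14'" + TAIL,
    "ERROR: Unable to update 'sys_processes' table for agent '1744'",
    "WARNING: (1213): Message from '10.1.20.30'" + TAIL,
    "WARNING: (1213): Message from '10.1.20.14'" + TAIL,
]
SAMPLE_AGENTS = [
    "   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local",
    "   ID: 001, Name: web01, IP: 10.1.10.14, Disconnected",
    "   ID: 002, Name: laptop07, IP: any, Disconnected",
    "   ID: 003, Name: db01, IP: 10.1.10.20, Active",
]

def rejected_sources(log_lines):
    """Count 1213 warnings per source IP."""
    return Counter(m.group(1) for line in log_lines if (m := WARN_1213.search(line)))

def parse_agents(rows):
    """Return (id, name, registered_ip, status) for every row that parses."""
    return [tuple(s.strip() for s in m.groups())
            for row in rows if (m := AGENT_ROW.search(row))]

def reregistration_candidates(rows):
    """Disconnected agents registered with a fixed address instead of 'any'."""
    return [(aid, name, ip) for aid, name, ip, status in parse_agents(rows)
            if status.startswith("Disconnected") and ip.lower() != "any"]

def unregistered_sources(log_lines, rows):
    """Rejected source IPs that no agent is registered with, with hit counts."""
    known = {ip for _, _, ip, _ in parse_agents(rows)}
    return {ip: n for ip, n in rejected_sources(log_lines).items() if ip not in known}

if __name__ == "__main__":
    print("rejected sources:", dict(rejected_sources(SAMPLE_LOG)))
    print("re-register candidates:", reregistration_candidates(SAMPLE_AGENTS))
    print("unregistered sources:", unregistered_sources(SAMPLE_LOG, SAMPLE_AGENTS))
```

On a manager, the two inputs would be the lines of ossec.log and the output of `/var/ossec/bin/agent_control -l`; matching a rejected address to a candidate agent still needs knowledge of which host moved where.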

lid...@gmail.com

Jan 21, 2021, 9:14:59 PM
to Wazuh mailing list
Yes, we are moving the DC to another DC, so many server IPs will change. I will try to re-register these server agents.

Also, I found some error info in ossec.log:

2021/01/22 00:00:35 wazuh-db: ERROR: Unable to update 'sys_processes' table for agent '1744'
2021/01/22 00:00:35 wazuh-db: ERROR: at wdb_process_insert(): sqlite3_step(): database or disk is full
2021/01/22 00:00:35 wazuh-db: ERROR: Unable to update 'sys_processes' table for agent '1777'
2021/01/22 00:00:35 wazuh-db: ERROR: at wdb_process_insert(): sqlite3_step(): database or disk is full

But my server disk is not full. What's the problem with the wazuh db?

jeremias...@wazuh.com

Jan 22, 2021, 9:00:11 AM
to Wazuh mailing list
Hi lida.xp.
Then surely this was the reason for this error. If you need any help with the agents' registration please don't hesitate to ask.

Regarding this other problem, I noticed that you opened a new thread for this. We always suggest our users do this because it's easier for others to find similar problems and solutions.
We will be responding to you on this other thread.

Again, for any further doubt, don't hesitate to ask.
Best regards!