Registering Wazuh agents - Troubleshooting

The Wazuh agent registers successfully but disappears after another Wazuh agent is being registered

By default, the Wazuh manager attaches the Wazuh agent to the visible IP of the Wazuh agent. If the Wazuh manager or the Wazuh agents are, for example, behind a NAT, the Wazuh agent should be registered with IP address any, which works as 0.0.0.0/0.

  1. To set up this behavior for a single registration:

    Add the Wazuh agent’s IP address as any to the registration command.

    For example, the simple registration service command could look as follows:

    # /var/ossec/bin/agent-auth -m <manager_IP> -I any
    

    If the -I option is set to any and the Wazuh agents’ hosts have the same hostname, the Wazuh agent name has to be specified manually. Otherwise, the newly registered agent will overwite the previous one.

    In that case, the simple registration service command could look as follows:

    # /var/ossec/bin/agent-auth -m <manager_IP> -I any -A <agent_name>
    
  2. To set up this behavior for all subsequent registrations:

    In the Wazuh manager’s configuration /var/ossec/etc/ossec.conf file, set the use_source_ip to no:

    <ossec_config>
      ...
      <auth>
        ...
        <use_source_ip>no</use_source_ip>
        ...
      </auth>
      ...
    </ossec_config>
    

    Restart the wazuh manager:

    # systemctl restart wazuh-manager
    
    # service wazuh-manager restart
    

    After that, the simple registration service command does not need the -I option and the Wazuh agent’s IP address will be automatically set to any:

    # /var/ossec/bin/agent-auth -m <manager_IP>
    

    Providing the Wazuh agent’s IP address in the registration command overwrites use_source_ip option.