Registering Wazuh agents - Troubleshooting
The Wazuh agent registers successfully but disappears after another Wazuh agent is being registered
By default, the Wazuh manager attaches the Wazuh agent to the visible IP of the Wazuh agent. If the Wazuh manager or the Wazuh agents are, for example, behind a NAT, the Wazuh agent should be registered with IP address any
, which works as 0.0.0.0/0
.
To set up this behavior for a single registration:
Add the Wazuh agent's IP address as
any
to the registration command.For example, the simple registration service command could look as follows:
# /var/ossec/bin/agent-auth -m <manager_IP> -I any
If the
-I
option is set toany
and the Wazuh agents' hosts have the same hostname, the Wazuh agent name has to be specified manually. Otherwise, the newly registered agent will overwite the previous one.In that case, the simple registration service command could look as follows:
# /var/ossec/bin/agent-auth -m <manager_IP> -I any -A <agent_name>
To set up this behavior for all subsequent registrations:
In the Wazuh manager's configuration
/var/ossec/etc/ossec.conf
file, set the use_source_ip tono
:<ossec_config> ... <auth> ... <use_source_ip>no</use_source_ip> ... </auth> ... </ossec_config>
Restart the wazuh manager:
# systemctl restart wazuh-manager
# service wazuh-manager restart
After that, the simple registration service command does not need the
-I
option and the Wazuh agent's IP address will be automatically set toany
:# /var/ossec/bin/agent-auth -m <manager_IP>
Providing the Wazuh agent's IP address in the registration command overwrites
use_source_ip
option.