Hi, it is a known issue in that version (1.1.1). It is related with the algorithm that assigns an agent ID. This issue is fixed in Wazuh 2.0.
Also, you can use the API to register agents remotely: 1.1.1 <https://documentation.wazuh.com/1.1/ossec_api.html> and 2.0 <https://documentation.wazuh.com/current/user-manual/api/index.html> API documentation. Regards. On Monday, May 22, 2017 at 6:56:10 PM UTC+2, Topper Bowers wrote: > > I deleted some of the lines starting with bang (!) but that didn't clear > up the problem. My client.keys is now smaller than 2048, but I still can't > add agents. I was able to duplicate this problem on a fresh install in > vagrant. Using the bin/manage_agents command I was able to add over 4k > clients (and clients.keys grew without problem). However, when I try to add > a new agent through authd... I get the same internal error problem. > > Results of commands: > > $ cat /var/ossec/etc/client.keys | wc -l > > 2032 > > $ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" -v | wc -l > > 209 > > $ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" | wc -l > > 1823 > > On Mon, May 22, 2017 at 6:28 PM, Jesus Linares <je...@wazuh.com > <javascript:>> wrote: > >> Hi, >> >> as you mentioned, it seems that inactive agents are counting for the >> limit (2048 agents). Run the following commands in order to know the size >> of the *client.keys *file: >> >> - Total lines: cat /var/ossec/etc/client.keys | wc -l >> - Active agents: cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" >> -v | wc -l >> - Inactive agents: cat /var/ossec/etc/client.keys | grep -P >> "^\d+\s*\!" | wc -l >> >> The solution could be clean the client.keys (lines with "!") after >> removing the agent. >> >> Regards. >> >> >> On Monday, May 22, 2017 at 11:05:38 AM UTC+2, Topper Bowers wrote: >>> >>> Hi, >>> >>> My client has a highly dynamic environment and we're using OSSEC (wazuh >>> 1.1.1 release, OSSEC v2.8). When a server spins up, it registers itself as >>> an agent to the servers authd and everything was going ok. However, my >>> client.keys file is now 2048 lines long and no new agents can register. >>> They get an "(internal error)" that we see in the /var/ossec/logs/ossec.log >>> >>> We have a process in place to remove inactive agents using the >>> `/var/ossec/bin/manage_agents -r ${ossec_id}` command. And if you use >>> /var/ossec/bin/manage_agents -l only about 100 agents show up. >>> >>> I've seen this >>> https://groups.google.com/forum/#!topic/ossec-list/lgFDOlR6zNg and it >>> looks remarkably similar to what we're seeing. However, we don't actually >>> have thousands of active agents. It seems like inactive agents are counting >>> against the limit. Since we have a really dynamic environment with servers >>> going up and down all the time, increasing the limit seems like it's just >>> pushing out the inevitable. >>> >>> In summary... dynamic environment, can't add new agents, only 100 or so >>> active agents, 2048 lines in client.keys. No other error messages besides >>> "internal error" >>> >>> Any suggestions? >>> >>> Thanks! >>> >>> Topper >>> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/k_MFr5aAjRU/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> ossec-list+...@googlegroups.com <javascript:>. >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > > *Topper Bowers* > > *Engineering* > *Vitals* | 160 Chubb Ave, Suite 301, Lyndhurst, NJ 07071, USA > > M : 646.515.6630 > > http://www.vitals.com > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
