
Agents are trying to register to a worker instead of the master, and the worker's service is not exposing port 1515 #961

Open
zakkg3 opened this issue Jan 24, 2025 · 2 comments

Comments


zakkg3 commented Jan 24, 2025

I think this issue is the root problem of #308, #547 and potentially others in the wazuh main repo.

The problem is:

The deployments expose the master service on port 1515 for registration and the workers on port 1514 for agent events:

Workers svc (let's say IP 1.1.1.1):

    - name: agents-events
      port: 1514
      targetPort: 1514

Master svc (let's say IP 2.2.2.2):

    - name: registration
      port: 1515
      targetPort: 1515

So far so good. The problem is that an agent with this configuration:

  <client>
    <server>
      <address>1.1.1.1</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
...
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>2.2.2.2</manager_address>
...
    </enrollment>
  </client>

ends up trying to connect to 1.1.1.1:1515
So it tries the agent IP with the master port:

wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[1.1.1.1]:1515'

I've also modified the worker svc to expose 1515 and configured the agent to use just the worker IP (no enrollment configuration). They can register and report, all good, but it leads to other problems...

I've also found a comment where it modifies the master to also expose 1414 and uses that IP for all agent communications, but I believe this is not the idea of master/worker.

The problem is that this leads to other issues: the source IPs are the Kubernetes nodes. I believe the worker is forwarding to the master, and after k8s SNAT the outgoing IP is the node IP, which messes things up.

I have all my agents registered and working, but my log is being spammed with:

Invalid ID 001 for the source ip: '5.5.5.5' (name 'unknown').

5.5.5.5 being a Kubernetes node IP.
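As an added example, not code from the issue or from the wazuh-kubernetes project: a small Python check that parses an agent `<client>` block and a constructed map of Service IPs to exposed ports, and lists every (address, port) the agent would dial that no Service exposes. It assumes, from the log line quoted above, that the agent also attempts enrollment against the first `<server>` address on the enrollment port; the function names, the sample config and the Service maps are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the agent <client> block quoted above (not a real deployment).
AGENT_CONF = """<ossec_config>
  <client>
    <server>
      <address>1.1.1.1</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <enrollment>
      <enabled>yes</enabled>
      <manager_address>2.2.2.2</manager_address>
    </enrollment>
  </client>
</ossec_config>"""

# Constructed map of Service IP -> ports it exposes: worker svc and master svc as described above,
# and the same map after the workaround in the report (worker svc also exposing 1515).
SERVICE_PORTS = {"1.1.1.1": {1514}, "2.2.2.2": {1515}}
SERVICE_PORTS_WORKAROUND = {"1.1.1.1": {1514, 1515}, "2.2.2.2": {1515}}

DEFAULT_SERVER_PORT = 1514      # agent events
DEFAULT_ENROLLMENT_PORT = 1515  # authd registration

def parse_client(conf_xml):
    """Return ([(address, port), ...], enrollment (address, port) or None)."""
    client = ET.fromstring(conf_xml).find("client")
    servers = [(s.findtext("address"), int(s.findtext("port") or DEFAULT_SERVER_PORT))
               for s in client.findall("server")]
    enr = client.find("enrollment")
    if enr is None or (enr.findtext("enabled") or "yes").lower() != "yes":
        return servers, None
    # manager_address falls back to the first <server> address when it is absent.
    addr = enr.findtext("manager_address") or servers[0][0]
    return servers, (addr, int(enr.findtext("port") or DEFAULT_ENROLLMENT_PORT))

def unreachable_targets(conf_xml, service_ports):
    """Every (address, port) the agent will dial that no Service exposes.
    Assumption from the log line in the report: besides manager_address, the agent
    also tries the first <server> address on the enrollment port."""
    servers, enrollment = parse_client(conf_xml)
    targets = list(servers)
    if enrollment is not None:
        targets += [enrollment, (servers[0][0], enrollment[1])]
    return [t for t in targets if t[1] not in service_ports.get(t[0], set())]

if __name__ == "__main__":
    print("as deployed:", unreachable_targets(AGENT_CONF, SERVICE_PORTS))
    print("worker also on 1515:", unreachable_targets(AGENT_CONF, SERVICE_PORTS_WORKAROUND))
```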


zakkg3 commented Jan 24, 2025

Even with this config (https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster.html#connecting-wazuh-agents-to-the-wazuh-cluster-failover-mode), i.e. multiple client blocks with the respective port configured (1414 for the worker IP svc and 1515 for the master)...

    <server>
      <address>1.1.1.1</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <server>
      <address>2.2.2.2</address>
      <port>1515</port>
      <protocol>tcp</protocol>
    </server>

The client tries to enroll to the first client defined (1.1.1.1) on port 1515, even when this client block has only port 1414 configured.

wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[1.1.1.1]:1515
INFO: Requesting a key from server: 2.2.2.2

Either the agent has a bug or we have to expose 1414 and 1515 on the same IP.

Maybe define yet another service that exposes 1414 and forwards it to the worker, and 1515 and forwards it to the master? Like the load balancing proposed here: https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster.html#configuration

I will update here if this solves the problem and submit a PR.


zakkg3 commented Jan 24, 2025

PR #966 solves this issue.
