Confusion surrounding how to register agents #502

Closed
dragospe opened this issue Nov 19, 2020 · 4 comments

Comments

@dragospe
Contributor

I am having some difficulty understanding how to register agents using the ansible-wazuh-agent role. I managed to work around the problem (and subsequently forgot what I did to do so), but I'd like to understand what the original intention was, and hopefully add these to the documentation.

There's a good chance I'm just misunderstanding something fundamental, but I would appreciate it if someone could help troubleshoot and subsequently review my edits to the docs.


I modified the example playbook to my environment:

- hosts: agents
  roles:
    - ../roles/wazuh/ansible-wazuh-agent
  vars:
    wazuh_managers:
      - address: 192.168.122.6
        port: 1514
        protocol: tcp
        api_port: 55000
        api_proto: 'http'
        api_user: ansible
    wazuh_agent_authd:
      registration_address: 192.168.122.6
      enable: true
      port: 1515
      ssl_agent_ca: null
      ssl_auto_negotiate: 'no'

but running this gives me

TASK [../roles/wazuh/ansible-wazuh-agent : Linux | Register agent (via authd)] ***
fatal: [gitea.test]: FAILED! => {"msg": "The conditional check 'not check_keys.stat.exists or check_keys.stat.size == 0' failed. The error was: error while evaluating conditional (not check_keys.stat.exists or check_keys.stat.size == 0): 'dict object' has no attribute 'stat'\n\nThe error appears to be in '/home/pdragos/ansible/arctan_ansible/wazuh-ansible/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml': line 83, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Linux | Register agent (via authd)\n      ^ here\n"}

Putting in a debug statement before that task shows:

TASK [../roles/wazuh/ansible-wazuh-agent : debug] ******************************
ok: [gitea.test] => {
    "check_keys": {
        "changed": false,
        "skip_reason": "Conditional result was False",
        "skipped": true
    }
}
ok: [nc.test] => {
    "check_keys": {
        "changed": false,
        "skip_reason": "Conditional result was False",
        "skipped": true
    }
}

Which makes sense, because the following task only checks when wazuh_agent_config.enrollment.enabled == 'yes':

- name: Linux | Check if client.keys exists
  stat: path=/var/ossec/etc/client.keys
  register: check_keys
  when: wazuh_agent_config.enrollment.enabled == 'yes'
  tags:
    - config

This variable doesn't seem to be listed in the variables reference, but I tried setting it to yes in the playbook anyways. The playbook runs through without error, but no agents are registered.

Taking a look at roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml, we see that the block "Linux | Agent registration via authd" only runs when:

when:
    - wazuh_agent_authd.enable
    - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'

and the block "Linux | Agent registration via rest-API" only runs when

  when:
    - not wazuh_agent_authd.enable
    - not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'

Which leads me to wonder what the variable wazuh_agent_config.enrollment.enabled actually means. Is it:

1.) A variable indicating that the agent is already enabled, which is why it skips registration?
2.) A variable indicating that the agents should be enabled?

Either way, I'm confused about what set of options was intended by the developer.

@Zenidd Zenidd self-assigned this Nov 20, 2020
@Zenidd
Contributor

Zenidd commented Nov 20, 2020

Hi @dragospe,

first of all, thank you for taking the time to write such a nicely described issue.

but I'd like to understand what the original intention was, and hopefully add these to the documentation.

Sure, let me explain the differences between the current and the previous playbook structure and variables:

wazuh-agent role and agents registration in Wazuh 3.x

  • In Wazuh 3.x, agents should be manually registered after install (they didn't have any auto-register feature). It was done through the agent-auth binary or the API method.
  • wazuh-agent role used the agent-auth option by default. The hereunder v3.13.2 wazuh-agent example playbook contains the authd section:
vars:
  wazuh_managers:
    - address: <your manager IP>
      port: 1514
      protocol: udp
      api_port: 55000
      api_proto: 'http'
      api_user: ansible
      max_retries: 5
      retry_interval: 5
  wazuh_agent_authd:
    registration_address: <registration IP>
    enable: true
    port: 1515
    ssl_agent_ca: null
    ssl_auto_negotiate: 'no'

wazuh_managers.address: the IP here will be the one in the agent's ossec.conf, and the one the agent will report to.
wazuh_agent_authd.registration_address: the agent will try to register against this address.

wazuh-agent role and agents registration in Wazuh 4.x

  • Since Wazuh 4.0, by default, the agent registers automatically with the manager through enrollment.
  • wazuh-agent role now uses enrollment by default. We added related variables.
  • The current wazuh-agent v4.0.1 example playbook has no authd related section:
- hosts: <your wazuh agents hosts>
  roles:
    - ../roles/wazuh/ansible-wazuh-agent
  vars:
    wazuh_managers:
      - address: <your manager IP>
        port: 1514
        protocol: tcp
        api_port: 55000
        api_proto: 'http'
        api_user: ansible
        max_retries: 5
        retry_interval: 5

OK, but the current wazuh-agent playbook is not working

Setting enrollment to yes in the default values or in the wazuh-agent playbook leads to a smooth deployment with no errors. We are opening a PR setting the default to this proper value.

another issue on agents registrations

After checking that enrollment works I disabled it and tried the agent-auth method. It threw an error related to the registration verification. After some tests, I realized that the output for agent-auth has changed and the string we checked for Valid key created has turned into Valid key received. The PR related to this issue will also include that fix.

OLD agent-auth logs:

[root@agent-client-1 vagrant]# /var/ossec/bin/agent-auth  -m 172.16.0.101 -p 1515       
2020/11/20 12:12:22 agent-auth: INFO: Started (pid: 15513).
2020/11/20 12:12:22 agent-auth: INFO: Starting enrollment process to server: 172.16.0.101
2020/11/20 12:12:22 agent-auth: INFO: Connected to 172.16.0.101:1515
2020/11/20 12:12:22 agent-auth: INFO: Registering agent to unverified manager.
2020/11/20 12:12:22 agent-auth: INFO: No authentication password provided.
2020/11/20 12:12:22 agent-auth: INFO: Using agent name as: agent-client-1
2020/11/20 12:12:22 agent-auth: INFO: Request sent to manager
2020/11/20 12:12:22 agent-auth: INFO: Waiting for manager reply
2020/11/20 12:12:22 agent-auth: INFO: Received response with agent key
2020/11/20 12:12:22 agent-auth: INFO: Valid key created. Finished.
2020/11/20 12:12:22 agent-auth: INFO: Connection closed.

Current agent-auth logs:

[root@agent-client-1 vagrant]# /var/ossec/bin/agent-auth  -m 172.16.0.101 -p 1515       
2020/11/20 12:12:55 agent-auth: INFO: Started (pid: 16407).
2020/11/20 12:12:55 agent-auth: INFO: Requesting a key from server: 172.16.0.101
2020/11/20 12:12:55 agent-auth: INFO: No authentication password provided
2020/11/20 12:12:55 agent-auth: INFO: Using agent name as: agent-client-1
2020/11/20 12:12:55 agent-auth: INFO: Waiting for server reply
2020/11/20 12:12:55 agent-auth: INFO: Valid key received

Seems like we should review the examples on https://documentation.wazuh.com/4.0/deploying-with-ansible/roles/wazuh-agent.html. Also your edit on wazuh/wazuh-documentation#3138 seems ok to me, thanks !

I hope it helps. Greetings,

JP

@dragospe
Contributor Author

Thanks for your help JP!

Unfortunately, this doesn't seem to help.

As far as I can tell, there are two blocks in roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml that are related to registration.

First block (registering via authd)

The first, starting here registers via authd, but the conditional clause here only executes when

- wazuh_agent_authd.enable
- not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'

so the suggested change of setting wazuh_agent_config.enrollment.enabled = 'yes' will not trigger this (as was expected).

Second block (registering via rest API)

The second block pertaining to registration starts here.

The conditions (starting here) are again

- not wazuh_agent_authd.enable
- not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'

so setting wazuh_agent_config.enrollment.enabled = 'yes' will not trigger this (unexpected??).


So on my system, while making the change to wazuh_agent_config.enrollment.enabled = 'yes' does indeed let the playbook run to its conclusion without error, no agents are actually registered. In addition, fiddling with the conditional on line 190 to make it execute leads to other errors -- first that agent_name is an undefined variable, then that newagent_api has no attribute json, (...).

Are you seeing differently on your end?

Many thanks, again!

@Zenidd
Contributor

Zenidd commented Nov 23, 2020

Hello again @dragospe,

Unfortunately, this doesn't seem to help.
As far as I can tell, there are two blocks in roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml that are related to registration.

Let's sort it out!

When enabling enrollment, both the first block (registering via authd) and the second block (registering via rest API) should be omitted. The registration is done automatically through the agent's internal enrollment feature.

That's why both blocks include the statement checking for the enrollment options to be disabled

- not wazuh_agent_config.enrollment.enabled | length > 0 or wazuh_agent_config.enrollment.enabled == 'no'

So on my system, while making the change to wazuh_agent_config.enrollment.enabled = 'yes' does indeed let the playbook run to its conclusion without error, no agents are actually registered. In addition, fiddling with the conditional on line 190 to make it execute leads to other errors -- first that agent_name is an undefined variable, then that newagent_api has no attribute json, (...).

I think if the playbook ended without errors, the agents should have been registered by the enrollment feature.

I just tried deploying some agents into my lab environment using v4.0.1 wazuh-ansible tag. After setting wazuh_agent_config.enrollment.enabled = 'yes' the agents were deployed and registered with no issues and they were active on /var/ossec/bin/agent_control -l.

Could you try deploying the agent again using enrollment and, in case the agents keep failing to register, check the agent /var/ossec/logs/ossec.log?

cat /var/ossec/logs/ossec.log | grep "Requesting a key from server"
cat /var/ossec/logs/ossec.log | grep "INFO: Trying to connect to server"
cat /var/ossec/logs/ossec.log | grep server
cat /var/ossec/logs/ossec.log | grep ERROR

The PR here enables enrollment by default. It also fixes other issues on registration tasks.

Let me know if it helps. Greetings,

JP
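The interaction between the two `when:` clauses quoted in the opening post and in the reply above (the `check_keys` stat task runs only when enrollment is 'yes', while both registration blocks run only when it is not) can be modelled offline; the following is an added example, not code from the wazuh-ansible project. It assumes `wazuh_agent_config.enrollment.enabled` is a string that is either empty, 'yes' or 'no' (the role's actual default is not shown in this thread) and reproduces Jinja2 precedence, where `not x | length > 0` parses as `not ((x | length) > 0)`, i.e. "x is empty".

```python
"""Model of the agent-registration decision in the wazuh-agent role's tasks/Linux.yml.

Added example (hypothetical helper, not the project's code): it re-implements the
`when:` conditions quoted in this GitHub issue in plain Python so the effect of
`wazuh_agent_authd.enable` and `wazuh_agent_config.enrollment.enabled` can be
checked without running Ansible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentVars:
    authd_enable: bool          # wazuh_agent_authd.enable
    enrollment_enabled: str     # wazuh_agent_config.enrollment.enabled: '', 'yes' or 'no' (assumed domain)


def enrollment_not_active(v: AgentVars) -> bool:
    """The clause shared by both registration blocks:
    not enrollment.enabled | length > 0 or enrollment.enabled == 'no'
    With Jinja2 precedence that is: (not (len > 0)) or (value == 'no')."""
    return (not (len(v.enrollment_enabled) > 0)) or v.enrollment_enabled == "no"


def check_keys_task_runs(v: AgentVars) -> bool:
    """'Linux | Check if client.keys exists' is registered only when enrollment == 'yes'."""
    return v.enrollment_enabled == "yes"


def registration_path(v: AgentVars) -> str:
    """Which mechanism ends up registering the agent for a given variable set."""
    if not enrollment_not_active(v):
        return "enrollment"       # agent enrolls itself; both Ansible blocks are skipped
    if v.authd_enable:
        return "authd"
    return "rest-api"


def authd_block_hits_skipped_register(v: AgentVars) -> bool:
    """True when the authd block runs but `check_keys` was skipped, which is the
    "'dict object' has no attribute 'stat'" failure reported in this issue."""
    return registration_path(v) == "authd" and not check_keys_task_runs(v)


if __name__ == "__main__":
    # Constructed sample variable sets: reporter's setup, the suggested fix, and the API path.
    for sample in (AgentVars(True, ""), AgentVars(True, "yes"), AgentVars(False, "no")):
        print(sample, registration_path(sample), authd_block_hits_skipped_register(sample))
```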

@dragospe
Contributor Author

Hi JP!

Thanks again for your response. I hadn't realized that there was a third way to register an agent, leading to some of my confusion! I'm new to Wazuh, so this is probably an oversight on my part.

Checking the logs on the agent revealed a misconfigured manager IP address in my playbooks -- I hadn't thought to check agent logs, since I wasn't seeing any registration-related tasks being executed! Fixing this IP makes everything go smoothly, as long as I specify each wazuh_agent_enrollment.agent_name in the inventory.

I'm looking through the docs, and it appears to be sparse on what this automatic enrollment process actually entails -- both from the ansible deployment side and from the technical side. Since the feature is relatively new, I'm assuming this is in the works -- I'd love to contribute to the write up if I have the time!
