ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Problem to delete an agent #2024

Open EHRETic opened 2 years ago

EHRETic commented 2 years ago

Hello,

I know it's not directly OSSEC, but I can probably solve that issue here with real specialists 😊

I have trouble deleting an agent on my Alienvault OSSIM server (which uses OSSEC for some things). I've restaged an asset and I deleted it from the system but the agent remained on the server.

If I try to delete in web console, I get an error and it's probably not relevant yet but when I try the command `/var/ossec/bin/manage_agents` and give the (right) ID I get this error message: "** Invalid ID '026' given. ID is not present." (I tried both 026 & 26, but no difference)

Also, I can still spot it in the list with command `/var/ossec/bin/agent_control -l`.

Any idea what I can do next to remove it? Any cleanup advice would be appreciated. Because of course now, I can't add a new agent nor push this agent to the asset again.

Thanks in advance and best regards 😉

Galletero commented 2 years ago

Hello, could you resolve this problem? I have the same.

EHRETic commented 2 years ago

Unfortunately not, and this convinced me to move away from OSSIM, which is probably not updating OSSEC that often, and replace it with Wazuh. Wazuh uses OSSEC too, but probably a more recent version, and this has run smoothly since then.

Galletero commented 2 years ago

Hi, yesterday I found the solution, or I believe so.

You need to edit this file: `/var/ossec/etc/client.keys`. You have to remove the lines of the agents that do not exist, and you could edit the number of the agent too.

I think that this solution is good; in the future I will comment on this.

Best regards.
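The manual edit of `/var/ossec/etc/client.keys` suggested above, as an added example that is not part of the thread and not OSSEC project code. It assumes each line has the form `ID NAME IP KEY`; the function names and the sample entries are hypothetical.

```shell
#!/bin/sh
# Added example: remove one agent's entry from an OSSEC client.keys file.
# Assumption (not stated in the thread): lines are "ID NAME IP KEY".
# Usage: remove_agent_key /var/ossec/etc/client.keys 026

# remove_agent_key FILE ID
# Returns 0 if an entry was removed, 1 on bad input, 2 if the ID is absent.
remove_agent_key() {
    keys_file=$1
    agent_id=$2
    [ -f "$keys_file" ] || { echo "no such file: $keys_file" >&2; return 1; }
    case $agent_id in
        ''|*[!0-9]*) echo "agent ID must be numeric: $agent_id" >&2; return 1 ;;
    esac
    # Compare numerically so "26" and "026" name the same agent.
    match='$1 ~ /^[0-9]+$/ && $1 + 0 == id + 0'
    if ! awk -v id="$agent_id" "$match { found = 1 } END { exit !found }" "$keys_file"; then
        echo "ID $agent_id is not in $keys_file" >&2
        return 2
    fi
    # Timestamped backup; -p keeps the mode, since the file holds agent keys.
    backup="$keys_file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$keys_file" "$backup" || return 1
    # Filter from the backup back into the original file, so the original's
    # owner and permissions are untouched and no loose temp copy is created.
    awk -v id="$agent_id" "!($match)" "$backup" > "$keys_file" || return 1
    echo "removed agent $agent_id; backup at $backup"
}

# list_agent_ids FILE: print the agent IDs still present, one per line.
list_agent_ids() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' "$1"
}

# demo: run the removal on a constructed file and print the remaining IDs.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample entries (placeholder keys, documentation IPs).
    printf '%s\n' '001 web01 192.0.2.10 KEY_A' \
                  '026 oldhost 192.0.2.26 KEY_B' \
                  '027 db01 any KEY_C' > "$d/client.keys"
    remove_agent_key "$d/client.keys" 26 >/dev/null && list_agent_ids "$d/client.keys"
    rm -rf "$d"
}
```

Run it as root against the real file and restart OSSEC afterwards, as `manage_agents` instructs after any key change.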

EHRETic commented 2 years ago

Hi,

I tested it on my former OSSIM appliance that I kept "just in case"... It seemed to work but I can't guarantee that the system would be stable after that! 😉

aidanworth commented 2 years ago

I have the same issue. I'll have to see how to edit that file.