wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

How to remove agent with Wazuh Docker Single-node deployment using CLI? #1336

Closed cmonty14 closed 2 months ago

cmonty14 commented 2 months ago

Hi, I completed Wazuh Docker Single-node deployment successfully. And I connected some agents.

However, I cannot remove an agent using the CLI, simply because I cannot find the program /var/ossec/bin/manage_agents.

Can you please advise how to proceed?

THX

rauldpm commented 2 months ago

Hi @cmonty14

For your information, when you answer this issue next time, I will proceed to move it to the wazuh-docker repository, since that is where the deployment of Wazuh Docker is managed. If not, the issue will be moved to the wazuh-docker repository when closing it.

Regarding your problem, I have not been able to reproduce it. How are you trying to execute the command?

Keep in mind that the Wazuh manager is installed inside a container, so you must reference said container. In the case of a single-node Docker deployment, you can do it using docker exec:

```
╰─➤  docker exec -it single-node-wazuh.manager-1 ls -l /var/ossec/bin/manage_agents
-rwxr-x--- 1 root root 448192 Apr 25 10:01 /var/ossec/bin/manage_agents

╰─➤  docker exec -it single-node-wazuh.manager-1 /var/ossec/bin/manage_agents -h

Wazuh v4.7.4 - Wazuh Inc. (info@wazuh.com)
http://www.wazuh.com
  manage_agents -[Vhlj] [-a <ip> -n <name>] [-F sec] [-e id] [-r id] [-i id] [-f file]
    -V          Version and license message.
    -h          This help message.
    -j          Use JSON output.
    -l          List available agents.
    -L          Disable agents limit.
    -a <ip>     Add new agent.
    -n <name>   Name for new agent.
    -e <id>     Extracts key for an agent (Manager only).
    -r <id>     Remove an agent (Manager only).
    -i <key>    Import authentication key (Agent only).
    -R <sec>    Replace agents that were registered at least <sec> seconds.
    -D <sec>    Replace agents that were disconnected at least <sec> seconds.
    -f <file>   Bulk generate client keys from file (Manager only).
                <file> contains lines in IP,NAME format.
```

Another option is to access the container directly. You can do this with the following command:

```
╰─➤  docker exec -it single-node-wazuh.manager-1 bash
root@wazuh:/# /var/ossec/bin/manage_agents -h

Wazuh v4.7.4 - Wazuh Inc. (info@wazuh.com)
http://www.wazuh.com
  manage_agents -[Vhlj] [-a <ip> -n <name>] [-F sec] [-e id] [-r id] [-i id] [-f file]
    -V          Version and license message.
    -h          This help message.
    -j          Use JSON output.
    -l          List available agents.
    -L          Disable agents limit.
    -a <ip>     Add new agent.
    -n <name>   Name for new agent.
    -e <id>     Extracts key for an agent (Manager only).
    -r <id>     Remove an agent (Manager only).
    -i <key>    Import authentication key (Agent only).
    -R <sec>    Replace agents that were registered at least <sec> seconds.
    -D <sec>    Replace agents that were disconnected at least <sec> seconds.
    -f <file>   Bulk generate client keys from file (Manager only).
                <file> contains lines in IP,NAME format.
root@wazuh:/#
```

If you are executing the CLI commands as is, you are possibly executing them on your host and not on the node where the Wazuh manager is installed.

It would also be necessary for you to share the version of Wazuh used to perform the deployment. In my example, I have used the wazuh-docker tag v4.7.4 since it is the latest version released.
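The removal flow described in the comment above, as an added example that is not part of the original thread or the Wazuh project's code: it resolves an agent name to its ID from `manage_agents -l` output and only then calls `manage_agents -r` inside the manager container. The function names are hypothetical, the listing format (`ID: 001, Name: ..., IP: ...`) is an assumption, and the sample listing is constructed.

```shell
#!/usr/bin/env bash
# Added example. Container name and binary path are taken from the thread.
CONTAINER="${CONTAINER:-single-node-wazuh.manager-1}"
MANAGE_AGENTS=/var/ossec/bin/manage_agents

# Constructed sample of `manage_agents -l` output (assumed line format).
SAMPLE_LISTING='
Available agents:
   ID: 001, Name: web01, IP: any
   ID: 002, Name: db01, IP: 10.0.0.12
   ID: 003, Name: web01-old, IP: any'

# Read a listing on stdin and print the ID of the agent named exactly $1.
# Exit status: 0 = one match, 1 = no such agent, 2 = name is not unique.
agent_id_by_name() {
  awk -v want="$1" '
    /^[[:space:]]*ID:/ {
      line = $0
      sub(/^[[:space:]]*ID:[[:space:]]*/, "", line)
      id = line; sub(/,.*/, "", id)
      name = line
      sub(/^[^,]*,[[:space:]]*Name:[[:space:]]*/, "", name)
      sub(/,.*/, "", name)
      if (name == want) { found++; hit = id }
    }
    END {
      if (found == 1) { print hit; exit 0 }
      exit (found ? 2 : 1)
    }'
}

# Remove the agent named $1. No -it here: nothing needs a TTY, so the
# function also works from cron or CI on the Docker host.
remove_agent_by_name() {
  local listing id
  listing=$(docker exec "$CONTAINER" "$MANAGE_AGENTS" -l) || return 3
  id=$(printf '%s\n' "$listing" | agent_id_by_name "$1") || return $?
  # Refuse anything that is not purely numeric before handing it to -r.
  case "$id" in
    ''|*[!0-9]*) echo "unexpected agent ID: $id" >&2; return 4 ;;
  esac
  docker exec "$CONTAINER" "$MANAGE_AGENTS" -r "$id"
}
```

Source the file on the Docker host and call `remove_agent_by_name web01`; a non-zero status means nothing was removed.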

cmonty14 commented 2 months ago

I cannot reproduce the issue either. I remember that I entered the container with `docker exec -it single-node-wazuh.manager-1 bash`; however, I cannot remember why I didn't find the binary. Anyway, with your help I'm able to remove an agent using the CLI.