wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Agents fluctuating between active, disconnected and pending state #22661

Open karsht-icpl opened 3 months ago

karsht-icpl commented 3 months ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.7.0 | Wazuh Agent | All-in-One | Packages | Ubuntu 22.04 |

Hello team, I'm facing an issue at one of our clients where many agents are fluctuating from active to disconnected to pending. I am not able to troubleshoot where the issue is occurring, nor am I able to find any suspicious logs in the Wazuh agentauthd logs. We are using Wazuh 4.7.0, with agents varying between 4.7.0 and 4.7.2, and we are using a PowerShell script to deploy in the environment. I am attaching the screenshot below along with the script.

image

install_wazuh.txt Wazuh-Install.txt

The inventory is of 1600+ agents.

Kindly help.

Best Regards,
KarshTrivedi

Selutario commented 3 months ago

Hello @karsht-icpl,

Thanks for the report. The problem you mention looks very similar to this one:

It has been fixed in v4.7.3, by applying some improvements to the wazuh-db service to increase its performance. Here you can find the full release notes:

Please, try upgrading and let us know if everything works as expected after that.

karsht-icpl commented 3 months ago

Hello @Selutario,

Thanks for the update. While I'm updating Wazuh, do I also need to check anything on the Wazuh side, or maybe change the deployment script? I have a total inventory of more than 1500+ agents approx., so deployment through scripting seems to be the only way possible. Can you suggest or recommend whether I need to change something in the given script? Or maybe you can suggest a better script? I would really appreciate that.

Edit: As this seems to cause the conflict in the database as I push the script on a subnet of endpoints to register on Wazuh...

Thanks in advance,
Karsh Trivedi

Selutario commented 3 months ago

In my opinion the script can be useful, although if you want to use a different method, you can opt for alternatives such as Puppet or Ansible:

By the way, you included the WAZUH_REGISTRATION_PASSWORD in the script, consider changing it if it is a public access server.

p4rseexp commented 1 month ago

@Selutario My original Wazuh version was 4.3.x. After upgrading to 4.7.4 and pushing all agents to 4.7.4 via the API, I encountered the same issue as this issue. I also tried upgrading to 4.7.5 after its release, but the problem still persists. Please help, thank you!