Wrong key or corrupt payload in worker node during agent registration process #21297

Closed
Rebits opened this issue Jan 9, 2024 · 1 comment
Labels
level/task type/bug Something isn't working

Comments

@Rebits
Member

Rebits commented Jan 9, 2024

Wazuh version Component Install type Install method Platform
4.7.1 Manager Packages Ubuntu 22

Detected in dev-14153-vulndet-refactor branch.

Description

An authentication error during agent registration was detected during #20914.
These warnings seem to be a corner case that appears after forcing the master node to stop and restarting the worker node during an agent registration.

2024/01/08 17:49:15 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '018' at 'any'.
2024/01/08 17:49:15 wazuh-remoted: WARNING: Decrypt the message fail, socket 28
2024/01/08 17:49:15 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/01/08 17:49:15 wazuh-syscheckd: INFO: FIM sync module started.
2024/01/08 17:49:17 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml'
2024/01/08 17:49:17 sca: INFO: Security Configuration Assessment scan finished. Duration: 9 seconds.
2024/01/08 17:49:20 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '018' at 'any'.
2024/01/08 17:49:20 wazuh-remoted: WARNING: Decrypt the message fail, socket 28
2024/01/08 17:49:25 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '018' at 'any'.
2024/01/08 17:49:25 wazuh-remoted: WARNING: Decrypt the message fail, socket 28

Also the following message appears for all the agents registered in the environment:

2024/01/09 11:16:03 wazuh-db: WARNING: The groups were empty right after the set for agent '002'
2024/01/09 11:16:03 wazuh-db: WARNING: The groups were empty right after the set for agent '003'
2024/01/09 11:16:03 wazuh-db: WARNING: The groups were empty right after the set for agent '004'
2024/01/09 11:16:03 wazuh-db: WARNING: The groups were empty right after the set for agent '005'
2024/01/09 11:16:03 wazuh-db: WARNING: The groups were empty right after the set for agent '006'
2024/01/09 11:16:03 wazuh-db: WARNING: The groups were empty right after the set for agent '007'

The agent was registered, although these warnings were constantly generated in the worker node.

In the master node, the following was produced:

2024/01/09 11:15:28 wazuh-authd: WARNING: Duplicate name 'ip-172-31-6-241.ec2.internal', rejecting enrollment. Agent '094' doesn't comply with the registration time to be removed.

Similarly to #20914

Steps to reproduce

  • Deploy and start a Wazuh manager cluster
  • Stop master node
  • Register and start the agent to the worker node
  • Immediately after the worker generates the Dispatching request to master node event, force restart the worker node several times
  • Start master node
  • Check that warnings are being generated in the worker and master node after the restart

In order to achieve the restart step according to the specified timing, it is recommended to use the provided Python script in the worker node.

Worker Force Restart Script
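import re
import subprocess
import time

log_file_path = '/var/ossec/logs/ossec.log'
pattern = r'Dispatching request to master node'
max_restarts = 5  # upper bound on forced restarts in one pass over the log


def check_and_restart_wazuh():
    """Force-restart the worker for each matching log line, up to max_restarts."""
    found = 0
    while True:
        try:
            with open(log_file_path, 'r') as log_file:
                for line in log_file:
                    if re.search(pattern, line):
                        # Kill the Wazuh processes abruptly, then bring them back up.
                        stop_command = "pkill -f wazuh"
                        subprocess.run(stop_command, shell=True)
                        restart_command = '/var/ossec/bin/wazuh-control restart'
                        subprocess.run(restart_command, shell=True)
                        print("Wazuh restarted successfully.")
                        found = found + 1
                        if found == max_restarts:
                            break
            # Stop polling once at least one restart has been forced.
            if found:
                break
        except FileNotFoundError:
            print(f"Error: Log file '{log_file_path}' not found.")
        # Short pause before re-reading the log so the loop does not spin the CPU.
        time.sleep(0.1)


if __name__ == "__main__":
    check_and_restart_wazuh()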

Evidences

EnvLogs.zip
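
A triage sketch for the warnings quoted in this issue, added here as an example and not part of the original report or of Wazuh's own code: it parses ossec.log lines, groups the 1404 authentication errors per agent, and collects wazuh-authd duplicate-name rejections. The sample text is constructed from the excerpts above, and `summarize` and `min_repeats` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines taken from the worker and master excerpts in the
# issue, merged into one string for the demo (they come from different nodes).
SAMPLE_LOG = """\
2024/01/08 17:49:15 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '018' at 'any'.
2024/01/08 17:49:15 wazuh-remoted: WARNING: Decrypt the message fail, socket 28
2024/01/08 17:49:15 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2024/01/08 17:49:20 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '018' at 'any'.
2024/01/08 17:49:25 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '018' at 'any'.
2024/01/09 11:15:28 wazuh-authd: WARNING: Duplicate name 'ip-172-31-6-241.ec2.internal', rejecting enrollment. Agent '094' doesn't comply with the registration time to be removed.
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([\w-]+): (\w+): (.*)$")
AUTH_RE = re.compile(r"\(1404\): Authentication error\..*agent '(\d+)'")
DUP_RE = re.compile(r"Duplicate name '([^']+)', rejecting enrollment\. Agent '(\d+)'")


def summarize(log_text, min_repeats=3):
    """Return (failures, duplicates) parsed from ossec.log text.

    failures:   {agent_id: {"count", "first", "last", "repeating"}}
    duplicates: [(timestamp, agent_name, agent_id)]
    min_repeats is a hypothetical threshold for calling a failure repeating.
    """
    stamps = defaultdict(list)
    duplicates = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the timestamp/daemon/level layout
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        daemon, msg = m.group(2), m.group(4)
        if daemon == "wazuh-remoted" and (a := AUTH_RE.search(msg)):
            stamps[a.group(1)].append(ts)
        elif daemon == "wazuh-authd" and (d := DUP_RE.search(msg)):
            duplicates.append((ts, d.group(1), d.group(2)))
    failures = {
        agent: {"count": len(t), "first": min(t), "last": max(t),
                "repeating": len(t) >= min_repeats}
        for agent, t in stamps.items()
    }
    return failures, duplicates


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```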

@TomasTurina
Member

The modules involved will be refactored, so this issue will not be addressed.
