Wazuh-agent on sensors doesn't work out of the box

[stijnpieters]

As the title says, when installing a sensor node, the Wazuh agent is installed with it, but is not configured. Had to do manual configuration as explained in the docs.

Is this intended behavior or did something go wrong in my install?

[stijnpieters]

Found in /opt/so/saltstack/default/salt/wazuh/files/agent/ossec.conf that ossec server IP is set to sensor:mainip if node role == 'so-sensor', meaning it will send it's logs to itself

{%- elif grains['role'] == 'so-sensor' %}
{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
{%- endif %}

should 'sensor:mainip' be 'global:managerip'?

[weslambert]

The agent should have been automatically registered. Each Security Onion box runs it's own Wazuh manager. I'll have to test on my side.

[stijnpieters]

If I understand right, the manager is the container so-wazuh right? This isn't present on my 3 sensor nodes.
I saw some changes in the upcoming patch 2.3.3 to the script that does the registering, which might fix the registration part of my issue. However I'm still somewhat confused about the ossec.conf containing the sensor IP instead of the manager IP, because changing to manager IP actually fixed the problem.

[weslambert]

Correct. It the so-wazuh container should be present. The agent will get installed regardless. If Wazuh is not enabled, the agent will not be configured. It sounds like there is an issue with the Wazuh state for sensors. The change you made may have worked but is not the intended data flow/behavior. Sensor agents should communicate with their own Wazuh manager.

[stijnpieters]

I seem to have resolved the issue!
One of the layers of the so-wazuh docker image was broken, causing a "filesystem layer verification failed" error on pull on any host apart from the manager node.
I fixed this by removing the blob causing the error in the so-dockerregistry container and running so-docker-refresh after that.
remove the blob:
docker exec -it so-dockerregistry rm -r /var/lib/registry/docker/registry/v2/blobs/sha256/5e/5ea8e7a03ae378b53e166ac59c4705abe322c04712ed2c30a40f0122a747e2c8/
garbage collection:
docker exec -it so-dockerregistry /bin/registry garbage-collect /var/lib/registry/etc/config.yml
Re-retrieve the docker images (to replace the removed layer):
sudo so-docker-refresh
Re-apply highstate to start container and service on all nodes:
sudo salt \* state.highstate