We're trying to utilize the new auto-keying daemon introduced in 2.6 beta for the purpose of quickly registering about 100 clients in OSSEC. However, in testing it out using the instructions on the blog, we've discovered that when the clients register themselves with this method, the new entry on the server-side doesn't show an IP associated with the new entry. Instead, the IP field is shown simply as "any". Is there a way to force this process to instead use the incoming IP from the client that the server sees when registering the new node? We very frequently have to search our OSSEC results in Splunk, and if the client IP is going to be "any" for all nodes registered with this method, that makes it almost useless.
Hopefully there's some sort of option or config setting that I'm missing when launching the daemon, one which might enable the registration of the IP address on the OSSEC server? Less important, but still a bit annoying: is there a way to make the auto-keying daemon use the next actual node number instead of for some reason defaulting to 1024 for the first host registered? If we go through the manual keying process, the next host would've been 228, but the very first one registered with the auto-key daemon had a node number of 1024. I'm assuming this is a hard coded default somewhere? Any way to make it read the next value that should be used based on the value of "client.keys" instead? Thanks in advance for any replies on these questions.
