Hi Tim, Not by default, but those are easy changes. For the source ip, just modify the call to OS_AddNewAgent to include the srcip instead of NULL ( on ./os_auth/main-server.c ) .
For the ids, it is set in there as well and you can modify to any other range you want. *I will make sure to work on these changes after 2.6 is out (or if anyone else is interested, good patch to work on :)). Thanks, On Mon, Jun 27, 2011 at 4:01 PM, Tim <[email protected]> wrote: > We're trying to utilize the new auto-keying daemon introduced in 2.6 > beta for the purpose of quickly registering about 100 clients in > OSSEC. However, in testing it out using the instructions on the blog, > we've discovered that when the clients register themselves with this > method, the new entry on the server-side doesn't show an IP associated > with the new entry. Instead, the IP field is shown simply as "any". Is > there a way to force this process to instead use the incoming IP from > the client that the server sees when registering the new node? We very > frequently have to search our OSSEC results in Splunk, and if the > client IP is going to be "any" for all nodes registered with this > method, that makes it almost useless. > > Hopefully there's some sort of option or config setting that I'm > missing when launching the daemon, one which might enable the > registration of the IP address on the OSSEC server? > > Less important, but still a bit annoying: is there a way to make the > auto-keying daemon use the next actual node number instead of for some > reason defaulting to 1024 for the first host registered? If we go > through the manual keying process, the next host would've been 228, > but the very first one registered with the auto-key daemon had a node > number of 1024. I'm assuming this is a hard coded default somewhere? > Any way to make it read the next value that should be used based on > the value of "client.keys" instead? > > Thanks in advance for any replies on these questions.
