On Fri, Feb 17, 2012 at 5:59 PM, Ross Oliver <[email protected]> wrote: > Greetings, > > > I am having difficulty using the agent self-registration process using > ossec-authd and agent-auth utilities. I am using OSSEC 2.6 on CentOS 5. > > > When an agent registers, ossec-authd adds a new entry to the client.keys > file that has "any" in the IP address field. However, when the agent then > tries to talk to the ossec server, ossec-remoted rejects the IP address. > With ossec-remoted in debug mode, I see this message: > > > 2012/02/17 14:33:27 ossec-remoted(1213): WARN: Message from 10.3.16.192 not > allowed. > > > If I change "any" in the client.keys file to the agent's actual IP address, > then agent communication is successful. Could there be anything in my OSSEC > configuration that could be causing this rejection? I haven't been able to > find anything in the docs. >
Are you using an RPM or did you compile OSSEC? I've noticed this problem in some RPMs, but never with a proper installation. > > Since all my systems have fixed IP addresses. I would prefer that > ossec-authd put the actual IP address in the client.keys entry rather than > "any." Would it be reasonable to modify ossec-authd to have an option to do > this? > I'd like an option to do this. > > Thanks, > Ross Oliver >
