Hi Santiago,

Upon looking at the source, I'm not actually sure this is really a feasible ask.
Looks like the client sends a hash of its ID and key to the manager and the manager then compares that to a table of ID/key hashes. So the actual client ID is never sent in the message in a way that would permit the manager to enumerate the true ID.

    int _os_genhash(OSHash *self, char *key)
    {
        unsigned int hash_key = self->initial_seed;

        /* What we have here is a simple polynomial hash.
         * x0 * a^k-1 .. xk * a^k-k +1
         */
        while(*key)
        {
            hash_key *= self->constant;
            hash_key += *key;
            key++;
        }

        return(hash_key);
    }

I might ask that the actual manager / ID failing hash be included in the error (or debug) log, that way we could "out of band" (not within OSSEC itself) attempt to identify client keys using an externalized key management process.

Thanks for replying.

Graeme

On Tuesday, February 2, 2016 at 9:40:22 AM UTC-8, Santiago Bassett wrote:
>
> Hi Graeme,
>
> this is the message you refer to right?
>
> src/error_messages/error_messages.h:#define ENC_IP_ERROR "%s(1408): ERROR: *Invalid ID* for the source ip: '%s'."
>
> Feel free to open issues in GitHub for these types of requests. Just opened
> one for this one.
>
> Best regards
>
> On Fri, Jan 29, 2016 at 9:26 AM, Graeme Stewart <[email protected]> wrote:
>
>> Would it really be difficult to actually show the error remote host ID in
>> the ossec.log? This would make identifying key mismatch so much easier.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
