
Modify logs for agent authentication issues by Remoted #3662

Merged (4 commits) Aug 16, 2019
Conversation

@vikman90 vikman90 commented Jul 16, 2019

This PR aims to clarify the logs that Remoted prints when it fails to authenticate an agent.

Warning 1404

The warning log 1404 appears when Remoted matches an agent (either by ID or IP) but it fails to decrypt the payload.

Causes

This is due to one of two reasons:

  1. The encryption key is wrong: the agent's client.keys file does not match any entry of the manager's client.keys.
  2. The input —encrypted— payload is corrupt.

Since both cases produce an invalid clear —decrypted— payload, they are indistinguishable.

Old logs

ossec-remoted: WARNING: (1404): Authentication error. Wrong key from '192.168.33.11'.

New log

ossec-remoted: WARNING: (1404): Authentication error. Wrong key from agent '001' at '192.168.33.11'.

Error 2202

This log appears when Remoted fails to uncompress an incoming message.

Causes

  1. The payload is not a valid OSSEC message.
  2. The encryption key is wrong.
  3. The original (uncompressed) string is larger than the maximum string size (currently, 64 KiB). This should not occur.

Old log

ossec-remoted: ERROR: (2202): Error uncompressing string.

New log

ossec-remoted: ERROR: (2202): Error uncompressing string. Incoming message from agent '001' at '192.168.33.11'.

Error 1406

Every message between the agent and the manager contains a checksum that verifies the message integrity. Remoted will print this error if the checksum does not match its message.

Causes

  1. The agent's password is wrong.
  2. The payload is corrupted due to an unknown reason.

Old log

ossec-remoted: ERROR: (1406): Checksum mismatch on message from 'any'.

New log

ossec-remoted: ERROR: (1406): Checksum mismatch on message from agent '002' at 'any'.

Warning 1213

This warning means that the agent is authenticating by incoming IP address instead of agent ID, and Remoted did not allow that IP.

Causes

An agent that was registered with an IP (instead of any or an IP range) won't send its ID. In this case, Remoted uses the client's source IP to allow or ban the agent.

Old log

ossec-remoted: WARNING: (1213): Message from '17.66.54.173' not allowed.

New log

ossec-remoted: WARNING: (1213): Message from '17.66.54.173' not allowed. Source agent ID is unknown.

Error 1242

This message appears when Remoted fails to open a connection with a new client (in TCP mode). In particular, this log is triggered by an error in the system call accept().

Causes

The list of errors that accept() may produce is described in its manpage. Unfortunately, Remoted did not include the description of the error.

Old log

ossec-remoted: CRITICAL: (1242): Couldn't accept TCP connections.

New log

ossec-remoted: CRITICAL: (1242): Couldn't accept TCP connections: No buffer space available (105)

Modified artifacts

  • Binary ossec-remoted.
  • Binary ossec-agentd.

Tests

  • Compile manager on Linux.
  • Compile agent on Linux.
  • Source installation on Debian 10 "Buster".
  • Review logs syntax and correct language.

Compatibility with older Wazuh versions

This change will impact any user that eventually parses the log file (ossec.log).
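As an added example (not part of this PR or of the Wazuh code base): a small Python parser for the new log formats above that extracts the event code, agent ID and IP (and the errno for 1242), still accepts the old-format lines where the agent ID is absent, and counts authentication failures per source so that repeated failures from one agent or address stand out in ossec.log. The sample lines are constructed from the ones quoted in this PR, and the set of codes treated as authentication failures is this example's own assumption.

```python
import re
from collections import Counter

# Prefix shared by every Remoted line quoted in the PR: daemon, level, event code, message.
_PREFIX = re.compile(r"^ossec-remoted: (?P<level>WARNING|ERROR|CRITICAL): \((?P<code>\d+)\): (?P<rest>.*)$")
# New format for 1404 / 2202 / 1406: "... from agent '001' at '192.168.33.11'."
_AGENT_AT = re.compile(r"from agent '(?P<agent_id>\d+)' at '(?P<ip>[^']+)'")
# Old 1404 / 1406 format and 1213 (no agent ID): "... from '192.168.33.11' ..."
_FROM_IP = re.compile(r"from '(?P<ip>[^']+)'")
# New 1242 suffix: ": No buffer space available (105)" -> strerror text and errno
_ERRNO = re.compile(r": (?P<strerror>.+) \((?P<errno>\d+)\)$")

# Assumption of this example: codes the PR documents as agent authentication failures (1242 is a socket error).
AUTH_FAILURE_CODES = {"1404", "2202", "1406", "1213"}


def parse_remoted_line(line: str):
    """Return a structured record for one ossec.log line from Remoted, or None otherwise."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    rec = {"level": m["level"], "code": m["code"], "agent_id": None, "ip": None, "errno": None}
    if a := _AGENT_AT.search(rest):
        rec["agent_id"], rec["ip"] = a["agent_id"], a["ip"]
    elif i := _FROM_IP.search(rest):
        rec["ip"] = i["ip"]          # old-format line or 1213: Remoted does not know the ID
    if e := _ERRNO.search(rest):
        rec["errno"] = int(e["errno"])
    return rec


def auth_failures_by_source(lines) -> Counter:
    """Count authentication-failure events per (agent_id, ip) pair, so repeated
    failures from one agent or IP can be spotted; agent_id is None when unknown."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_remoted_line(line)
        if rec and rec["code"] in AUTH_FAILURE_CODES:
            counts[(rec["agent_id"], rec["ip"])] += 1
    return counts


# Constructed sample: the new-format lines quoted in the PR plus one old-format 1404 line.
SAMPLE_LINES = [
    "ossec-remoted: WARNING: (1404): Authentication error. Wrong key from agent '001' at '192.168.33.11'.",
    "ossec-remoted: ERROR: (2202): Error uncompressing string. Incoming message from agent '001' at '192.168.33.11'.",
    "ossec-remoted: ERROR: (1406): Checksum mismatch on message from agent '002' at 'any'.",
    "ossec-remoted: WARNING: (1213): Message from '17.66.54.173' not allowed. Source agent ID is unknown.",
    "ossec-remoted: CRITICAL: (1242): Couldn't accept TCP connections: No buffer space available (105)",
    "ossec-remoted: WARNING: (1404): Authentication error. Wrong key from '192.168.33.11'.",
]
```

Run `auth_failures_by_source(SAMPLE_LINES)` to get the per-source counts; a threshold on those counts is the natural place to hook an alert.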

@vikman90 vikman90 changed the base branch from master to 3.10 July 16, 2019 08:34
@vikman90 vikman90 changed the base branch from 3.10 to 3.11 July 16, 2019 08:40
@vikman90 vikman90 changed the base branch from 3.11 to 3.10 July 16, 2019 08:40
@vikman90 vikman90 self-assigned this Jul 16, 2019
@vikman90 vikman90 modified the milestones: 29th week, 30th week Jul 16, 2019
@vikman90 vikman90 modified the milestones: 30th week, 31st week Jul 29, 2019
@vikman90 vikman90 modified the milestones: 31st week, 32nd week Aug 5, 2019
@vikman90 vikman90 modified the milestones: 32nd week, 33rd week Aug 12, 2019
@snaow snaow merged commit 6fbba70 into 3.10 Aug 16, 2019
@snaow snaow deleted the 3.9-enckey-logs branch August 16, 2019 15:35