Modify logs for agent authentication issues by Remoted #3662
This PR aims to clarify the logs that Remoted prints when it fails to authenticate an agent.
Warning 1404
The warning log 1404 appears when Remoted matches an agent (either by ID or IP) but it fails to decrypt the payload.
Causes
This is due to one of two reasons:
Since both cases produce an invalid clear —decrypted— payload, they are indistinguishable.
Old logs
New log
Error 2202
This log appears when Remoted fails to uncompress an incoming message.
Causes
Old log
New log
Error 1406
Every message between the agent and the manager contains a checksum that verifies the message integrity. Remoted will print this error if the checksum does not match its message.
Causes
Old log
New log
Warning 1213
This warning means that the agent is authenticating by incoming address IP instead of agent IP, and Remoted did not allow that IP.
Causes
An agent that was registered with an IP (instead of `any` or an IP range) won't send its ID. In this case, Remoted uses the client's source IP to allow or ban the agent.
Old log
New log
Error 1242
This message appears when Remoted fails to open a connection with a new client (in TCP mode). In particular, this log is triggered by an error in the system call `accept()`.
Causes
The list of errors that `accept()` may produce is described in its manpage. Unfortunately, Remoted did not include the description of the error.
Old log
New log
Modified artifacts
Tests
Compatibility with older Wazuh versions
This change will impact any user that eventually parses the log file (ossec.log).
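For anyone affected by that compatibility note, the following added example (not part of this PR or of Wazuh's code) triages ossec.log by the numeric codes listed above instead of by message wording, and flags bursts of one code. The line layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Codes and meanings as described in the PR text above.
CODES = {
    "1404": "payload decryption failed for a matched agent",
    "2202": "incoming message could not be uncompressed",
    "1406": "message checksum does not match",
    "1213": "source IP not allowed for an agent registered by IP",
    "1242": "accept() failed for a new TCP client",
}

# Assumed layout: "YYYY/MM/DD HH:MM:SS <tag>: <LEVEL>: (<code>): <text>".
# The text after the code is ignored, so rewording it cannot break parsing.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+: \w+: \((\d{4})\): ")

def parse(line):
    """Return (timestamp, code) for a tracked code, else None."""
    m = LINE.match(line.strip())
    if not m or m.group(2) not in CODES:
        return None
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)

def count_by_code(lines):
    """Count tracked events per code."""
    return Counter(code for _, code in filter(None, map(parse, lines)))

def bursts(lines, code, threshold=3, window=timedelta(seconds=60)):
    """Start times of runs with at least `threshold` events inside `window`."""
    times = sorted(ts for ts, c in filter(None, map(parse, lines)) if c == code)
    return [times[i] for i in range(len(times) - threshold + 1)
            if times[i + threshold - 1] - times[i] <= window]

# Constructed sample lines; the message text is a placeholder, not Wazuh's wording.
SAMPLE = [
    "2019/07/01 10:00:00 ossec-remoted: WARNING: (1404): placeholder text",
    "2019/07/01 10:00:20 ossec-remoted: WARNING: (1404): placeholder, reworded",
    "2019/07/01 10:00:45 ossec-remoted: WARNING: (1404): placeholder text",
    "2019/07/01 10:05:00 ossec-remoted: ERROR: (1406): placeholder text",
    "2019/07/01 10:06:00 ossec-remoted: WARNING: (1213): placeholder text",
    "2019/07/01 10:07:00 ossec-remoted: INFO: unrelated line without a code",
]

if __name__ == "__main__":
    for code, n in sorted(count_by_code(SAMPLE).items()):
        print(code, n, CODES[code])
    print("1404 bursts:", bursts(SAMPLE, "1404"))
```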