Hi Reggie,

Looking at your previous e-mail, you are having these errors because
you used the same agent id/name on multiple systems. Even if they have
the same IP, you need to give different ids/names. If you make this
change and re-import all the keys, it should all work.

Regarding the communication, the client (agent) always connects using
UDP port 1514 to the server and uses any high level local port (like
any other application). Note that the agent does not bind to these
local ports... If you want to configure a firewall between them, just
open dst port 1514 and keep the state.

http://www.ossec.net/wiki/index.php/Errors:AgentCommunication

*You can also change the port 1514, by specifying the "port" tag.

Hope it helps.

--
Daniel B. Cid
dcid ( at  ) ossec.net


On 7/26/07, Reggie Griffin <[EMAIL PROTECTED]> wrote:
>
> Daniel,
>
> Thanks, that was very helpful. Any way to hardcode the UDP port that
> client communicates to the server with? Looks like a random port in
> the 50000s.
>
> Snippet from tcpdump.
>
> 11:24:50.443020 IP ossec.server.1514 > loadbalance.54244: UDP, length 73
>
> Being able to lock that to one port would be very helpful.
>
> -Reggie
>
> Daniel Cid wrote:
> > Hi Reggie,
> >
> > OSSEC should work with systems behind a load balancer, but you must
> > give a different agent name and agent id for each one of them (even
> > though the ip address is the same -- like 101/30 that you gave).
> >
> > That entry in the wiki can be of help:
> > http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs
> >
> > If it doesn't solve your problem, can you show us your server and agent logs?
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 7/25/07, Reggie Griffin <[EMAIL PROTECTED]> wrote:
> >
> >> Hello,
> >>
> >> Been using OSSEC for a while now, and I must say that it's an awesome
> >> tool. Many thanks.
> >>
> >> To my question:
> >>
> >> Does anyone have advice on how to use the Active Response with
> >> systems sitting behind a load balancer? We have 3 systems with
> >> OSSEC installed that are set up as the same agent as far as the
> >> OSSEC server knows.
> >>
> >> An example from manage_agents.
> >>
> >> ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30
> >>
> >> The logging seems to work fine, but the clients can't connect to
> >> the queues on the server.
> >>
> >> 2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
> >> 2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
> >> 2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.
> >>
> >> I am not sure I approached this correctly, or if there is an easier
> >> way to accomplish this. Should I just install OSSEC with individual
> >> local only installs? If so, is there a way to accomplish the
> >> centralized logging part (which I like a lot), and have the rest of
> >> the OSSEC install only be concerned with managing that one host
> >> (most importantly, the Active Response)?
> >>
> >> Any thoughts?
> >>
> >> -Reggie
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
>
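
The firewall advice in this thread ("open dst port 1514 and keep the state"), modelled as an added example that is not part of the original messages or of OSSEC itself: a minimal stateful UDP filter showing why the agent's random source port does not need to be pinned. The addresses, the 30-second idle timeout and the class and function names are assumptions made for the illustration; port 54244 is the one from the tcpdump line above.

```python
# Added illustration: a toy stateful UDP filter placed in front of the OSSEC server.
OSSEC_PORT = 1514  # default port named in the thread; changeable with the "port" tag


class StatefulUdpFilter:
    def __init__(self, server_ip, port=OSSEC_PORT, timeout=30.0):
        self.server_ip = server_ip
        self.port = port
        self.timeout = timeout  # assumed idle timeout for a tracked flow, in seconds
        self.flows = {}         # (agent_ip, agent_port) -> time the flow was last seen

    def decide(self, ts, src_ip, src_port, dst_ip, dst_port):
        """Return 'ACCEPT' or 'DROP' for one UDP datagram."""
        # Agent -> server: only the destination port is fixed, the source port is ephemeral.
        if dst_ip == self.server_ip and dst_port == self.port:
            self.flows[(src_ip, src_port)] = ts
            return "ACCEPT"
        # Server -> agent: accepted only as a reply to a flow the agent opened.
        if src_ip == self.server_ip and src_port == self.port:
            seen = self.flows.get((dst_ip, dst_port))
            if seen is not None and ts - seen <= self.timeout:
                self.flows[(dst_ip, dst_port)] = ts
                return "ACCEPT"
        return "DROP"


# Constructed sample traffic: (time, src_ip, src_port, dst_ip, dst_port).
SERVER, AGENT = "192.0.2.10", "192.0.2.101"
SAMPLE = [
    (0.0, AGENT, 54244, SERVER, 1514),   # agent opens the flow from a random port
    (0.4, SERVER, 1514, AGENT, 54244),   # server reply on the tracked flow
    (1.0, SERVER, 1514, AGENT, 50000),   # server datagram to a port never used
    (2.0, AGENT, 40001, SERVER, 1514),   # agent restarted, new random source port
    (2.1, SERVER, 1514, AGENT, 40001),   # reply to the new flow
    (90.0, SERVER, 1514, AGENT, 54244),  # old flow has idled out
]


def run(packets, server_ip=SERVER):
    fw = StatefulUdpFilter(server_ip)
    return [fw.decide(*p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(verdict, pkt)
```
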
