After a long absence, here I am again.
Short answer:
Either install one machine as the ossec server of the segment or
use syslog and do not install ossec-clients on the NATed network.

Long explanation:
If you are running ossec on clients behind a NATed connection then the ossec-server/client chat will fail whenever the server is trying to access a different client.
To the best of my knowledge (please correct me), the server is choosing the key to decrypt the message according to the sender IP, and then again if you have multiple clients from the same IP, the server will always choose the same key (I should read the sources to tell if it will be the first one or the last one).

The idea of having each client report using a different encryption is to avoid man in the middle attacks, DoS, false alarms and unauthorized reading of traffic. The problem with the current implementation is that it fails in scenarios where the agents have dynamic IP. Another limitation of the two-way protocol between server and clients is that multiple agents can not report using the ossec protocol when they are behind a NATed IP.
Possible solutions and workarounds:
Use a header in the packet payload before the encrypted data pointing to the encryption key id.
Setup an ossec-proxy server (to be built)
Set a local ossec server per network segment
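
As an added illustration (not code from this thread or from OSSEC itself), a small Python model of the key-selection problem described above: when the server picks the key by sender IP, two agents behind one NAT collide and the second one never verifies, while a key-id header in front of the sealed data lets the server pick the right key. The agent table, the keys and the HMAC-based "seal" are constructed stand-ins for the real OSSEC message format.

```python
import hashlib
import hmac

# Constructed agent table (not real OSSEC keys): agent id -> (registered source IP, shared key)
AGENTS = {
    "001": ("203.0.113.10", b"key-for-agent-001"),
    "002": ("203.0.113.10", b"key-for-agent-002"),  # same public IP: both agents sit behind one NAT
    "003": ("198.51.100.7", b"key-for-agent-003"),
}
TAG_LEN = 32  # HMAC-SHA256 output length


def seal(agent_id, payload):
    """Model of an agent message: authentication tag under the agent's key, then the payload."""
    key = AGENTS[agent_id][1]
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def _check(key, message):
    """Return the payload if the tag verifies under key, else None (the 'incorrectly formatted' case)."""
    tag, payload = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def verify_by_ip(src_ip, message):
    """Behaviour described in the thread: choose the key by sender IP.
    With several agents on one IP only the first registered one can ever verify."""
    for agent_id, (ip, key) in AGENTS.items():
        if ip == src_ip:
            return agent_id if _check(key, message) is not None else None
    return None


def seal_with_header(agent_id, payload):
    """Proposed workaround: cleartext key id in front of the sealed data."""
    return agent_id.encode() + b":" + seal(agent_id, payload)


def verify_with_header(message):
    """Select the key by the header, then verify. The header is only a lookup hint;
    authenticity still rests on the shared key, so a forged header does not verify."""
    agent_id, sep, sealed = message.partition(b":")
    agent_id = agent_id.decode(errors="replace")
    if not sep or agent_id not in AGENTS:
        return None
    return agent_id if _check(AGENTS[agent_id][1], sealed) is not None else None
```

The header reveals which agent id sent a message, so it trades a little metadata for correct key selection; it does not weaken the authentication itself.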


On 10/19/06, HiT <[EMAIL PROTECTED]> wrote:

Hi,

I'd like to know if there is any workaround for the issue of having
multiple agents with the same IP causing those 'incorrectly formatted
message' errors in the ossec logs. I have a remote ossec server which
has some windows agents reporting into it from another location, but
because they all are behind the same router they have the same IP
address. For various reasons, it's not possible for me to put the ossec
server on the inside of that network, so the next best thing was to have
the agents report outside to a remote server. But it only works if there
is just one agent from that IP.

One way I can think of is to keep a permanent VPN tunnel
established between the ossec server and the router with the windows
agents behind it, that way they will have unique private IP addresses,
but is there a simpler way to go about this? Any suggestions are
welcome, so don't be shy! ;)
