The <local_ip> I was trying was the IP attached to the eth0:0 interface. And yes, I restarted both the server and clients.

I just tried entering 0.0.0.0. When starting ossec:

2009/03/17 08:43:45 ossec-config(1237): ERROR: Invalid ip address: '0.0.0.0'.
2009/03/17 08:43:45 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2009/03/17 08:43:45 ossec-remoted(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

I found someone else having a similar problem:
http://groups.google.com/group/ossec-list/browse_thread/thread/3cc3390d5ad19a24/b2c16a478b9a97a1?lnk=gst&q=local_ip#b2c16a478b9a97a1

It sounds like Daniel Cid, a developer, I presume, was going to take a look at this in Oct 2007 (v1.5) but this is still a problem. For some reason, it looks like ossec is not looking at the incoming DST IP from the clients and using that as the SRC IP when responding.

I am sure my situation of using a floating IP is quite common - can anyone say that they've used virtual interfaces successfully, first hand?

On Mar 16, 7:42 pm, Christopher <[email protected]> wrote:
> What IP did you specify with that option? I would assume setting 0.0.0.0
> would allow OSSEC to listen on any IP address. You are restarting the
> server after you make these changes, right?
>
> On Mon, Mar 16, 2009 at 3:40 PM, Mark C <[email protected]> wrote:
>
> > Oh, I tried the <local_ip> option specified here:
> > http://www.ossec.net/main/manual/configuration-options/#remote_options
> >
> > <remote>
> > <connection>syslog</connection>
> > <local_ip>xxx.xxx.xxx.xxx</local_ip>
> > </remote>
> >
> > And it did not work even after restarting.
> >
> > On Mar 16, 2:54 pm, Mark C <[email protected]> wrote:
> > > Hi all,
> > >
> > > I've just installed OSSEC 2 on an Ubuntu 6.06 server 32bit system.
> > > It's part of a simple cluster where there's a floating IP, eth0:0. I
> > > set up 2 agents, and during the initial setup gave them the floating
> > > IP. Here's what both saw in the logs:
> > >
> > > 2009/03/16 14:42:11 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> > > 2009/03/16 14:42:33 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> > >
> > > I restarted the server and agents several times.
> > >
> > > Then on one of the agents, I changed the server IP in
> > > /var/ossec/etc/ossec.conf. I restarted the agent and when I ran
> > > /var/ossec/bin/list_agents -c on the server, I saw that it was
> > > connected.
> > >
> > > I've searched for any file on the server that might let me specify
> > > what IP or interface to listen on but I can't find anything.
> > > Connectivity to the virtual interface, aside from OSSEC, works without
> > > any problems whatsoever.
> > >
> > > The server and clients are on the same subnet. There are no firewalls
> > > involved.
> > >
> > > I'm sure I'm missing something very simple :)
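
Added example, not part of the original thread and not OSSEC code: a Linux-only Python sketch of how the source address of a UDP reply is chosen when a client contacts a secondary (alias or floating) address. It assumes 127.0.0.1 stands in for the primary address and 127.0.0.2 for the floating one; the function name reply_source is hypothetical.

```python
import socket
import struct

# Linux value of IP_PKTINFO; the named constant is missing on older Pythons.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)

def reply_source(bind_ip, contacted_ip, use_pktinfo=False):
    """Return the source IP a client sees on the reply from a UDP server.

    bind_ip      -- address the server socket is bound to
    contacted_ip -- address the client sends its datagram to
    use_pktinfo  -- server copies the request's destination IP into the
                    reply's source address instead of letting routing pick it
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.settimeout(2)
        cli.settimeout(2)
        if use_pktinfo:
            srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
        srv.bind((bind_ip, 0))                      # port 0: kernel picks a free port
        port = srv.getsockname()[1]
        cli.bind(("127.0.0.1", 0))
        cli.sendto(b"hello", (contacted_ip, port))

        if use_pktinfo:
            _, anc, _, peer = srv.recvmsg(1024, socket.CMSG_SPACE(12))
            info = next(d for lvl, typ, d in anc
                        if lvl == socket.IPPROTO_IP and typ == IP_PKTINFO)
            # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr (request's DST IP)
            _, _, dst = struct.unpack("i4s4s", info[:12])
            # On send, ipi_spec_dst is the source address the kernel should use.
            out = struct.pack("i4s4s", 0, dst, bytes(4))
            srv.sendmsg([b"ack"], [(socket.IPPROTO_IP, IP_PKTINFO, out)], 0, peer)
        else:
            _, peer = srv.recvfrom(1024)
            srv.sendto(b"ack", peer)                # source chosen by bind or by routing
        return cli.recvfrom(1024)[1][0]
    finally:
        srv.close()
        cli.close()

if __name__ == "__main__":
    print("wildcard bind      :", reply_source("0.0.0.0", "127.0.0.2"))
    print("bound to floating  :", reply_source("127.0.0.2", "127.0.0.2"))
    print("wildcard + pktinfo :", reply_source("0.0.0.0", "127.0.0.2", True))
```

With a wildcard bind the reply leaves from the address routing selects, so a client that keys on the configured server IP does not see a reply from the address it contacted; binding to the floating address or echoing the destination address with IP_PKTINFO keeps the two aligned.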
