Hi Rob, Can you describe what is breaking the wui? Using a network address range should work fine in there...
Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Tue, Mar 17, 2009 at 11:06 AM, Rob Butterworth <[email protected]> wrote: > > I've got the problem in the other direction - I have client machines with > multiple virtual interfaces, and after a reboot the ossec agent binds to > different addresses, breaking agent->server comms. Switching to using a > network address range as the client address works for alerting, but breaks > the WUI, so I don't want to do that. A config option to force the agent to > use a specific IP would be better... > > Rob > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of Mark C > Sent: 17 March 2009 13:47 > To: ossec-list > Subject: [ossec-list] Re: Specify LISTEN IP and/or interface on the server? > > > The <local_ip> I was trying was the IP attached to the eth0:0 > interface. And yes, I restarted both the server and clients. > > I just tried entering 0.0.0.0. When starting ossec: > > 2009/03/17 08:43:45 ossec-config(1237): ERROR: Invalid ip address: > '0.0.0.0'. > 2009/03/17 08:43:45 ossec-config(1202): ERROR: Configuration error at > '/var/ossec/etc/ossec.conf'. Exiting. > 2009/03/17 08:43:45 ossec-remoted(1202): ERROR: Configuration error at > '/var/ossec/etc/ossec.conf'. Exiting. > > I found someone else having a similar problem: > http://groups.google.com/group/ossec-list/browse_thread/thread/3cc3390d5ad19a24/b2c16a478b9a97a1?lnk=gst&q=local_ip#b2c16a478b9a97a1 > > It sounds like Daniel Cid, a developer, I presume, was going to take a > look at this in Oct 2007 (v1.5) but this is still a problem. For some > reason, it looks like ossec is not looking at the incoming DST IP from > the clients and using that as the SRC IP when responding. > > I am sure my situation of using a floating IP is quite common - can > anyone say that they've used virtual interfaces successfully, first > hand? > > On Mar 16, 7:42 pm, Christopher <[email protected]> wrote: >> What IP did you specify with that option? I would assume setting 0.0.0.0 >> would allow OSSEC to listen on any IP address. You are restarting the >> server after you make these changes, right? >> >> On Mon, Mar 16, 2009 at 3:40 PM, Mark C <[email protected]> wrote: >> >> > Oh, I tried the <local_ip> option specified here: >> >http://www.ossec.net/main/manual/configuration-options/#remote_options >> >> > <remote> >> > <connection>syslog</connection> >> > <local_ip>xxx.xxx.xxx.xxx</local_ip> >> > </remote> >> >> > And it did not work even after restarting. >> >> > On Mar 16, 2:54 pm, Mark C <[email protected]> wrote: >> > > Hi all, >> >> > > I've just installed OSSEC 2 on an Ubuntu 6.06 server 32bit system. >> > > It's part of a simple cluster where there's a floating IP, eth0:0. I >> > > setup 2 agents, and during the initial setup gave them the floating >> > > IP. Here's what both saw in the logs: >> >> > > 2009/03/16 14:42:11 ossec-agentd(4101): WARN: Waiting for server reply >> > > (not started). Tried: 'xxx.xxx.xxx.xxx'. >> > > 2009/03/16 14:42:33 ossec-agentd: INFO: Trying to connect to server >> > > (xxx.xxx.xxx.xxx:1514). >> >> > > I restarted the server and agents several times. >> >> > > Then on one of the agents, I changed the server IP in /var/ossec/etc/ >> > > ossec.conf. I restarted the agent and when I ran /var/ossec/bin/ >> > > list_agents -c on the server, I saw that it was connectd. >> >> > > I've searched for any file on the server that might let me specify >> > > what IP or interface to listen on but I can't find anything. >> > > Connectivity to the virtual interface, aside from OSSEC, works without >> > > any problems whatsoever. >> >> > > The server and clients are on the same subnet. There are no firewalls >> > > involved. >> >> > > I'm sure I'm missing something very simple :) > > - > Any views expressed in this message are those of the individual sender, > except where specifically stated to be the view of the Company, its > subsidiaries or associates. When addressed to our customers, any opinions or > advice contained in this eMail are subject to the relevant Company terms of > business. The Company reserves the right to monitor all email communications > through its internal and external networks. NOTICE: This eMail is intended > solely for the named recipient only. It may contain privileged and/or > confidential information. If you are not one of the intended recipients, > please notify the sender immediately, and destroy this eMail; you must not > copy, distribute or take any action in reliance upon it. Whilst all efforts > are made to safeguard Inbound and Outbound eMails, the Company cannot > guarantee that attachments are Virus-free or compatible with your systems and > does not accept any liability in respect of viruses or computer problems > experienced. > IMPORTANT: Credit Card Details should not be sent to the Company by email. >
