Hi Mark,

If you don't specify a local_ip in the config, it will bind to all the
interfaces. What I am thinking is that you are having a routing issue,
where ip A is receiving the events from the agent, but with a route
configured to reply with ip B. Can you run tcpdump on both ends (and
netstat -uanep) to see what is going on?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Mar 17, 2009 at 10:46 AM, Mark  C <[email protected]> wrote:
>
> The <local_ip> I was trying was the IP attached to the eth0:0
> interface.  And yes, I restarted both the server and clients.
>
> I just tried entering 0.0.0.0.  When starting ossec:
>
> 2009/03/17 08:43:45 ossec-config(1237): ERROR: Invalid ip address:
> '0.0.0.0'.
> 2009/03/17 08:43:45 ossec-config(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> 2009/03/17 08:43:45 ossec-remoted(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
>
> I found someone else having a similar problem:
> http://groups.google.com/group/ossec-list/browse_thread/thread/3cc3390d5ad19a24/b2c16a478b9a97a1?lnk=gst&q=local_ip#b2c16a478b9a97a1
>
> It sounds like Daniel Cid, a developer, I presume, was going to take a
> look at this in Oct 2007 (v1.5) but this is still a problem.  For some
> reason, it looks like ossec is not looking at the incoming DST IP from
> the clients and using that as the SRC IP when responding.
>
> I am sure my situation of using a floating IP is quite common - can
> anyone say that they've used virtual interfaces successfully, first
> hand?
>
> On Mar 16, 7:42 pm, Christopher <[email protected]> wrote:
>> What IP did you specify with that option?  I would assume setting 0.0.0.0
>> would allow OSSEC to listen on any IP address.  You are restarting the
>> server after you make these changes, right?
>>
>> On Mon, Mar 16, 2009 at 3:40 PM, Mark C <[email protected]> wrote:
>>
>> > Oh, I tried the <local_ip> option specified here:
>> > http://www.ossec.net/main/manual/configuration-options/#remote_options
>>
>> >  <remote>
>> >    <connection>syslog</connection>
>> >    <local_ip>xxx.xxx.xxx.xxx</local_ip>
>> >  </remote>
>>
>> > And it did not work even after restarting.
>>
>> > On Mar 16, 2:54 pm, Mark  C <[email protected]> wrote:
>> > > Hi all,
>>
>> > > I've just installed OSSEC 2 on an Ubuntu 6.06 server 32bit system.
>> > > It's part of a simple cluster where there's a floating IP, eth0:0.  I
>> > > setup 2 agents, and during the initial setup gave them the floating
>> > > IP.  Here's what both saw in the logs:
>>
>> > > 2009/03/16 14:42:11 ossec-agentd(4101): WARN: Waiting for server reply
>> > > (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> > > 2009/03/16 14:42:33 ossec-agentd: INFO: Trying to connect to server
>> > > (xxx.xxx.xxx.xxx:1514).
>>
>> > > I restarted the server and agents several times.
>>
>> > > Then on one of the agents, I changed the server IP in
>> > > /var/ossec/etc/ossec.conf.  I restarted the agent and when I ran
>> > > /var/ossec/bin/list_agents -c on the server, I saw that it was connected.
>>
>> > > I've searched for any file on the server that might let me specify
>> > > what IP or interface to listen on but I can't find anything.
>> > > Connectivity to the virtual interface, aside from OSSEC, works without
>> > > any problems whatsoever.
>>
>> > > The server and clients are on the same subnet.  There are no firewalls
>> > > involved.
>>
>> > > I'm sure I'm missing something very simple :)
>
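
An added example, not part of the original thread or of OSSEC: one way to read the tcpdump capture requested above is to pair each agent datagram sent to port 1514 with the reply it gets and flag replies whose source address differs from the address the agent used. The capture lines and addresses are constructed, and the `tcpdump -nn udp port 1514` output format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn udp port 1514` output (documentation addresses):
# 192.0.2.50 stands in for the floating eth0:0 address, 192.0.2.5 for the primary one.
SAMPLE_CAPTURE = """\
08:43:45.120001 IP 192.0.2.10.40112 > 192.0.2.50.1514: UDP, length 73
08:43:45.120950 IP 192.0.2.5.1514 > 192.0.2.10.40112: UDP, length 73
08:43:46.300412 IP 192.0.2.11.51877 > 192.0.2.5.1514: UDP, length 73
08:43:46.301020 IP 192.0.2.5.1514 > 192.0.2.11.51877: UDP, length 73
""".splitlines()

# Extracts source/destination address and port from one IPv4 UDP line.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def find_mismatched_replies(lines, server_port=1514):
    """Return (agent, address_agent_sent_to, address_reply_came_from) tuples."""
    sent_to = defaultdict(set)  # (agent_ip, agent_port) -> server IPs it addressed
    mismatches = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip non-UDP or unparsable lines
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == server_port:
            # Agent -> server: remember which server address the agent used.
            sent_to[(src, sport)].add(dst)
        elif sport == server_port:
            # Server -> agent: the reply should come from an address the agent used.
            expected = sent_to.get((dst, dport))
            if expected and src not in expected:
                item = (f"{dst}:{dport}", sorted(expected)[0], src)
                if item not in mismatches:
                    mismatches.append(item)
    return mismatches


if __name__ == "__main__":
    for agent, wanted, got in find_mismatched_replies(SAMPLE_CAPTURE):
        print(f"{agent} sent to {wanted} but was answered from {got}")
```

An agent that drops replies from an address other than the one it is configured with would keep logging "Waiting for server reply" in the flagged case, while the second agent in the sample, which addressed the primary IP directly, is not flagged.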
