When I used an address range (e.g. 192.168.1.0/24) I ended up with only one agent listed in the WUI - it didn't seem to like that I had multiple agents on the same network using the same address.
Rob -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Cid Sent: 18 March 2009 17:04 To: [email protected] Subject: [ossec-list] Re: Specify LISTEN IP and/or interface on the server? Hi Rob, Can you describe what is breaking the wui? Using a network address range should work fine in there... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Tue, Mar 17, 2009 at 11:06 AM, Rob Butterworth <[email protected]> wrote: > > I've got the problem in the other direction - I have client machines with > multiple virtual interfaces, and after a reboot the ossec agent binds to > different addresses, breaking agent->server comms. Switching to using a > network address range as the client address works for alerting, but breaks > the WUI, so I don't want to do that. A config option to force the agent to > use a specific IP would be better... > > Rob > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of Mark C > Sent: 17 March 2009 13:47 > To: ossec-list > Subject: [ossec-list] Re: Specify LISTEN IP and/or interface on the server? > > > The <local_ip> I was trying was the IP attached to the eth0:0 > interface. And yes, I restarted both the server and clients. > > I just tried entering 0.0.0.0. When starting ossec: > > 2009/03/17 08:43:45 ossec-config(1237): ERROR: Invalid ip address: > '0.0.0.0'. > 2009/03/17 08:43:45 ossec-config(1202): ERROR: Configuration error at > '/var/ossec/etc/ossec.conf'. Exiting. > 2009/03/17 08:43:45 ossec-remoted(1202): ERROR: Configuration error at > '/var/ossec/etc/ossec.conf'. Exiting. > > I found someone else having a similar problem: > http://groups.google.com/group/ossec-list/browse_thread/thread/3cc3390d5ad19a24/b2c16a478b9a97a1?lnk=gst&q=local_ip#b2c16a478b9a97a1 > > It sounds like Daniel Cid, a developer, I presume, was going to take a > look at this in Oct 2007 (v1.5) but this is still a problem. For some > reason, it looks like ossec is not looking at the incoming DST IP from > the clients and using that as the SRC IP when responding. > > I am sure my situation of using a floating IP is quite common - can > anyone say that they've used virtual interfaces successfully, first > hand? > > On Mar 16, 7:42 pm, Christopher <[email protected]> wrote: >> What IP did you specify with that option? I would assume setting 0.0.0.0 >> would allow OSSEC to listen on any IP address. You are restarting the >> server after you make these changes, right? >> >> On Mon, Mar 16, 2009 at 3:40 PM, Mark C <[email protected]> wrote: >> >> > Oh, I tried the <local_ip> option specified here: >> >http://www.ossec.net/main/manual/configuration-options/#remote_options >> >> > <remote> >> > <connection>syslog</connection> >> > <local_ip>xxx.xxx.xxx.xxx</local_ip> >> > </remote> >> >> > And it did not work even after restarting. >> >> > On Mar 16, 2:54 pm, Mark C <[email protected]> wrote: >> > > Hi all, >> >> > > I've just installed OSSEC 2 on an Ubuntu 6.06 server 32bit system. >> > > It's part of a simple cluster where there's a floating IP, eth0:0. I >> > > setup 2 agents, and during the initial setup gave them the floating >> > > IP. Here's what both saw in the logs: >> >> > > 2009/03/16 14:42:11 ossec-agentd(4101): WARN: Waiting for server reply >> > > (not started). Tried: 'xxx.xxx.xxx.xxx'. >> > > 2009/03/16 14:42:33 ossec-agentd: INFO: Trying to connect to server >> > > (xxx.xxx.xxx.xxx:1514). >> >> > > I restarted the server and agents several times. >> >> > > Then on one of the agents, I changed the server IP in /var/ossec/etc/ >> > > ossec.conf. I restarted the agent and when I ran /var/ossec/bin/ >> > > list_agents -c on the server, I saw that it was connectd. >> >> > > I've searched for any file on the server that might let me specify >> > > what IP or interface to listen on but I can't find anything. >> > > Connectivity to the virtual interface, aside from OSSEC, works without >> > > any problems whatsoever. >> >> > > The server and clients are on the same subnet. There are no firewalls >> > > involved. >> >> > > I'm sure I'm missing something very simple :) > > - > Any views expressed in this message are those of the individual sender, > except where specifically stated to be the view of the Company, its > subsidiaries or associates. When addressed to our customers, any opinions or > advice contained in this eMail are subject to the relevant Company terms of > business. The Company reserves the right to monitor all email communications > through its internal and external networks. NOTICE: This eMail is intended > solely for the named recipient only. It may contain privileged and/or > confidential information. If you are not one of the intended recipients, > please notify the sender immediately, and destroy this eMail; you must not > copy, distribute or take any action in reliance upon it. Whilst all efforts > are made to safeguard Inbound and Outbound eMails, the Company cannot > guarantee that attachments are Virus-free or compatible with your systems and > does not accept any liability in respect of viruses or computer problems > experienced. > IMPORTANT: Credit Card Details should not be sent to the Company by email. > - Any views expressed in this message are those of the individual sender, except where specifically stated to be the view of the Company, its subsidiaries or associates. When addressed to our customers, any opinions or advice contained in this eMail are subject to the relevant Company terms of business. The Company reserves the right to monitor all email communications through its internal and external networks. NOTICE: This eMail is intended solely for the named recipient only. It may contain privileged and/or confidential information. If you are not one of the intended recipients, please notify the sender immediately, and destroy this eMail; you must not copy, distribute or take any action in reliance upon it. Whilst all efforts are made to safeguard Inbound and Outbound eMails, the Company cannot guarantee that attachments are Virus-free or compatible with your systems and does not accept any liability in respect of viruses or computer problems experienced. IMPORTANT: Credit Card Details should not be sent to the Company by email.
