I had the following scenario today: A host (myPC) with a fixed IP (MAC address based DHCP) has two different operating systems installed, Windows XP and Linux (Kernel 2.6).
I have one OSSEC server. I installed a Linux agent on myPC and registered it on the server with the name myPC-linux and id 002 and its fixed IP, imported the key to my Linux agent and everything worked fine.

Today I tried to install an OSSEC agent on my Windows XP. Installation worked fine. I registered that host with the name myPC-winxp and id 003 on the OSSEC server. The OSSEC server IP was entered correctly on the win agent. After restarting the server and importing the key, the win agent logged the following a couple of times:

ossec-agent: INFO: Trying to connect to server
ossec-agent WARN: Waiting for server reply (not started)

And the server logged the following all the time:

ossec-remoted): ERROR: Incorrectly formated message from [myPC's IP address]

I assumed that the server was only expecting messages encrypted with the key of myPC-linux from the IP of myPC. Then I pasted the key of myPC-linux into the Windows agent. The agent logged the same thing as before, and the server logged the following:

ossec-remoted: WARN: Duplicate error: global: 0, local: 38, saved global: 40, saved local:6723
ossec-remoted(1407): ERROR: Duplicated counter for 'myPC-linux'

This is kind of obvious, since the counter for my Linux agent was way higher than the one for the win agent. However, it seems like the server could decrypt the messages correctly (since it expects the myPC-linux key from my IP). After that I removed the line for myPC-linux from the server's client.keys, pasted the myPC-winxp key into the Windows agent and restarted the OSSEC server. Finally the connection worked. Of course, after rebooting and starting my Linux again, the Linux agent couldn't connect and the server once more logged incorrectly formatted messages from my IP. Pasting the myPC-linux key into the server's client.keys and restarting it again worked fine.
So I now have the following assumptions:
1) The server links incoming connections by their IP to an agent in client.keys.
2) If there are multiple hosts registered with the server with a fixed IP address, the server will always assume the one showing up in client.keys first is the agent trying to connect.
3) The only solutions to avoid a conflict are running separate servers for each agent with the same host IP or using a dynamic IP address range for both (e.g. 192.168.2.0/24).
Are these assumptions right? Would using a fixed IP for myPC-linux and a dynamic one for myPC-winxp work? Would using a dynamic IP for myPC-linux and a fixed one for myPC-winxp work?
Kind regards, Oscar
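A small check over the server's client.keys for the collision described in this post, written as an added example (not OSSEC's own code and not part of the original message). It assumes the file's "id name ip key" line format, treats a bare IP as a /32 and "any" as a wildcard, and uses constructed placeholder keys; the "first match wins" interpretation is the poster's assumption, modelled here so that shadowed entries become visible.

```python
import ipaddress

# Constructed sample of an OSSEC server's client.keys; the keys are placeholders,
# not real ones. It reproduces the two-agents-one-IP setup from the post.
SAMPLE_CLIENT_KEYS = """\
002 myPC-linux 192.168.2.10 0123456789abcdef0123456789abcdef
003 myPC-winxp 192.168.2.10 fedcba9876543210fedcba9876543210
004 laptop 192.168.2.0/24 00112233445566778899aabbccddeeff
"""

def parse_client_keys(text):
    """Parse lines of the form '<id> <name> <ip-or-cidr> <key>'.
    Comment lines, short lines and names starting with '!' (removed agents) are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#") or parts[1].startswith("!"):
            continue
        agent_id, name, addr, key = parts[:4]
        entries.append({"id": agent_id, "name": name, "addr": addr, "key": key})
    return entries

def entries_for_source(entries, source_ip):
    """Entries whose address covers source_ip, in file order. 'any' matches everything
    and a bare IP is a /32. If the server really takes the first match, as the post
    suggests, every later entry in this list is unreachable from that source."""
    ip = ipaddress.ip_address(source_ip)
    return [e for e in entries
            if e["addr"] == "any" or ip in ipaddress.ip_network(e["addr"], strict=False)]

def exact_ip_collisions(entries):
    """Map each fixed address (no CIDR, not 'any') shared by several agents to their names."""
    by_addr = {}
    for e in entries:
        if e["addr"] != "any" and "/" not in e["addr"]:
            by_addr.setdefault(e["addr"], []).append(e["name"])
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}

if __name__ == "__main__":
    keys = parse_client_keys(SAMPLE_CLIENT_KEYS)
    for addr, names in exact_ip_collisions(keys).items():
        print(f"{addr} is shared by {', '.join(names)}: only the first entry can be used")
    print([e["name"] for e in entries_for_source(keys, "192.168.2.10")])
```

Running it against a real client.keys (read the file instead of the sample) lists exactly the fixed-IP duplicates that produce the "Incorrectly formated message" errors seen above.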
