On Thu, Mar 11, 2010 at 9:30 PM, oscar schneider <[email protected]> wrote:
> I had the following scenario today:
>
> A host (myPC) with a fixed IP (MAC address based DHCP) has two different operating systems installed, Windows XP and Linux (Kernel 2.6).
>
> I have one OSSEC server. I installed a Linux agent on myPC and registered it on the server with the name myPC-linux and id 002 and its fixed IP, imported the key to my Linux agent and everything worked fine. Today I tried to install an OSSEC agent on my Windows XP. Installation worked fine.
> I registered that host with the name myPC-winxp and id 003 on the OSSEC server.
> OSSEC Server IP was entered correctly on the win agent.
>
> After restarting the server and importing the key, the win agent logged the following a couple of times:
>
> ossec-agent: INFO: Trying to connect to server
> ossec-agent WARN: Waiting for server reply (not started)
>
> And the server logged
> ossec-remoted): ERROR: Incorrectly formated message from [myPC's IP address]
> all the time.
>
> I assumed that the server was only expecting messages encrypted with the key of myPC-linux from the IP of myPC. Then I pasted the key of myPC-linux into the windows agent.
>
> The agent logged the same thing as before, and the server logged the following:
> ossec-remoted: WARN: Duplicate error: global: 0, local: 38, saved global: 40, saved local:6723
> and
> ossec-remoted(1407): ERROR: Duplicated counter for 'myPC-linux'.
>
> This is kind of obvious since the counter for my linux agent was way higher than the one for the win agent. However it seems like the server could decrypt the messages correctly (since it expects the myPC-linux key from my IP).
>
> After that I removed the line for myPC-linux from the server's client.keys and pasted the myPC-winxp key into the Windows agent and restarted the ossec server.
>
> Finally the connection worked.
>
> Of course after rebooting and starting my Linux again, the Linux agent couldn't connect and the server once more logged incorrectly formatted messages from my IP.
>
> Pasting the myPC-linux key into the server's client.keys and restarting it again worked fine.
>
>
> So I now have the following assumptions:
> 1) The server links incoming connections by their IP to an agent in client.keys
> 2) If there are multiple hosts registered with the server with a fixed IP address, the server will always assume the one showing up in client.keys first is the agent trying to connect.
> 3) The only solutions to avoid a conflict are running separate servers for each agent with the same host IP or using a dynamic IP address range for both (e.g. 192.168.2.0/24).
>
> Are these assumptions right?
> Would using a fixed IP for myPC-linux and a dynamic one for myPC-winxp work?
> Would using a dynamic IP for myPC-linux and a fixed one for myPC-winxp work?
>
> Kind regards,
>
> Oscar
>
Your assumptions look basically correct. Just use '192.168.2.0/24' for one (or both) of the agents and you should be fine.
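To make the lookup behaviour discussed in this thread concrete, here is an added Python model of how a server might select the client.keys entry for an incoming message. It is not OSSEC's code and was not written by either poster. It models what Oscar infers and the reply confirms: with a fixed address in client.keys, the first entry whose address matches the sender is used, and a message encrypted with a different agent's key is then rejected. It also assumes, beyond what the thread states, that an agent registered with a network range (or `any`) announces its agent id in each message, so the server looks the entry up by id and only checks that the sender lies inside the range. The client.keys contents, agent names, source addresses and key strings are constructed placeholders; a key mismatch stands in for a message that fails to decrypt, and the message counters are not modelled.

```python
import ipaddress

# Constructed client.keys samples (not the poster's real file). One entry per line:
#   <agent id> <agent name> <ip, network or any> <key>
# The key values are placeholder strings, not real OSSEC keys.
CLIENT_KEYS_FIXED_IP = """\
002 myPC-linux 192.168.2.10 aaaa1111aaaa1111aaaa1111aaaa1111
003 myPC-winxp 192.168.2.10 bbbb2222bbbb2222bbbb2222bbbb2222
"""

# The layout the reply recommends: a range for both agents sharing the address.
CLIENT_KEYS_RANGE = """\
002 myPC-linux 192.168.2.0/24 aaaa1111aaaa1111aaaa1111aaaa1111
003 myPC-winxp 192.168.2.0/24 bbbb2222bbbb2222bbbb2222bbbb2222
"""


def parse_client_keys(text):
    """Parse client.keys lines into dicts. 'any' is treated as 0.0.0.0/0."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        agent_id, name, ip, key = line.split(None, 3)
        if ip == "any":
            ip = "0.0.0.0/0"
        net = ipaddress.ip_network(ip, strict=False)
        entries.append({
            "id": agent_id,
            "name": name,
            "net": net,
            "key": key,
            # More than one address means a "dynamic" entry; assumed here to make
            # the agent announce its id so the server can look it up by id.
            "dynamic": net.num_addresses > 1,
        })
    return entries


def lookup_by_ip(entries, srcip):
    """Assumption 2 of the post: the first entry whose address field contains
    the sender wins, regardless of which key the sender actually used."""
    addr = ipaddress.ip_address(srcip)
    for entry in entries:
        if addr in entry["net"]:
            return entry
    return None


def lookup_by_id(entries, agent_id, srcip):
    """Assumed handling for range entries: match on the announced agent id, then
    require the sender to be inside that entry's range."""
    addr = ipaddress.ip_address(srcip)
    for entry in entries:
        if entry["id"] == agent_id and addr in entry["net"]:
            return entry
    return None


def server_accepts(entries, srcip, agent_key, announced_id=None):
    """Model of the server's decision for one message.

    Returns the accepted agent name, or a string describing the failure.
    'agent_key' is the key the sending agent holds; a mismatch with the key the
    server selected stands in for a message that does not decrypt (the
    "Incorrectly formated message" case in the post).
    """
    if announced_id is None:
        entry = lookup_by_ip(entries, srcip)
    else:
        entry = lookup_by_id(entries, announced_id, srcip)
    if entry is None:
        return "no matching entry for %s" % srcip
    if entry["key"] != agent_key:
        return "incorrectly formatted message from %s (tried key of %s)" % (
            srcip, entry["name"])
    return entry["name"]


if __name__ == "__main__":
    linux_key = "aaaa1111aaaa1111aaaa1111aaaa1111"
    winxp_key = "bbbb2222bbbb2222bbbb2222bbbb2222"

    fixed = parse_client_keys(CLIENT_KEYS_FIXED_IP)
    # Both agents come from the same fixed address; only the first entry's key works.
    print("fixed, linux agent:", server_accepts(fixed, "192.168.2.10", linux_key))
    print("fixed, winxp agent:", server_accepts(fixed, "192.168.2.10", winxp_key))

    ranged = parse_client_keys(CLIENT_KEYS_RANGE)
    # With a range, each agent announces its id and both are resolved correctly.
    print("range, linux agent:", server_accepts(ranged, "192.168.2.10", linux_key, "002"))
    print("range, winxp agent:", server_accepts(ranged, "192.168.2.10", winxp_key, "003"))
    # An announced id from outside the registered range is still refused.
    print("range, wrong subnet:", server_accepts(ranged, "10.0.0.5", winxp_key, "003"))
```

Run as a script, the fixed-address table accepts only myPC-linux from 192.168.2.10 and rejects the Windows agent's message, which is the symptom Oscar saw; the range table accepts both agents by their announced id while still refusing an id announced from outside the subnet.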
