Hi,

This scenario works well; you have to redirect the port.

On OpenBSD 4.8 you can do this like:

match in on wan_if proto tcp from any to (wan_if) port 1514 rdr-to ossec-server port 1514

The (wan_if) is an option for the fw code to read the IP directly from the interface.

On Linux, for example:

http://www.ehow.com/how_5323303_redirect-ports-using-linux-iptables.html

holger

On 02/23/2011 03:19 AM, Joel Brooks wrote:
Hi gang,

I'm wondering if there are any tricks to getting ossec working when the
server is behind a NAT.

Here's the case:

I have some Linode servers that I'd like to monitor with ossec.
The ossec server is in the office behind a NATting firewall.
The ossec agent on the Linode boxes is configured to use the public
IP on the default port (1514).
The firewall will translate the public IP to the internal (RFC 1918)
address, but doesn't change the port.

I'm trying to get the linode agents to be managed centrally, so the
only thing in the ossec.conf is the

<client>
   <server-ip>1.2.3.4</server-ip>
</client>

stuff.

Looking at the logs on the agent, I see these messages repeated many
times:

2011/02/22 03:25:33 ossec-agentd: INFO: Trying to connect to server (gw.domain.com/1.2.3.4:1514).
2011/02/22 03:25:54 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'gw.domain.com/1.2.3.4'

and:

2011/02/22 20:58:25 ossec-agentd(1214): WARN: Problem receiving message from 1.2.3.4.

When I stop/start the agent (on the Linode systems), I get this:

Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-agentd...
2011/02/22 21:15:05 ossec-logcollector(1905): INFO: No file configured to monitor.
Started ossec-logcollector...
2011/02/22 21:15:05 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
bin/ossec-control: line 138:  9682 Segmentation fault      ${DIR}/bin/${i}


Any ideas how I can get this working?

Thanks,

J
