Hi Joel,
On Tue, Feb 22, 2011 at 9:19 PM, Joel Brooks <[email protected]> wrote:
> Hi gang,
>
> I'm wondering if there's any tricks to getting ossec working when the
> server is behind a NAT.
>
> here's the case:
>
> I have some linode servers that I'd like to monitor with ossec.
> The ossec server is in the office behind a NATting firewall.
> The ossec agent on the linode boxes is configured to use the public
> IP on the default port (1514).
> The firewall will translate the public IP to the internal (rfc 1918)
> address, but doesn't change the port.
>
> I'm trying to get the linode agents to be managed centrally, so the
> only thing in the ossec.conf is the
>
> <client>
> <server-ip>1.2.3.4</server-ip>
> </client>
>
> stuff.
>
> looking at the logs on the agent, I see these messages repeated many
> times:
>
> 2011/02/22 03:25:33 ossec-agentd: INFO: Trying to connect to server
> (gw.domain.com/1.2.3.4:1514).
> 2011/02/22 03:25:54 ossec-agentd(4101): WARN: Waiting for server reply
> (not started). Tried: 'gw.domain.com/1.2.3.4'
>
> and:
>
> 2011/02/22 20:58:25 ossec-agentd(1214): WARN: Problem receiving
> message from 1.2.3.4.
>
Is the traffic getting to the manager? tcpdump can help you determine that.
Also, if the traffic is getting there, check the logs on the manager
for anything about this remote agent.
> When I stop/start the agent (on the linode systems), I get this:
>
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> Started ossec-execd...
> Started ossec-agentd...
> 2011/02/22 21:15:05 ossec-logcollector(1905): INFO: No file configured
> to monitor.
> Started ossec-logcollector...
> 2011/02/22 21:15:05 ossec-syscheckd(1702): INFO: No directory provided
> for syscheck to monitor.
> bin/ossec-control: line 138: 9682 Segmentation fault ${DIR}/bin/${i}
>
I think this bug (the seg fault without syscheck/localfile configs)
has been fixed post 2.5.1, but I'd recommend setting up something for
now. Just put a bit more configuration in there until the agent can
connect to the manager and get/use the agent.conf.
>
> Any ideas how I can get this working?
>
> Thanks,
>
> J
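As an added example (not part of this thread or of OSSEC itself), the workaround the reply suggests in script form: a minimal 2.5.1 agent ossec.conf that puts one syscheck directory and one localfile beside the `<client>` block so the agent has something to monitor, plus a small check over the agent log lines quoted above that tells whether the manager ever answered. 1.2.3.4 is the placeholder manager address from the thread; the /etc and /var/log/messages paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a minimal OSSEC 2.5.1 agent
# config with the suggested workaround and classifies ossec-agentd log lines.
# On the manager, confirm the UDP/1514 packets actually arrive through the
# NAT before looking further:   tcpdump -ni any udp port 1514

# Emit the agent config. $1 is the manager address (1.2.3.4 in the thread);
# /etc and /var/log/messages are assumed paths, use whatever exists on the host.
ossec_agent_conf() {
  cat <<EOF
<ossec_config>
  <client>
    <server-ip>$1</server-ip>
  </client>
  <!-- Workaround: a 2.5.1 agent segfaults with no syscheck/localfile configured -->
  <syscheck>
    <directories check_all="yes">/etc</directories>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
EOF
}

# Read agent log lines on stdin and print one word:
#   ok        - the agent logged a successful connection
#   no-reply  - only "Trying to connect"/"Waiting for server reply": packets
#               leave the agent but nothing comes back (NAT rule, firewall,
#               manager not running, or agent key not registered)
#   unknown   - nothing relevant seen
classify_agent_log() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -q 'Connected to the server'; then
    echo ok
  elif printf '%s\n' "$log" | grep -q 'Waiting for server reply'; then
    echo no-reply
  else
    echo unknown
  fi
}

# Constructed sample: the three agent log lines quoted in the thread.
SAMPLE_LOG='2011/02/22 03:25:33 ossec-agentd: INFO: Trying to connect to server (gw.domain.com/1.2.3.4:1514).
2011/02/22 03:25:54 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '"'"'gw.domain.com/1.2.3.4'"'"'
2011/02/22 20:58:25 ossec-agentd(1214): WARN: Problem receiving message from 1.2.3.4.'
```

Run as `ossec_agent_conf 1.2.3.4 > /var/ossec/etc/ossec.conf` on the agent, and `classify_agent_log < /var/ossec/logs/ossec.log` to read the current state.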