Wow, that seems pretty complicated.

You can specify the IP address the OSSEC manager will use in its ossec.conf.

You could use tcpdump to see which IP address the OSSEC manager is
attempting to use when communicating with the agents. I'm guessing the
error message you see is because the manager is using the wrong IP.

On Sun, Mar 27, 2011 at 5:13 PM, Valentin Avram <[email protected]> wrote:
> Hello.
>
> I have successfully installed an OSSEC server with 11 agents and all was
> working as expected. The server was on a LAN connected via a client-to-site
> VPN to another LAN where the agents are located. The server had an 10.x.y.z
> IP while the agents used 192.168.a.b addresses, the server LAN being where
> the VPN server is located, and the clients being located behind the VPN
> client which does all the routing.
>
> All worked well until we moved the VPN server to the same server where the
> OSSEC server resides. This way, that server also gained an 172.16.z.w IP
> address, at which moment all agents appeared as disconnected.
>
> After tweaking the routing and doing the necessary firewall changes, I
> decided to start modifying only the firewall and setup of one OSSEC agent so
> that after I figure out the correct setup I will make the necessary changes
> to all of them. The changes were necessary because although the OSSEC server
> preserved the old IP address the clients were aware of and all the agents
> showed as Online, in the OSSEC server log I could see messages like this,
> for all agents:
> 2011/03/27 23:34:38 ossec-remoted(1218): ERROR: Unable to send message to 002.
>
> But at this moment I'm stuck and out of ideas.
>
> Previous setup:
> - OSSEC server at 10.x.y.z
> - OSSEC client at 192.168.a.b
> - VPN client at 192.168.a.c / 172.16.q.y doing all the routing.
> - VPN server at 172.16.z.w doing all the routing.
>
> ALL OK.
>
> Current setup:
> - OSSEC server at 10.x.y.z / 172.16.z.w
> - OSSEC client at 192.168.a.b - nothing changed
> - VPN client at 192.168.a.c / 172.16.q.y doing all the routing - nothing
> changed
> - VPN server on the same machine as OSSEC server doing all the routing.
>
> I modified the server address on the OSSEC agent to point to 172.16.z.w,
> since that is the address in the UDP packets from the OSSEC server.
> I changed all the firewalls to reflect the changes.
> As far as i see, the OSSEC server listens on all network interfaces.
>
> Good behaviour:
> - the moment I made the changes above, the messages in the OSSEC server logs
> about Unable to send message stopped for the agent I made the changes on.
> - on the agent I can see an ESTABLISHED connection from the client to the
> server
>
> Bad behaviour:
> - in the OSSEC WUI which is installed on the OSSEC server, the agent appears
> as offline.
> - list_agents utility reports that the agent is not active.
> - although on the agent I can see the established UDP connection:
> # netstat -tupan | grep 1514
> udp        0      0 192.168.a.b:37082   172.16.z.w:1514   ESTABLISHED 24411/ossec-agentd
>
> on the server I see no connections to UDP 1514 at all (probably normal?):
> # netstat -tupan | grep 1514
> udp        0      0 0.0.0.0:1514        0.0.0.0:*         28901/ossec-remoted
>
> - I set agentd.debug to 2 on the agent but nothing appears in the log about
> it.
> - agent_control utility reports the agent as disconnected
> - all other agents using the old 10.x.y.z address for server IP show as
> Active, the WUI shows data coming from them but in the logs I see the
> "Unable to send message to agent" messages.
>
> Does anybody have any idea why this behaviour is happening?
>
> I could re-activate the agent by reimporting the key or by generating a new
> key and importing it on the agent, but I have no idea if the server will be
> able to "link" the "new" agent to the "old" one (since it's really the same
> agent). Any ideas about that?
>
> Thank you for your time.
>
>

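The reply above suggests watching with tcpdump which source address the manager (ossec-remoted) uses toward each agent. The script below is an added example for doing that check, not code from the thread or from the OSSEC project. It parses the text output of a tcpdump run on the manager and reports, per agent, the source IP the manager replied from, then flags any agent that is not being answered from the address configured on the agent side. The addresses (10.0.0.1, 172.16.0.1, 192.168.1.10, ...) and the sample capture are constructed placeholders standing in for the 10.x.y.z / 172.16.z.w / 192.168.a.b hosts in the thread; the tcpdump line shape is the usual `-nn` format, with or without the interface/direction columns newer versions print for `-i any`. The `ip route get` hint in the comments is the quick way to see which source address the kernel will select for a destination before you even capture.

```shell
#!/bin/sh
# Added example, not code from the thread or the OSSEC project.
# Summarise which source address the OSSEC manager (ossec-remoted) uses when it
# sends to each agent, from the text output of a capture taken on the manager:
#
#   tcpdump -nn -l -i any 'udp and src port 1514' | tee /tmp/remoted.txt
#
# Before capturing, `ip route get <agent-ip>` on the manager prints the "src"
# address the kernel will pick for that destination; the capture confirms it.
# All addresses below are placeholders chosen for the example.

# Read tcpdump -nn lines on stdin; print "agent_ip manager_src_ip packets".
# Works with and without the interface/direction columns newer tcpdump prints
# for -i any: the parser locates the "IP src > dst:" tokens rather than
# relying on fixed field positions.
manager_sources() {
    awk '
    {
        for (i = 1; i + 3 <= NF; i++) {
            if ($i == "IP" && $(i + 2) == ">") {
                src = $(i + 1); dst = $(i + 3)
                sub(/:$/, "", dst)            # drop trailing colon
                sub(/\.[0-9]+$/, "", src)     # strip .port
                sub(/\.[0-9]+$/, "", dst)
                count[dst " " src]++
                break
            }
        }
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Exit 0 if every manager->agent packet left from $1 (the server IP the agents
# have configured); otherwise print the offending "agent_ip manager_src_ip
# packets" lines on stderr and exit 1.
check_manager_source() {
    expected="$1"
    bad=$(manager_sources | awk -v want="$expected" '$2 != want')
    if [ -n "$bad" ]; then
        printf 'manager is NOT sending from %s to:\n%s\n' "$expected" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample capture (not real data): the manager answers agent
# 192.168.1.10 from 172.16.0.1 (the new VPN address) while agent 192.168.1.11
# still gets packets from 10.0.0.1 (the old address).
SAMPLE_CAPTURE='12:00:00.000001 IP 172.16.0.1.1514 > 192.168.1.10.37082: UDP, length 98
12:00:00.000002 tun0  Out IP 172.16.0.1.1514 > 192.168.1.10.37082: UDP, length 98
12:00:01.000003 IP 10.0.0.1.1514 > 192.168.1.11.40110: UDP, length 98'

# Stand-alone demo: summarise the sample, then check it against the old IP.
printf '%s\n' "$SAMPLE_CAPTURE" | manager_sources
printf '%s\n' "$SAMPLE_CAPTURE" | check_manager_source 10.0.0.1 || true
```

In practice replace `SAMPLE_CAPTURE` with the file written by the tcpdump command in the header comment, and pass `check_manager_source` the `<server-ip>` the agents have in their ossec.conf. Any agent listed in the output is one whose replies leave the manager from a different interface than the agent was told to talk to, which is exactly the situation the thread describes after the VPN server moved onto the manager.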