Having not used a CIDR address for the agent setup, I am not familiar with how this works. Does this change the way in which alerts are reported? If I have several machines that are in a particular address and subnet range and they all have agents on them, how does ossec differentiate the individual messages from each server? Are they still created as separate agent entities with the same CIDR address, thus preserving the reporting id and name?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, October 20, 2011 11:44 AM
To: [email protected]
Subject: Re: [ossec-list] ossec agent issue on multi address machine

If the IPs are in the same subnet, set up the agent with a CIDR address for its IP (XXX.0/24). If not, you should be able to handle this with a custom route (or use "any" as the IP).

On Thu, Oct 20, 2011 at 11:27 AM, Culver, Michael <[email protected]> wrote:
> I have a server that has two IP addresses on separate network interfaces. So
> something like this.
>
> Server IP - x.x.x.1
> Server website IP - x.x.x.2
>
> DNS for both the server and the website are different.
>
> When I set the agent up to use the server IP (x.x.x.1), it reports
> "ossec-remoted(1213): WARN: Message from x.x.x.2 not allowed"
>
> When I set the agent to use the website IP (x.x.x.2), it reports
> "ossec-remoted(1403): ERROR: Incorrectly formatted message from 'x.x.x.2'."
>
> Ideally it should not be using the website IP. But when the agent is talking
> to the ossec server it communicates as x.x.x.2.
>
> Has anyone seen anything like this?
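
An added illustration, not part of the thread and not OSSEC code: a simplified model of the source-address check behind the "not allowed" warning. It shows why a single-IP entry rejects traffic arriving from the second interface while a CIDR or "any" entry accepts it, and that several agents registered with the same range all match on source address alone. The 192.0.2.x addresses and agent names are constructed, and the matching logic is an assumption about the check, not taken from the OSSEC source.

```python
import ipaddress


def entry_allows(allowed: str, source: str) -> bool:
    """True if `source` falls inside an agent's registered address entry.

    `allowed` is a single IP, a CIDR range, or the literal "any"
    (the three forms mentioned in the thread).
    """
    allowed = allowed.strip()
    if allowed.lower() == "any":
        return True
    # strict=False also accepts host-style input such as 192.0.2.1/24;
    # a bare address becomes a /32 (or /128) network.
    network = ipaddress.ip_network(allowed, strict=False)
    addr = ipaddress.ip_address(source)
    return addr.version == network.version and addr in network


def matching_agents(agents: dict, source: str) -> list:
    """Names of every registered agent whose entry accepts `source`."""
    return sorted(n for n, allowed in agents.items() if entry_allows(allowed, source))


# Constructed sample data: 192.0.2.0/24 stands in for the thread's x.x.x.0/24.
SERVER_IP = "192.0.2.1"   # address the agent was registered with
WEBSITE_IP = "192.0.2.2"  # address the agent's traffic actually arrives from

# Hypothetical agents; two share the same CIDR entry.
AGENTS = {
    "web01": "192.0.2.0/24",
    "web02": "192.0.2.0/24",
    "db01": "198.51.100.7",
}

if __name__ == "__main__":
    for allowed in (SERVER_IP, "192.0.2.0/24", "any"):
        verdict = entry_allows(allowed, WEBSITE_IP)
        print(f"{allowed:>14} accepts {WEBSITE_IP}: {verdict}")
    # With a shared range, the source address alone matches more than one
    # entry, so it cannot by itself identify which agent sent the message.
    print("entries matching", WEBSITE_IP, "->", matching_agents(AGENTS, WEBSITE_IP))
```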
