On Thu, Oct 20, 2011 at 2:13 PM, Culver, Michael <[email protected]> wrote:
> Having not used a CIDR address for the agent setup I am not familiar with how
> this works. Does this change the way in which alerts are reported? If I
> have several machines that are in a particular address and subnet range and
> they all have agents on them how does ossec differentiate the individual
> messages from each server? Are they still created as separate agent entities
> with the same CIDR address? Thus preserving the reporting id and name?
>

You still have to create a new agent (using manage_agents) for each system.
They can each share the same CIDR.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Thursday, October 20, 2011 11:44 AM
> To: [email protected]
> Subject: Re: [ossec-list] ossec agent issue on multi address machine
>
> If the IPs are in the same subnet, set up the agent with a CIDR address
> for its IP (XXX.0/24). If not, you should be able to handle this with
> a custom route (or use "any" as the IP).
>
> On Thu, Oct 20, 2011 at 11:27 AM, Culver, Michael <[email protected]> wrote:
>> I have a server that has two IP addresses on separate network interfaces. So
>> something like this.
>>
>> Server IP - x.x.x.1
>> Server website IP - x.x.x.2
>>
>> DNS for both the server and the website are different.
>>
>> When I set the agent up to use the server IP (x.x.x.1). It reports
>> "ossec-remoted(1213): WARN: Message from x.x.x.2 not allowed"
>>
>> When I set the agent to use the website IP (x.x.x.2). It reports
>> "ossec-remoted(1403): ERROR: Incorrectly formatted message from 'x.x.x.2'."
>>
>> Ideally it should not be using the website IP. But when the agent is
>> talking to the ossec server it communicates as x.x.x.2.
>>
>> Has anyone seen anything like this?
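
A sketch of the allowed-address check discussed in this thread, as an added example that is not part of the original messages and is not OSSEC code. It assumes agent entries laid out as "ID name IP key" with constructed sample values, and it models only whether an entry's single address, CIDR range or "any" covers a source IP, not how ossec-remoted identifies the sender.

```python
import ipaddress

# Constructed sample entries in an assumed "ID name IP key" layout.
# Addresses are documentation ranges and the keys are placeholders.
SAMPLE_KEYS = """\
001 web01 192.0.2.0/24 PLACEHOLDER_KEY_1
002 web02 192.0.2.0/24 PLACEHOLDER_KEY_2
003 db01 198.51.100.7 PLACEHOLDER_KEY_3
004 laptop any PLACEHOLDER_KEY_4
"""


def parse_agents(text):
    """Return one dict per agent entry; each keeps its own ID and name."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 4:
            continue  # skip comments and malformed lines
        agent_id, name, allowed, _key = parts
        # "any" accepts every source; a bare address is treated as a /32.
        net = None if allowed == "any" else ipaddress.ip_network(allowed, strict=False)
        agents.append({"id": agent_id, "name": name, "allowed": allowed, "net": net})
    return agents


def entries_allowing(agents, source_ip):
    """IDs of the entries whose allowed address covers source_ip."""
    src = ipaddress.ip_address(source_ip)
    return [a["id"] for a in agents if a["net"] is None or src in a["net"]]


def source_permitted(agents, agent_id, source_ip):
    """Would this agent's entry accept a message arriving from source_ip?"""
    return agent_id in entries_allowing(agents, source_ip)


if __name__ == "__main__":
    agents = parse_agents(SAMPLE_KEYS)
    # Two agents share 192.0.2.0/24 but remain separate entries (001 and 002).
    for ip in ("192.0.2.1", "192.0.2.2", "198.51.100.8"):
        print(ip, "->", entries_allowing(agents, ip))
```

An entry registered with one address rejects traffic that leaves the host from its second interface, which is the "not allowed" case in the original question; the same entry with a /24 accepts both addresses.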
