Re: [ossec-list] two interfaces

[Richard Worwood]

As I thought it's your routing. because your default gateway is set on eth1
the source address for the packet will be the ip on eth1 not eth0.

Cheers

Richard


On 8 March 2012 07:51, Michael Barrett <michael_barr...@mgic.com> wrote:

>
> It the one on eth0   xxx.122.188.10
> *____________________________________________*
> *Michael Barrett* <xxxxx.xx...@mgic.com>* *| *Information Security
> Analyst - Lead* | *Mortgage Guaranty Insurance 
> Corporation*<http://www.mgic.com/>
> 270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7
> 1.888.601.4440 | * michael_barr...@mgic.com
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.
>
>
>
>  From: Richard Worwood <rich...@ticoc.com> To: ossec-list@googlegroups.com
> Date: 03/06/2012 11:31 AM Subject: Re: [ossec-list] two interfaces Sent
> by: ossec-list@googlegroups.com
> ------------------------------
>
>
>
> Michael,
> What is the ip address you have setup for this agent on the ossec server?
>
> Thanks
>
> Richard
>
>
> On 6 March 2012 09:12, Michael Barrett 
> <*michael_barr...@mgic.com*<michael_barr...@mgic.com>>
> wrote:
>
> -bash-3.2# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:50:56:9E:74:AA
>           inet addr:xxx.122.188.10  Bcast:xxx.144.188.255
>  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fe9e:74aa/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:6178827 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:4160605 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1077461901 (1.0 GiB)  TX bytes:1184506761 (1.1 GiB)
>           Interrupt:59 Base address:0x2000
>
> eth1      Link encap:Ethernet  HWaddr 00:50:56:9E:46:81
>           inet addr:xxx.22.190.10  Bcast:xxx.22.190.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fe9e:4681/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:436063 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:235094 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:279010171 (266.0 MiB)  TX bytes:254848908 (243.0 MiB)
>           Interrupt:67 Base address:0x2040
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:253 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:253 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:59380 (57.9 KiB)  TX bytes:59380 (57.9 KiB)
>
> -bash-3.2# netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt
> Iface
> xxx.22.190.0    0.0.0.0         255.255.255.0   U         0 0          0
> eth1
> xxx.144.188.0   0.0.0.0         255.255.255.0   U         0 0          0
> eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0
> eth1
> 0.0.0.0         xxx.22.190.254        0.0.0.0         UG        0 0
>    0 eth1
>
>
> -bash-3.2# tracert ossec.server
> traceroute to ossec.server (xxx.xxx.190.48), 30 hops max, 40 byte packets
>  1  router          (xxx.144.190.245) 0.364 ms  0.426 ms  0.463 ms
>  2  ossec.server (xxx.144.190.48)  0.155 ms  0.139 ms  0.133 ms
> *____________________________________________* *
> **Michael Barrett* <xxxxx.xx...@mgic.com>* *| *Information Security
> Analyst - Lead* | *Mortgage Guaranty Insurance 
> Corporation*<http://www.mgic.com/>
> 270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7
> 1.888.601.4440 | * michael_barr...@mgic.com
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.
>
>
>   From: Richard Worwood <*rich...@ticoc.com* <rich...@ticoc.com>>  To: *
> ossec-list@googlegroups.com* <ossec-list@googlegroups.com>  Date: 03/06/2012
> 08:05 AM  Subject: Re: [ossec-list] two interfaces  Sent by: *
> ossec-list@googlegroups.com* <ossec-list@googlegroups.com>
>
>  ------------------------------
>
>
>
> I would say this is a unix routing issue where the systems own routing
> table is telling the machine to use the other interface as it is "closer".
>
> Michael,
>
> It would be very useful if you could supply the list with some sort of
> network addressing schema for your system along with a copy of the routing
> table.
>
> Would suggest the following as a minimum.
>
>    - ifconfig
>    - netstat -nr
>    - traceroute to ossec server
>
>
>
> Thanks
>
> Richard
>
>
> On 6 March 2012 06:39, Michael Barrett 
> <*michael_barr...@mgic.com*<michael_barr...@mgic.com>>
> wrote:
>
> I'm not sure.  The unix team doesn't seem to think so....
>
> Can I assign two keys?  I tried putting 2 in the client.keys but that
> didn't seem to work.  Maybe I did it wrong? *
> ____________________________________________* *
> **Michael Barrett* <xxxxx.xx...@mgic.com>* *| *Information Security
> Analyst - Lead* | *Mortgage Guaranty Insurance 
> Corporation*<http://www.mgic.com/>
> 270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7
> 1.888.601.4440 | * michael_barr...@mgic.com
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.
>
>   From: "dan (ddp)" <*ddp...@gmail.com* <ddp...@gmail.com>>  To: *
> ossec-list@googlegroups.com* <ossec-list@googlegroups.com>  Date: 03/06/2012
> 05:55 AM  Subject: Re: [ossec-list] two interfaces  Sent by: *
> ossec-list@googlegroups.com* <ossec-list@googlegroups.com>
>
>
>  ------------------------------
>
>
>
>
> I may be way off base here, but shouldn't the system's routing take
> care of this?
>
> On Mon, Mar 5, 2012 at 1:29 PM, Michael Barrett
> <*michael_barr...@mgic.com* <michael_barr...@mgic.com>> wrote:
> >
> > I have a RH 5 box with two interfaces on different subnets
> >
> > The interface that the key is on works fine but the other interface is
> > trying to connect to the ossec server and I get a reject error
> >
> > Is there any way to configure the agent to use only one interface?
> > ____________________________________________
> > Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
> > Insurance Corporation
> > 270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7
> > 1.888.601.4440 | * michael_barr...@mgic.com
> >
> > This message is intended for use only by the person(s) addressed above
> and
> > may contain privileged and confidential information. Disclosure or use of
> > this message by any other person is strictly prohibited. If this message
> is
> > received in error, please notify the sender immediately and delete this
> > message.
>
>
>
>
>
>
>