I can't post the exact ifconfig, but it boils down to this:

eth0: Up, xxx.xxx.xxx.xxx (primary IP address for communication with
OSSEC agents and Active Directory; does not share a subnet with any
agents; address translation handled at the router/switch level)
eth1: Up, Promiscuous (no IP)
eth2: Down (unused)
eth3: Up, xxx.xxx.xxx.xxx (secondary IP address for security
assessments; shares first two octets with OSSEC agents; route is down
at the router/switch level except during assessments)

The <remote> section of the manager's ossec.conf is:

  <remote>
    <connection>secure</connection>
    <port>xxxx</port>
  </remote>

Our sysadmin has been running some other tests; he found that if he
changes eth3 to a different IP address that doesn't share anything
with the agents, the problem goes away and OSSEC hears from its
agents. So it seems like OSSEC has decided to only listen to the
interface which shares part of its IP with its agents. But we'd had
this tested and working before, so why would it start to do this now?
