Hello, I am working on a deployment that is going to involve multiple external locations (behind a NAT) with all of them talking back to 1 server.
Location 1 will be a mixture of Linux and Windows agents. There will be ~10 hosts at this location all going out of a single NAT, 1.1.1.1. Location 2 will have ~5 Linux machines going out a single NAT, 2.2.2.2. Location 3 will have ~20 Windows machines going out a single NAT, 3.3.3.3.

So far I have gotten this general setup to work by creating an individual key for each host and setting the IP address to "any". However, I am curious if there is any way to set up 1 key per location and have all agents share that one key. So I can give location 1 keyA and they put that on all of the agents and it is able to talk back to the portal. I kinda sorta got this to work by creating Location1 on the OSSEC server and giving it an IP of 1.1.1.1/32. I know if I just do 1.1.1.1 it says duplicate key error, but if I put a CIDR around it, it has worked sometimes and other times it hasn't. So that is my first question. Is this scenario doable?

My second question is, if I am able to make the above setup work, is there any way I can distinguish the individual agents from one another? I know by default, if we have the hostnames set up correctly, I will see Location1 as the "location" but I will see host1 somewhere in the log to distinguish it. Are there any additional fields that I can force OSSEC to send with the logs, such as the internal IP? This is especially the case for integrity checking alerts since it doesn't even give the hostname on those. Can I force it to?

Thanks in advance for any advice/information you all have.

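The "duplicate key" error in the post comes down to two client.keys entries claiming the same source address, and `1.1.1.1` and `1.1.1.1/32` denote the same single host, so normalising the address field before comparing shows why they collide. The following script is an added example written for this post, not OSSEC's own code or the poster's; it assumes the usual client.keys layout of one agent per line with four whitespace-separated fields (`<id> <name> <ip-or-cidr-or-any> <key>`), parses a constructed sample file with placeholder keys, and reports entries whose address ranges are identical or overlap. Entries set to `any` are listed but not compared, since the poster reports that per-host `any` entries work.

```python
"""Audit an OSSEC client.keys file for duplicate or overlapping agent addresses.

Added example (not OSSEC project code). Assumed file layout, one agent per line:
    <id> <name> <ip | cidr | any> <key>
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample client.keys: three NAT'd sites, one stray per-host entry
# that collides with a site entry, one 'any' host, and a lab subnet with a
# host inside it. Keys are placeholders, not real agent keys.
SAMPLE_CLIENT_KEYS = """\
001 Location1 1.1.1.1/32 PLACEHOLDERKEY01
002 Location2 2.2.2.2 PLACEHOLDERKEY02
003 Location3 3.3.3.3/32 PLACEHOLDERKEY03
004 host-a 1.1.1.1 PLACEHOLDERKEY04
005 host-b any PLACEHOLDERKEY05
006 lab-net 10.0.0.0/24 PLACEHOLDERKEY06
007 lab-host 10.0.0.7 PLACEHOLDERKEY07
"""

# (agent id, agent name, network or None for 'any')
Entry = Tuple[str, str, Optional[ipaddress.IPv4Network]]


def parse_client_keys(text: str) -> List[Entry]:
    """Parse client.keys text; a bare IP becomes a /32 so it compares equal to its CIDR form."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        agent_id, name, addr, _key = parts
        net = None if addr.lower() == "any" else ipaddress.ip_network(addr, strict=False)
        entries.append((agent_id, name, net))
    return entries


def find_conflicts(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (id_a, id_b, reason) for every pair of explicit entries that clash.

    reason is 'duplicate' when both describe exactly the same range and
    'overlap' when one range contains part of the other (e.g. a /24 and a
    host inside it). 'any' entries are skipped.
    """
    explicit = [e for e in entries if e[2] is not None]
    conflicts = []
    for i, (id_a, _name_a, net_a) in enumerate(explicit):
        for id_b, _name_b, net_b in explicit[i + 1:]:
            if net_a == net_b:
                conflicts.append((id_a, id_b, "duplicate"))
            elif net_a.overlaps(net_b):
                conflicts.append((id_a, id_b, "overlap"))
    return conflicts


def catch_all_entries(entries: List[Entry]) -> List[str]:
    """IDs of entries whose address is 'any' (accepted from any source address)."""
    return [agent_id for agent_id, _name, net in entries if net is None]


def report(text: str) -> List[str]:
    """Human-readable summary lines for a client.keys file."""
    entries = parse_client_keys(text)
    by_id = {agent_id: name for agent_id, name, _net in entries}
    lines = []
    for id_a, id_b, reason in find_conflicts(entries):
        lines.append(f"{reason}: {id_a} ({by_id[id_a]}) and {id_b} ({by_id[id_b]})")
    for agent_id in catch_all_entries(entries):
        lines.append(f"catch-all: {agent_id} ({by_id[agent_id]}) uses 'any'")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CLIENT_KEYS):
        print(line)
```

Running it on a real file (`report(open("/var/ossec/etc/client.keys").read())`) lists each colliding pair before OSSEC refuses the key; the sample shows entry 004 duplicating the Location1 site entry once both are normalised to /32, and the lab host sitting inside the lab subnet.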