This can be resolved by the route command on Server 2008. You'll want to do a 'route PRINT' to determine the interface number that you want the traffic to be sent out on. Let's presume your OSSEC server's IP is 192.168.23.23. To add a static route to your configuration, you'd open a commandline and issue something like the following (replacing the IF with your own interface number, of course):
route -p ADD 192.168.23.23 MASK 255.255.255.255 134.114.23.1 METRIC 10 IF 1 From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Tim Brigham Sent: Monday, July 15, 2013 11:15 AM To: ossec-list@googlegroups.com Subject: [ossec-list] Windows OSSEC Agent on a multihomed device I have one specific 2008 R2 server that is set up in the following fashion using port forwarding to a protected subnet. 192.168.100.4 (main server IP) 192.168.100.60 -> 192.168.103.xx 192.168.100.61 -> 192.168.103.xy 192.168.100.62 -> 192.168.103.xz I'm running the 2.7 OSSEC client. Ever since I added these secondary IPs and the port forwards I'm not able to connect to the server. The error in the log is "ossec-remoted(1213): WARN: Message from 192.168.100.60 not allowed." The 192.168.100.4 is the first IP binding on the interface. Is there a way to specify in the ossec.conf client side to specify the local IP to use, or any other resolution for that matter? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
