Hi, as far as I know you can't get the agent IP if it is connected using *any*. You are supposed to use *any* only if your agent IP changes frequently (DHCP). Anyway, keep in mind that even getting the IP, the DHCP will re-assign that IP so the analysis is difficult.
Victor modified ossec-remoted <https://github.com/wazuh/ossec-wazuh/commit/b277f0b159a0145d7501d446c429db19a50f922a> to show agent IP when reported as invalid. So, maybe we can log the IP when the agent connects for the first time, or with the keep-alive, etc.

Regards.
Jesus Linares.

On Saturday, February 13, 2016 at 5:19:40 AM UTC+1, Lee Mangold wrote:
> Is there any way to report the actual IP the agent connects from, rather
> than the IP on record? The use case here is a sort-of phone-home showing
> where threats/attacks are occurring on mobile hardware. I use "any" for the
> IP on all my agents, and that's less than helpful for analysis...
>
> Thanks
> Lee
