Thanks; at least I know I'm not trying to re-invent the wheel here. I'll have to dig deeper into the code. At some point the source IP is getting replaced by "any". I was able to verify that remoted was getting the actual source IP address (which it should), but I have yet to determine where it is being lost... just not that familiar with the codebase yet.
Lee

On Monday, February 15, 2016 at 7:00:36 AM UTC-5, Jesus Linares wrote:
> Hi,
>
> as far as I know you can't get the agent IP if it is connected using *any*.
> It is supposed that you should use *any* only if your agent IP changes
> frequently (DHCP). Anyway, keep in mind that even getting the IP, the DHCP
> will re-assign that IP so the analysis is difficult.
>
> Victor modified ossec-remoted
> <https://github.com/wazuh/ossec-wazuh/commit/b277f0b159a0145d7501d446c429db19a50f922a>
> to show agent IP when reported as invalid. So, maybe we can log the IP when
> the agent connects for the first time, or with the keep-alive, etc.
>
> Regards.
> Jesus Linares.
>
> On Saturday, February 13, 2016 at 5:19:40 AM UTC+1, Lee Mangold wrote:
>> Is there any way to report the actual IP the agent connects from, rather
>> than the IP on record? The use case here is a sort-of phone-home showing
>> where threats/attacks are occurring on mobile hardware. I use "any" for the
>> IP on all my agents, and that's less than helpful for analysis...
>>
>> Thanks
>> Lee
