I was able to install an OSSEC agent on a Solaris 10 server and everything
seems to be working. The only issue is I am getting this error, and I think
it is because the network interface has a primary and 2 virtual network
interfaces. Here are the network settings:

sovcbanat1# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 10.8.6.21 netmask ffffff00 broadcast 10.8.6.255
        groupname NetworkMNICB
        ether 0:b:5d:e5:dd:66
bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.8.6.20 netmask ffffff00 broadcast 10.8.6.255
bge2: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 10.8.6.22 netmask ffffff00 broadcast 10.8.6.255
        groupname NetworkMNICB
        ether 0:b:5d:e5:dd:68
bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.8.6.28 netmask ffffff00 broadcast 10.8.6.255
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 4
        inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
        ether 0:0:0:0:0:0


I had set up the agent as sovcbanat1-bge0 --> 10.8.6.21. When we log in to
the server we log in to 10.8.6.20 (sovcbanat1). The issue, I think, is that
remoted may not understand which is the primary interface, since the other
virtual interfaces are also active. I looked and googled for a solution, and
one idea was to set up an allow_ip on the server.

  <remote>
    <connection>secure</connection>
    <allowed-ips>10.8.6.0/24</allowed-ips>
  </remote>

This does not seem to work as I am still getting the message.

So does anyone have any idea how to either fix this or somehow bypass
this problem?


Thanks in advance

Stephen LuShing
System administrator
Hofstra University
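
An added diagnostic sketch, not part of the original post or of OSSEC: it parses the `ifconfig -a` output above and reports, for each address, whether it equals the registered agent address (10.8.6.21), falls inside the `allowed-ips` range, and carries the DEPRECATED flag, which on Solaris means the address is normally not chosen as the source of outgoing packets. The function names are hypothetical, and it assumes, as the post supposes, that the server compares a packet's source address with the registered one.

```python
import ipaddress
import re

# Interface lines taken from the post, with the e-mail line wraps rejoined.
IFCONFIG = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 10.8.6.21 netmask ffffff00 broadcast 10.8.6.255
bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.8.6.20 netmask ffffff00 broadcast 10.8.6.255
bge2: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 10.8.6.22 netmask ffffff00 broadcast 10.8.6.255
bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.8.6.28 netmask ffffff00 broadcast 10.8.6.255
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 4
        inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
"""

HEADER = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
INET = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)")

def parse_ifconfig(text):
    """Return [(logical_interface, flag_set, ipv4)] from Solaris ifconfig -a."""
    out, name, flags = [], None, set()
    for line in text.splitlines():
        header, inet = HEADER.match(line), INET.match(line)
        if header:
            name, flags = header.group(1), set(header.group(2).split(","))
        elif inet and name:
            out.append((name, flags, inet.group(1)))
    return out

def audit(text, registered_ip, allowed_cidr):
    """Map each non-loopback address to the checks relevant to the mismatch."""
    net = ipaddress.ip_network(allowed_cidr)
    report = {}
    for name, flags, ip in parse_ifconfig(text):
        if "LOOPBACK" in flags or "UP" not in flags:
            continue
        report[ip] = {
            "interface": name,
            # DEPRECATED addresses are avoided as outbound source addresses.
            "preferred_source": "DEPRECATED" not in flags,
            "matches_registered": ip == registered_ip,
            "in_allowed_ips": ipaddress.ip_address(ip) in net,
        }
    return report

for ip, row in audit(IFCONFIG, "10.8.6.21", "10.8.6.0/24").items():
    print(ip, row)
```

With the values from the post, the registered address 10.8.6.21 is the only one that matches and it is flagged DEPRECATED, while the non-deprecated addresses 10.8.6.20 and 10.8.6.28 are inside `allowed-ips` but do not match the registered address.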
