On Fri, Nov 4, 2016 at 8:43 AM, Stephen LuShing <[email protected]> wrote:
> I was able to install an ossec agent on a Solaris 10 server and everything
> seems to be working. The only issue is I am getting this error, and I think
> it is because the network interface has a primary and 2 virtual network
> interfaces. Here are the network settings:
>
> sovcbanat1# ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> bge0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
>         inet 10.8.6.21 netmask ffffff00 broadcast 10.8.6.255
>         groupname NetworkMNICB
>         ether 0:b:5d:e5:dd:66
> bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 10.8.6.20 netmask ffffff00 broadcast 10.8.6.255
> bge2: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
>         inet 10.8.6.22 netmask ffffff00 broadcast 10.8.6.255
>         groupname NetworkMNICB
>         ether 0:b:5d:e5:dd:68
> bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 10.8.6.28 netmask ffffff00 broadcast 10.8.6.255
> sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 4
>         inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
>         ether 0:0:0:0:0:0
>
> I had set up the agent as sovcbanat1-bge0 --> 10.8.6.21. When we log in to
> the server we log in to 10.8.6.20 (sovcbanat1). The issue I think is that
> remoted may not understand which is the primary interface since the other
> virtual interfaces are active also. I looked and googled for a solution and
> one idea was to set up an allow_ip on the server.
>
> <remote>
>   <connection>secure</connection>
>   <allowed-ips>10.8.6.0/24</allowed-ips>
I believe allowed-ips is only for syslog connection types.

> </remote>
>
> This does not seem to work as I am still getting the message.
>
> So does anyone have any idea on how to either fix this or somehow bypass
> this problem?
>

If remoted is expecting the ossec packets to come from 10.8.6.21, you need to make sure the packets come from that IP address. Your OS should have routing options to make this happen. Or you could add the agent with an IP of 10.8.6.0/24 or even "any." Then it wouldn't matter as much which IP the packets come from.

> Thanks in advance
>
> Stephen LuShing
> System administrator
> Hofstra University
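The source-address check described in the reply, as an added example that is not part of the original thread or of OSSEC's own code: it models how the address field of an agent entry (single IP, CIDR, or "any") decides which of this host's interface addresses would be accepted. The client.keys-style entries, the agent names other than sovcbanat1-bge0 and the placeholder keys are constructed, and the matching logic is an assumed simplification of what remoted does.

```python
import ipaddress

# Constructed client.keys-style entries: "<id> <name> <ip> <key>".
# Keys are placeholders; the -subnet and -any agent names are hypothetical.
SAMPLE_KEYS = """\
001 sovcbanat1-bge0 10.8.6.21 PLACEHOLDER_KEY_1
002 sovcbanat1-subnet 10.8.6.0/24 PLACEHOLDER_KEY_2
003 sovcbanat1-any any PLACEHOLDER_KEY_3
"""

# Interface addresses taken from the ifconfig output in the thread.
HOST_ADDRS = ["10.8.6.21", "10.8.6.20", "10.8.6.22", "10.8.6.28", "10.1.1.2"]


def parse_keys(text):
    """Return {agent_name: ip_network} for each four-field entry."""
    agents = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _id, name, ip, _key = fields
        # Assumption: "any" is modelled as a network matching every IPv4 source.
        net = "0.0.0.0/0" if ip.lower() == "any" else ip
        agents[name] = ipaddress.ip_network(net, strict=False)
    return agents


def accepted_sources(agent_net, host_addrs):
    """Host addresses that fall inside the agent's registered address."""
    return [a for a in host_addrs if ipaddress.ip_address(a) in agent_net]


def report(keys_text=SAMPLE_KEYS, host_addrs=HOST_ADDRS):
    """Map each agent entry to (accepted, rejected) host source addresses."""
    out = {}
    for name, net in parse_keys(keys_text).items():
        ok = accepted_sources(net, host_addrs)
        out[name] = (ok, [a for a in host_addrs if a not in ok])
    return out


if __name__ == "__main__":
    for name, (ok, bad) in report().items():
        print(f"{name}: accepted={ok} rejected={bad}")
```

With the entry pinned to 10.8.6.21, traffic that leaves the host from 10.8.6.20 or the other addresses falls outside the registered address, which matches the symptom in the thread. Widening the entry to 10.8.6.0/24 or "any" removes the mismatch, but the source address then no longer ties the entry to one host, leaving the agent key as the only binding.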
