So Dan, I assume that I will need to reinstall the agent with the any or the 10.8.6.0/24 entry. I guess it will be for another server also with the same issue on the same subnet.

On Fri, Nov 4, 2016 at 9:06 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Nov 4, 2016 at 8:43 AM, Stephen LuShing <[email protected]> wrote:
> > I was able to install an OSSEC agent to a Solaris 10 server and everything
> > seems to be working. The only issue is I am getting this error, and I think
> > it is because the network interface has a primary and 2 virtual network
> > interfaces. Here are the network settings:
> >
> > sovcbanat1# ifconfig -a
> > lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
> >         inet 127.0.0.1 netmask ff000000
> > bge0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
> >         inet 10.8.6.21 netmask ffffff00 broadcast 10.8.6.255
> >         groupname NetworkMNICB
> >         ether 0:b:5d:e5:dd:66
> > bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
> >         inet 10.8.6.20 netmask ffffff00 broadcast 10.8.6.255
> > bge2: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
> >         inet 10.8.6.22 netmask ffffff00 broadcast 10.8.6.255
> >         groupname NetworkMNICB
> >         ether 0:b:5d:e5:dd:68
> > bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
> >         inet 10.8.6.28 netmask ffffff00 broadcast 10.8.6.255
> > sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 4
> >         inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
> >         ether 0:0:0:0:0:0
> >
> > I had set up the agent as sovcbanat1-bge0 --> 10.8.6.21. When we log in to
> > the server we log in to 10.8.6.20 (sovcbanat1). The issue, I think, is that
> > the remoted may not understand which is the primary interface since the other
> > virtual interfaces are active also. I looked and googled for a solution, and
> > one idea was to set up an allow_ip on the server.
> >
> > <remote>
> > <connection>secure</connection>
> > <allowed-ips>10.8.6.0/24</allowed-ips>
>
> I believe allowed-ips is only for syslog connection types.
>
> > </remote>
> >
> > This does not seem to work as I am still getting the message.
> >
> > So does anyone have any idea on how to either fix this or somehow bypass
> > this problem?
>
> If remoted is expecting the ossec packets to come from 10.8.6.21, you
> need to make sure the packets come from that IP address.
> Your OS should have routing options to make this happen.
> Or you could add the agent with an IP of 10.8.6.0/24 or even "any."
> Then it wouldn't matter as much which IP the packets come from.
>
> > Thanks in advance
> >
> > Stephen LuShing
> > System administrator
> > Hofstra University
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
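
The effect of the three registration choices discussed in this thread (single IP, 10.8.6.0/24, "any") can be checked offline against the host's interface list. This is an added example, not part of the thread and not OSSEC's own code: it models the manager's check simply as "the packet's source address must fall inside the address the agent was added with", and the function names and the trimmed `ifconfig` sample are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: interface header and inet lines from the ifconfig -a
# output quoted in the thread (groupname/ether lines left out).
IFCONFIG = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 10.8.6.21 netmask ffffff00 broadcast 10.8.6.255
bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.8.6.20 netmask ffffff00 broadcast 10.8.6.255
bge2: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 10.8.6.22 netmask ffffff00 broadcast 10.8.6.255
bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.8.6.28 netmask ffffff00 broadcast 10.8.6.255
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 4
        inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
"""

def local_addrs(text):
    """Map each interface name (including logical ones like bge0:2) to its IPv4 address."""
    addrs, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+): flags=", line)
        if head:
            iface = head.group(1)
            continue
        inet = re.match(r"\s+inet (\d+(?:\.\d+){3})", line)
        if inet and iface:
            addrs[iface] = inet.group(1)
    return addrs

def entry_accepts(registered, source_ip):
    """Assumed model: 'any' matches everything, otherwise the source must lie
    inside the registered address (a bare IP is treated as a /32)."""
    if registered.strip().lower() == "any":
        return True
    network = ipaddress.ip_network(registered, strict=False)
    return ipaddress.ip_address(source_ip) in network

def rejected(registered, addrs):
    """Interfaces whose address would NOT match the registered entry."""
    return [name for name, ip in addrs.items() if not entry_accepts(registered, ip)]

if __name__ == "__main__":
    addrs = local_addrs(IFCONFIG)
    for registered in ("10.8.6.21", "10.8.6.0/24", "any"):
        print(f"{registered:12} rejects traffic sourced from: {rejected(registered, addrs)}")
```

With the agent added as 10.8.6.21, only bge0 matches; the /24 entry covers all four bge addresses while still excluding lo0 and sppp0, which makes it the narrower of the two alternatives to "any".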
