I've got the problem in the other direction - I have client machines with multiple virtual interfaces, and after a reboot the ossec agent binds to different addresses, breaking agent->server comms. Switching to using a network address range as the client address works for alerting, but breaks the WUI, so I don't want to do that. A config option to force the agent to use a specific IP would be better...
Rob -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Mark C Sent: 17 March 2009 13:47 To: ossec-list Subject: [ossec-list] Re: Specify LISTEN IP and/or interface on the server? The <local_ip> I was trying was the IP attached to the eth0:0 interface. And yes, I restarted both the server and clients. I just tried entering 0.0.0.0. When starting ossec: 2009/03/17 08:43:45 ossec-config(1237): ERROR: Invalid ip address: '0.0.0.0'. 2009/03/17 08:43:45 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting. 2009/03/17 08:43:45 ossec-remoted(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting. I found someone else having a similar problem: http://groups.google.com/group/ossec-list/browse_thread/thread/3cc3390d5ad19a24/b2c16a478b9a97a1?lnk=gst&q=local_ip#b2c16a478b9a97a1 It sounds like Daniel Cid, a developer, I presume, was going to take a look at this in Oct 2007 (v1.5) but this is still a problem. For some reason, it looks like ossec is not looking at the incoming DST IP from the clients and using that as the SRC IP when responding. I am sure my situation of using a floating IP is quite common - can anyone say that they've used virtual interfaces successfully, first hand? On Mar 16, 7:42 pm, Christopher <c.bo...@gmail.com> wrote: > What IP did you specify with that option? I would assume setting 0.0.0.0 > would allow OSSEC to listen on any IP address. You are restarting the > server after you make these changes, right? > > On Mon, Mar 16, 2009 at 3:40 PM, Mark C <ved...@gmail.com> wrote: > > > Oh, I tried the <local_ip> option specified here: > >http://www.ossec.net/main/manual/configuration-options/#remote_options > > > <remote> > > <connection>syslog</connection> > > <local_ip>xxx.xxx.xxx.xxx</local_ip> > > </remote> > > > And it did not work even after restarting. > > > On Mar 16, 2:54 pm, Mark C <ved...@gmail.com> wrote: > > > Hi all, > > > > I've just installed OSSEC 2 on an Ubuntu 6.06 server 32bit system. > > > It's part of a simple cluster where there's a floating IP, eth0:0. I > > > setup 2 agents, and during the initial setup gave them the floating > > > IP. Here's what both saw in the logs: > > > > 2009/03/16 14:42:11 ossec-agentd(4101): WARN: Waiting for server reply > > > (not started). Tried: 'xxx.xxx.xxx.xxx'. > > > 2009/03/16 14:42:33 ossec-agentd: INFO: Trying to connect to server > > > (xxx.xxx.xxx.xxx:1514). > > > > I restarted the server and agents several times. > > > > Then on one of the agents, I changed the server IP in /var/ossec/etc/ > > > ossec.conf. I restarted the agent and when I ran /var/ossec/bin/ > > > list_agents -c on the server, I saw that it was connectd. > > > > I've searched for any file on the server that might let me specify > > > what IP or interface to listen on but I can't find anything. > > > Connectivity to the virtual interface, aside from OSSEC, works without > > > any problems whatsoever. > > > > The server and clients are on the same subnet. There are no firewalls > > > involved. > > > > I'm sure I'm missing something very simple :) - Any views expressed in this message are those of the individual sender, except where specifically stated to be the view of the Company, its subsidiaries or associates. When addressed to our customers, any opinions or advice contained in this eMail are subject to the relevant Company terms of business. The Company reserves the right to monitor all email communications through its internal and external networks. NOTICE: This eMail is intended solely for the named recipient only. It may contain privileged and/or confidential information. If you are not one of the intended recipients, please notify the sender immediately, and destroy this eMail; you must not copy, distribute or take any action in reliance upon it. Whilst all efforts are made to safeguard Inbound and Outbound eMails, the Company cannot guarantee that attachments are Virus-free or compatible with your systems and does not accept any liability in respect of viruses or computer problems experienced. IMPORTANT: Credit Card Details should not be sent to the Company by email.
