
[ossec-list] Active Response behind a load balancer



Hello,

Been using OSSEC for a while now, and I must say that it's an awesome
tool. Many thanks.

To my question:

Does anyone have advice on how to use the Active Response with systems
sitting behind a load balancer? We have 3 systems with OSSEC installed
that are set up as the same agent as far as the OSSEC server knows.

An example from manage_agents.

ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30

The logging seems to work fine, but the clients can't connect to the
queues on the server.

2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.

I am not sure I approached this correctly, or if there is an easier way
to accomplish this. Should I just install OSSEC with individual
local-only installs? If so, is there a way to accomplish the centralized
logging part (which I like a lot), and have the rest of the OSSEC
install only be concerned with managing that one host (most importantly,
the Active Response)?

Any thoughts?

-Reggie








OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.