[ossec-list] Re: Active Response behind a load balancer
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Response behind a load balancer
- From: "Fletch Hasues" <hasues@xxxxxxxxx>
- Date: Thu, 26 Jul 2007 00:36:26 -0400
Reggie,
Do you not have perhaps an out-of-band network for this sort of communication? I would think you wouldn't want to use the public interfaces for such for internal information?
Haz
On 7/25/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
Hi Reggie,
OSSEC should work with systems behind a load balancer, but you must give a different agent name and agent id for each one of them (even though the IP address is the same -- like 101/30 that you gave).
That entry in the wiki can be of help:
http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs
If it doesn't solve your problem, can you show us your server and agent logs?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/25/07, Reggie Griffin <Reggie.Griffin@xxxxxxxx> wrote:
>
> Hello,
>
> Been using OSSEC for a while now, and I must say that it's an awesome tool. Many thanks.
>
> To my question:
>
> Does anyone have advice on how to use the Active Response with systems sitting behind a load balancer? We have 3 systems with OSSEC installed that are set up as the same agent as far as the OSSEC server knows.
>
> An example from manage_agents.
>
> ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30
>
> The logging seems to work fine, but the clients can't connect to the queues on the server.
>
> 2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
> 2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
> 2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.
>
> I am not sure I approached this correctly, or if there is an easier way to accomplish this. Should I just install OSSEC with individual local only installs? If so, is there a way to accomplish the centralized logging part (which I like a lot), and have the rest of the OSSEC install only be concerned with managing that one host (most importantly, the Active Response)?
>
> Any thoughts?
>
> -Reggie
>
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.