[ossec-list] Re: Active Response behind a load balancer
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Response behind a load balancer
- From: Reggie Griffin <regomatic@xxxxxxxxx>
- Date: Thu, 26 Jul 2007 11:08:02 -0400
Here are some errors on the client side.
2007/07/26 09:45:07 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
2007/07/26 09:45:22 ossec-agentd(1301): Unable to connect to active response queue.
2007/07/26 09:45:23 ossec-agentd(4102): Connected to the server.
2007/07/26 10:15:26 ossec-agentd: Server unavailable. Setting lock.
2007/07/26 10:15:27 ossec-agentd: Process locked. Waiting for permission...
2007/07/26 10:15:28 ossec-logcollector: Process locked. Waiting for permission...
2007/07/26 10:15:41 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/26 10:15:57 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/26 10:16:14 ossec-agentd: Server responded. Releasing lock.
2007/07/26 10:16:17 ossec-agentd: Lock free. Continuing...
2007/07/26 10:16:18 ossec-logcollector: Lock free. Continuing...
2007/07/26 10:46:16 ossec-agentd: Server unavailable. Setting lock.
2007/07/26 10:46:17 ossec-agentd: Process locked. Waiting for permission...
2007/07/26 10:46:18 ossec-logcollector: Process locked. Waiting for permission...
2007/07/26 10:46:31 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/26 10:46:47 ossec-agentd(4101): Waiting for server reply (not started).
2007/07/26 10:47:04 ossec-agentd: Server responded. Releasing lock.
2007/07/26 10:47:07 ossec-agentd: Lock free. Continuing...
2007/07/26 10:47:08 ossec-logcollector: Lock free. Continuing...
2007/07/26 10:55:02 ossec-agentd: Event count after '20000': 4136659->3421816 (82%)
On the server side:
2007/07/26 09:51:56 ossec-remoted: Duplicate error: global: 54, local: 7791, saved global: 55, saved local:5652
2007/07/26 09:51:56 ossec-remoted(1407): Duplicated counter for '���n����'.
2007/07/26 10:23:57 ossec-remoted: Duplicate error: global: 54, local: 7792, saved global: 55, saved local:5652
2007/07/26 10:23:57 ossec-remoted(1407): Duplicated counter for '���n����'.
2007/07/26 10:56:13 ossec-remoted: Duplicate error: global: 54, local: 7793, saved global: 55, saved local:5652
2007/07/26 10:56:13 ossec-remoted(1407): Duplicated counter for '���n����'.
2007/07/26 10:56:46 ossec-remoted: Duplicate error: global: 0, local: 1894, saved global: 3438, saved local:8980
2007/07/26 10:56:46 ossec-remoted(1407): Duplicated counter for 'ͧd����!'.
2007/07/26 10:56:57 ossec-remoted: Duplicate error: global: 0, local: 1894, saved global: 3438, saved local:9098
2007/07/26 10:56:57 ossec-remoted(1407): Duplicated counter for 'ͧd����!'.
I have no idea if they are related or not.
-Reggie
Daniel Cid wrote:
> Hi Reggie,
>
> OSSEC should work with systems behind a load balancer, but you must give a
> different agent name and agent id for each one of them (even though the ip
> address is the same -- like 101/30 that you gave).
>
> That entry in the wiki can be of help:
> http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs
>
> If that doesn't solve your problem, can you show us your server and agent logs?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 7/25/07, Reggie Griffin <Reggie.Griffin@xxxxxxxx> wrote:
>
>> Hello,
>>
>> Been using OSSEC for a while now, and I must say that it's an awesome
>> tool. Many thanks.
>>
>> To my question:
>>
>> Does anyone have advice on how to use the Active Response with systems
>> sitting behind a load balancer? We have 3 systems with OSSEC installed that
>> are set up as the same agent as far as the OSSEC server knows.
>>
>> An example from manage_agents.
>>
>> ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30
>>
>> The logging seems to work fine, but the clients can't connect to the
>> queues on the server.
>>
>> 2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
>> 2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
>> 2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.
>>
>> I am not sure I approached this correctly, or if there is an easier way to
>> accomplish this. Should I just install OSSEC with individual local only
>> installs? If so, is there a way to accomplish the centralized logging part
>> (which I like a lot), and have the rest of the OSSEC install only be
>> concerned with managing that one host (most importantly, the Active
>> Response)?
>>
>> Any thoughts?
>>
>> -Reggie
>>
>
>
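Added example, not part of the original message and not OSSEC's own code: a Python script that reads the ossec-remoted "Duplicate error" lines quoted above (mail-wrapped lines rejoined) and groups the rejected counters into streams, as a check for more than one host sending under a single agent entry, the setup Daniel's reply advises against. It assumes the first global/local pair is the counter carried in the rejected message and the "saved" pair is the last counter the server accepted; grouping by the received global value is a heuristic chosen for this example.

```python
import re
from collections import defaultdict

# Server-side lines taken from the message above; lines that the mail
# client wrapped have been rejoined so each event is on one line.
SERVER_LOG = """\
2007/07/26 09:51:56 ossec-remoted: Duplicate error: global: 54, local: 7791, saved global: 55, saved local:5652
2007/07/26 10:23:57 ossec-remoted: Duplicate error: global: 54, local: 7792, saved global: 55, saved local:5652
2007/07/26 10:56:13 ossec-remoted: Duplicate error: global: 54, local: 7793, saved global: 55, saved local:5652
2007/07/26 10:56:46 ossec-remoted: Duplicate error: global: 0, local: 1894, saved global: 3438, saved local:8980
2007/07/26 10:56:57 ossec-remoted: Duplicate error: global: 0, local: 1894, saved global: 3438, saved local:9098
"""

# Assumption: "global/local" is the counter in the rejected message,
# "saved global/saved local" is the last counter the server accepted.
DUP_RE = re.compile(
    r"^(\S+ \S+) ossec-remoted: Duplicate error:\s+global:\s*(\d+), local:\s*(\d+), "
    r"saved global:\s*(\d+), saved local:\s*(\d+)\s*$")

def parse_duplicates(text):
    """Yield (timestamp, received_counter, saved_counter) per 'Duplicate error' line."""
    for line in text.splitlines():
        m = DUP_RE.match(line)
        if m:
            g, l, sg, sl = map(int, m.groups()[1:])
            yield m.group(1), (g, l), (sg, sl)

def summarize(text):
    """Group rejections by received global counter (heuristic: one group is
    treated as one sender's counter stream) and describe each group."""
    streams = defaultdict(list)
    for _ts, received, saved in parse_duplicates(text):
        streams[received[0]].append((received, saved))
    report = {}
    for key, rows in streams.items():
        saved = [s for _r, s in rows]
        report[key] = {
            "rejected": len(rows),                         # messages refused
            "all_behind": all(r <= s for r, s in rows),    # received never ahead of saved
            "saved_advanced": saved[-1] > saved[0],        # something else was accepted meanwhile
        }
    return report

if __name__ == "__main__":
    for key, info in summarize(SERVER_LOG).items():
        print(f"received global={key}: {info}")
```

Two separate streams of rejected counters, one of them refused while the saved counter keeps advancing, is consistent with several hosts sharing one agent entry; it does not by itself prove that is the cause.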
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.