[ossec-list] Re: Active Response behind a load balancer
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Response behind a load balancer
- From: Reggie Griffin <regomatic@xxxxxxxxx>
- Date: Thu, 26 Jul 2007 13:03:43 -0400
Daniel,
Thanks, that was very helpful. Any way to hardcode the UDP port that the client
communicates to the server with? Looks like a random port in the 50000s.
Snippet from tcpdump.
11:24:50.443020 IP ossec.server.1514 > loadbalance.54244: UDP, length 73
Being able to lock that to one port would be very helpful.
-Reggie
Daniel Cid wrote:
> Hi Reggie,
>
> OSSEC should work with systems behind a load balancer, but you must give a
> different agent name and agent id for each one of them (even though the ip
> address is the same -- like 101/30 that you gave).
>
> That entry in the wiki can be of help:
> http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs
>
> If it doesn't solve your problem, can you show us your server and agent logs?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 7/25/07, Reggie Griffin <Reggie.Griffin@xxxxxxxx> wrote:
>
>> Hello,
>>
>> Been using OSSEC for a while now, and I must say that it's an awesome
>> tool. Many thanks.
>>
>> To my question:
>>
>> Does anyone have advice on how to use the Active Response with systems
>> sitting behind a load balancer? We have 3 systems with OSSEC installed that
>> are set up as the same agent as far as the OSSEC server knows.
>>
>> An example from manage_agents.
>>
>> ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30
>>
>> The logging seems to work fine, but the clients can't connect to the queues
>> on the server.
>>
>> 2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
>> 2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
>> 2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.
>>
>> I am not sure I approached this correctly, or if there is an easier way to
>> accomplish this. Should I just install OSSEC with individual local only
>> installs? If so, is there a way to accomplish the centralized logging part
>> (which I like a lot), and have the rest of the OSSEC install only be
>> concerned with managing that one host (most importantly, the Active Response)?
>>
>> Any thoughts?
>>
>> -Reggie
>
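
The advice quoted above (a distinct agent name and agent id per host, even when the hosts share one address) can be checked mechanically. This is an added example, not part of the original thread or of OSSEC: it parses agent entries in the `ID: ..., Name: ..., IP: ...` layout quoted in the thread and flags reused ids or names and shared addresses with fewer entries than hosts. The sample listing and the `hosts_behind_lb` mapping are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample, using the entry layout quoted in the thread.
SAMPLE_LISTING = """\
ID: 001, Name: web-a, IP: 192.168.0.101/30
ID: 002, Name: web-b, IP: 192.168.0.101/30
ID: 002, Name: web-c, IP: 192.168.0.101/30
ID: 003, Name: web-a, IP: 192.168.0.101/30
ID: 010, Name: db1, IP: 10.0.0.5
"""

ENTRY = re.compile(r"ID:\s*(\S+),\s*Name:\s*(\S+),\s*IP:\s*(\S+)")

def parse_listing(text):
    """Return (id, name, network) tuples; CIDR host bits are normalised away."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        agent_id, name, ip = m.groups()
        try:
            net = str(ipaddress.ip_network(ip, strict=False))
        except ValueError:
            net = ip  # non-address values are kept verbatim
        entries.append((agent_id, name, net))
    return entries

def audit(entries, hosts_behind_lb):
    """hosts_behind_lb (hypothetical input): network -> number of hosts sharing it."""
    findings = []
    for label, idx in (("id", 0), ("name", 1)):
        counts = Counter(e[idx] for e in entries)
        findings += [f"duplicate agent {label}: {v}"
                     for v, n in sorted(counts.items()) if n > 1]
    per_net = defaultdict(set)
    for agent_id, name, net in entries:
        per_net[net].add((agent_id, name))
    for net, expected in sorted(hosts_behind_lb.items()):
        have = len(per_net.get(net, ()))
        if have < expected:
            findings.append(f"{net}: {have} agent entries for {expected} hosts")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE_LISTING), {"192.168.0.100/30": 3}):
        print(finding)
```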
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.