[ossec-list] Re: Active Response behind a load balancer
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Active Response behind a load balancer
- From: Reggie Griffin <regomatic@xxxxxxxxx>
- Date: Tue, 31 Jul 2007 13:44:39 -0400
Daniel,

Thanks for the info. I have gotten most of the problems resolved. As it turns out, active response was disabled in the config file when our admin installed it, which was where the queue errors were coming from. When I fixed the client configs and updated all the keys, all is well now.

Here is something to note. The load balancer also was not keeping state on the UDP packets correctly, only on some default ports, like 53. We changed this so it kept state on 1514 and the "Waiting for server reply (not started)." errors went away.

Again, many thanks.

-Reggie
Daniel Cid wrote:
> Hi Reggie,
>
> Looking at your previous e-mail, you are having these errors because you used the same agent id/name on multiple systems. Even if they have the same IP, you need to give different ids/names. If you make this change and re-import all the keys, it should all work.
>
> Regarding the communication, the client (agent) always connects using UDP port 1514 to the server and uses any high level local port (like any other application). Note that the agent does not bind to these local ports... If you want to configure a firewall between them, just open dst port 1514 and keep the state.
>
> http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
>
> *You can also change the port 1514 by specifying the "port" tag.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 7/26/07, Reggie Griffin <regomatic@xxxxxxxxx> wrote:
>
>> Daniel,
>>
>> Thanks, that was very helpful. Any way to hardcode the UDP port that the client communicates to the server with? Looks like a random port in the 50000s.
>>
>> Snippet from tcpdump.
>>
>> 11:24:50.443020 IP ossec.server.1514 > loadbalance.54244: UDP, length 73
>>
>> Being able to lock that to one port would be very helpful.
>>
>> -Reggie
>>
>> Daniel Cid wrote:
>>
>>> Hi Reggie,
>>>
>>> OSSEC should work with systems behind a load balancer, but you must give a different agent name and agent id for each one of them (even though the ip address is the same -- like 101/30 that you gave).
>>>
>>> That entry in the wiki can be of help:
>>> http://www.ossec.net/wiki/index.php/Know_How:DynamicIPs
>>>
>>> If that doesn't solve your problem, can you show us your server and agent logs?
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>> On 7/25/07, Reggie Griffin <Reggie.Griffin@xxxxxxxx> wrote:
>>>
>>>
>>>> Hello,
>>>>
>>>> Been using OSSEC for a while now, and I must say that it's an awesome tool. Many thanks.
>>>>
>>>> To my question:
>>>>
>>>> Does anyone have advice on how to use the Active Response with systems sitting behind a load balancer? We have 3 systems with OSSEC installed that are set up as the same agent as far as the OSSEC server knows.
>>>>
>>>> An example from manage_agents.
>>>>
>>>> ID: 00xx, Name: loadbalance, IP: 192.168.0.101/30
>>>>
>>>> The logging seems to work fine, but the clients can't connect to the queues on the server.
>>>>
>>>> 2007/07/25 12:48:44 ossec-agentd(1210): Queue '/queue/alerts/execq' not accessible.
>>>> 2007/07/25 12:48:59 ossec-agentd(1301): Unable to connect to active response queue.
>>>> 2007/07/25 12:49:00 ossec-agentd(4102): Connected to the server.
>>>>
>>>> I am not sure I approached this correctly, or if there is an easier way to accomplish this. Should I just install OSSEC with individual local-only installs? If so, is there a way to accomplish the centralized logging part (which I like a lot), and have the rest of the OSSEC install only be concerned with managing that one host (most importantly, the Active Response)?
>>>>
>>>> Any thoughts?
>>>>
>>>> -Reggie
>>>>
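The UDP state-tracking behaviour discussed in this thread (the agent sends from an ephemeral port to server port 1514, so the reply only gets back if the device in between remembers the outbound flow), as an added example that is not part of the thread or of OSSEC itself. It simulates a device that tracks state only for a fixed port list (53, the "default ports" case) against one that also tracks 1514, over constructed tcpdump-style lines modelled on the line quoted above; the host names loadbalance, ossec.server and dns.server are placeholders.

```python
import re

# Constructed tcpdump-style lines (not from the thread). Lines 1-2 are the
# agent's request to 1514 and the server's reply; lines 3-4 are a DNS
# exchange; line 5 is an unsolicited packet with no matching outbound flow.
SAMPLE_CAPTURE = """\
11:24:50.440112 IP loadbalance.54244 > ossec.server.1514: UDP, length 89
11:24:50.443020 IP ossec.server.1514 > loadbalance.54244: UDP, length 73
11:24:51.100004 IP loadbalance.41234 > dns.server.53: UDP, length 40
11:24:51.101200 IP dns.server.53 > loadbalance.41234: UDP, length 120
11:24:55.000000 IP ossec.server.1514 > loadbalance.50123: UDP, length 73
""".splitlines()

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def parse(lines):
    """Yield (src_host, src_port, dst_host, dst_port) for each UDP line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def verdicts(lines, inside_host, tracked_ports=None):
    """Simulate the in-path device. Outbound packets from inside_host always
    pass and create a flow entry, but only when their destination port is in
    tracked_ports (None means track every port, i.e. full connection
    tracking). Inbound packets pass only if they reverse a tracked flow."""
    flows = set()
    out = []
    for src, sport, dst, dport in parse(lines):
        if src == inside_host:
            if tracked_ports is None or dport in tracked_ports:
                flows.add((src, sport, dst, dport))
            out.append("pass")
        elif (dst, dport, src, sport) in flows:
            out.append("pass")   # reply to a flow we remember
        else:
            out.append("drop")   # unsolicited or untracked: agent sees no reply
    return out


if __name__ == "__main__":
    print("state on 53 only   :", verdicts(SAMPLE_CAPTURE, "loadbalance", {53}))
    print("state on 53 and 1514:", verdicts(SAMPLE_CAPTURE, "loadbalance", {53, 1514}))
```

With state kept only on port 53 the server's reply on line 2 is dropped, which is the "Waiting for server reply" symptom; adding 1514 to the tracked ports lets it through while the unsolicited packet on line 5 is still dropped.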
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.