From OSSEC Wiki
How to monitor systems behind NAT or with dynamic IPs (DHCP)
DHCP
If you want to install the agent on systems without a static IP address or behind a NAT device, you need
to configure the agent using variable IP addresses.
This means that when the manage_agents tool asks you for an IP, you give an IP+netmask instead
of a single IP.
For example, to add an agent that can receive any IP address (say via DHCP) in the 192.168.2.0/24
network, just provide the IP address of the agent as 192.168.2.0/24. Example (taken from manage_agents):
Please provide the following:
   * A name for the new agent: test
   * The IP Address of the new agent: 192.168.2.0/24
NAT
The same applies to NATed systems. Since the OSSEC server will see all devices behind NAT as if
they had the same IP, you need to configure them with a variable IP address.
For example, let's say that you have systems 192.168.1.2, 192.168.1.3 and 192.168.1.4 behind
a NAT server that connects to network 10.1.1.0/24 with the OSSEC server on it.
In this case, you need to configure the agents as if their IP was 10.1.1.0/24, because this is the
IP that the server is seeing (not their original IP).
In the manage_agents tool, add each one of those agents on the server using the following format:
Please provide the following:
   * A name for the new agent: agent-1
   * The IP Address of the new agent: 10.1.1.0/24
Since the OSSEC server is going to see them as if they were coming from the NAT server (a 10.1.1.x IP),
it should work. Make sure to use a separate key for each agent.
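
An added example (not part of the OSSEC wiki or of OSSEC itself): a Python check over agent entries that shows which entries a given source address falls inside, and flags agents that share a key. The four-column "ID NAME ADDRESS KEY" layout, the function names and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed "ID NAME ADDRESS KEY" layout; keys are fake.
SAMPLE_KEYS = """\
001 agent-1 10.1.1.0/24 aaaa1111
002 agent-2 10.1.1.0/24 bbbb2222
003 agent-3 10.1.1.0/24 bbbb2222
004 test 192.168.2.0/24 cccc3333
005 fixed 192.168.1.2 dddd4444
"""


def parse_keys(text):
    """Return a list of (id, name, network, key) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or line.lstrip().startswith("#"):
            continue  # skip blank, commented or malformed lines
        agent_id, name, addr, key = parts
        # A bare address becomes a /32 network; strict=False tolerates host bits.
        net = ipaddress.ip_network(addr, strict=False)
        entries.append((agent_id, name, net, key))
    return entries


def agents_accepting(entries, source_ip):
    """Names of agents whose configured address or network contains source_ip."""
    ip = ipaddress.ip_address(source_ip)
    return [name for _, name, net, _ in entries if ip in net]


def shared_keys(entries):
    """Groups of agent names that were given the same key."""
    by_key = defaultdict(list)
    for _, name, _, key in entries:
        by_key[key].append(name)
    return sorted(names for names in by_key.values() if len(names) > 1)


if __name__ == "__main__":
    entries = parse_keys(SAMPLE_KEYS)
    # 10.1.1.7 stands for the address the server sees for a NATed agent.
    print("10.1.1.7 matches:", agents_accepting(entries, "10.1.1.7"))
    # 192.168.1.3 is an agent's original address, which no entry covers.
    print("192.168.1.3 matches:", agents_accepting(entries, "192.168.1.3"))
    print("shared keys:", shared_keys(entries))
```

Because every agent behind the NAT matches the same network entry, the address alone cannot tell them apart, which is why each agent needs its own key.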