X-Forwarded-For header for agents

David Drake

May 2, 2018, 8:28:22 AM
to Wazuh mailing list
I'm doing a POC for the latest version including cluster support. I have a VIP created through HAProxy. The challenge is when an agent registers and communicates through the VIP, the IP address on the OSSEC servers appears to be the HAProxy VIP instead of the originating source. I know I can do some things with the X-Forwarded-For header for other applications, but can Wazuh work with X-Forwarded-For header information?

Marta Gómez

May 16, 2018, 6:58:23 AM
to Wazuh mailing list
Hello David,

Currently, the cluster doesn't support registering of agents through a load balancer. They must be registered in the master node. You can use the load balancer to load the agents' reports among all nodes, specifying the load balancer's IP as the manager IP in the agents' configuration.

Best regards,
Marta

David Drake

May 16, 2018, 7:18:28 AM
to Marta Gómez, Wazuh mailing list
Understood on registration through a load balancer but if I register agents with the true source IP on the master node, when the node communicates through the load balancer on 1514 - the source IP is NAT for the VIP address which makes the agents not connect.

I'm trying to retain the source IP when UDP traffic goes through a load balancer. The obvious workaround is to register as IP of any, but that's not my optimal use case.

David

Marta Gómez

May 17, 2018, 5:21:26 AM
to Wazuh mailing list
Hello David,

First of all, we don't support X-forwarded-for header, since it is an HTTP header and our agent communication protocol is encrypted.

In addition, you should disable the use_source_ip option in your authd configuration (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html?highlight=use_source_ip#use-source-ip); otherwise, your agents won't be able to connect to the cluster. We are now studying different ways to send both the real agent IP and the ELB headers to the manager, but it's not implemented yet.

Finally, we don't recommend using UDP for load balancing. It's better to use TCP since it has permanent sessions and stickiness. One of the reasons we need those is because the agent reports to a whole database in a manager and we need that database to be consistent. To configure TCP, check the following links to our documentation:
    * https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html?highlight=tcp#server-protocol
    * https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html?highlight=remote#protocol

Best regards,
Marta
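
The manager and agent settings this reply refers to, as an added example that is not part of the original post and is not copied from the Wazuh documentation. `LOAD_BALANCER_VIP` is a placeholder for the HAProxy VIP, and port 1514 is the one mentioned earlier in the thread.

```xml
<!-- Master node ossec.conf: registration service (authd).
     With use_source_ip off, authd does not pin the agent's key to the
     address seen at registration, so events arriving from the VIP
     are not rejected for a source-IP mismatch. -->
<ossec_config>
  <auth>
    <use_source_ip>no</use_source_ip>
  </auth>
</ossec_config>

<!-- Every manager node ossec.conf: accept agent events over TCP. -->
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>

<!-- Agent ossec.conf: report to the load balancer over TCP. -->
<ossec_config>
  <client>
    <server>
      <address>LOAD_BALANCER_VIP</address> <!-- placeholder, not a real address -->
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>
```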

Marta Gómez

May 29, 2018, 4:28:46 AM
to Wazuh mailing list
Hello again David,

We have officially released Wazuh v3.2.3, which includes a huge improvement in the whole cluster. I recommend that you update. Check our docs to learn how: https://documentation.wazuh.com/current/user-manual/manager/wazuh-cluster.html#upgrading-from-older-versions

Best regards,
Marta