getting error: ossec-remoted(1213): WARN: Message from 10.8.6.20 not allowed.


Stephen LuShing

Nov 4, 2016, 8:43:48 AM
to ossec...@googlegroups.com
I was able to install an ossec agent on a Solaris 10 server and everything seems to be working. The only issue is I am getting this error, and I think it is because the network interface has a primary and 2 virtual network interfaces. Here are the network settings:

sovcbanat1# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 10.8.6.21 netmask ffffff00 broadcast 10.8.6.255
        groupname NetworkMNICB
        ether 0:b:5d:e5:dd:66
bge0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.8.6.20 netmask ffffff00 broadcast 10.8.6.255
bge2: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 10.8.6.22 netmask ffffff00 broadcast 10.8.6.255
        groupname NetworkMNICB
        ether 0:b:5d:e5:dd:68
bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.8.6.28 netmask ffffff00 broadcast 10.8.6.255
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 4
        inet 10.1.1.2 --> 10.1.1.1 netmask ff000000
        ether 0:0:0:0:0:0


I had set up the agent as sovcbanat1-bge0 --> 10.8.6.21. When we log in to the server we log in to 10.8.6.20 (sovcbanat1). The issue, I think, is that remoted may not understand which is the primary interface since the other virtual interfaces are active also. I looked and googled for a solution, and one idea was to set up an allow_ip on the server:

  <remote>
    <connection>secure</connection>
    <allowed-ips>10.8.6.0/24</allowed-ips>
  </remote>

This does not seem to work as I am still getting the message.

So does anyone have any idea on how to either fix this or somehow bypass this problem?


Thanks in advance

Stephen LuShing
System administrator
Hofstra University

dan (ddp)

Nov 4, 2016, 9:06:49 AM
to ossec...@googlegroups.com
I believe allowed-ips is only for syslog connection types.

> </remote>
>
> This does not seem to work as I am still getting the message.
>
> So does anyone have any idea on how to either fix this or somehow bypass
> this problem.
>

If remoted is expecting the ossec packets to come from 10.8.6.21, you
need to make sure the packets come from that IP address.
Your OS should have routing options to make this happen.
Or you could add the agent with an IP of 10.8.6.0/24 or even "any."
Then it wouldn't matter as much which IP the packets come from.


Stephen LuShing

Nov 4, 2016, 10:09:58 AM
to ossec...@googlegroups.com
So Dan, I assume that I will need to reinstall the agent with the "any" or the 10.8.6.0/24 entry. I guess it will be the same for another server with the same issue on the same subnet.


dan (ddp)

Nov 4, 2016, 10:13:05 AM
to ossec...@googlegroups.com
On Fri, Nov 4, 2016 at 10:09 AM, Stephen LuShing <smlu...@gmail.com> wrote:
> So Dan I assume that i will need to reinstall the agent with the any or the
> 10.8.6.0/24 entry.I guess it will be for another server also with the same
> issue on the same subnet.
>

You shouldn't have to. You might need to generate new keys, but I'm
not positive about that (you might be able to modify client.keys and
restart the OSSEC processes on the OSSEC server).
Or, if you use routing, nothing should have to change beyond that.
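As an added diagnostic example (not from the thread and not OSSEC's own code), this is the check remoted is effectively applying when it logs "Message from X not allowed": the sender's source IP is matched against the IP column of client.keys, where an entry can be an exact address, a CIDR block such as 10.8.6.0/24, or "any". The client.keys contents and the log line are constructed, and the key column holds placeholders.

```python
import ipaddress
import re

# Constructed sample client.keys in OSSEC's "ID NAME IP KEY" format.
# The key column is a placeholder, not a real OSSEC key.
CLIENT_KEYS = """\
001 sovcbanat1-bge0 10.8.6.21 PLACEHOLDERKEY0001
002 sovcbanat2 10.8.6.0/24 PLACEHOLDERKEY0002
003 roaming-host any PLACEHOLDERKEY0003
"""

# Constructed log line in the shape of the warning quoted in the thread.
LOG_LINE = "ossec-remoted(1213): WARN: Message from 10.8.6.20 not allowed."

WARN_RE = re.compile(r"Message from (\S+) not allowed")


def parse_client_keys(text):
    """Return (agent_id, name, ip_spec) tuples; skip blank and '#' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def ip_spec_matches(ip_spec, src_ip):
    """True if src_ip is covered by the registered spec: exact, CIDR/netmask, or 'any'."""
    if ip_spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(src_ip)
    if "/" in ip_spec:
        return addr in ipaddress.ip_network(ip_spec, strict=False)
    return addr == ipaddress.ip_address(ip_spec)


def agents_accepting(entries, src_ip):
    """Names of registered agents whose IP spec would accept a packet from src_ip."""
    return [name for _, name, spec in entries if ip_spec_matches(spec, src_ip)]


def source_ip_from_warning(line):
    """Pull the rejected source IP out of a remoted 'not allowed' warning."""
    m = WARN_RE.search(line)
    return m.group(1) if m else None
```

Running `agents_accepting(parse_client_keys(CLIENT_KEYS), source_ip_from_warning(LOG_LINE))` shows that the exact-IP entry for 10.8.6.21 does not cover packets leaving from 10.8.6.20, while the /24 and "any" registrations do.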