How to configure OSSEC with multiple network cards in Windows Server 2008 R2


Brent Phillips

Aug 26, 2013, 3:28:07 PM
to ossec...@googlegroups.com
I have two network cards with two separate IP addresses. The only way I can get the OSSEC server to see the agent on the Windows Server is if I use an IP range rather than one of the IPs.

The network cards' IPs are 172.27.86.18 and 172.27.86.19. I have to use the 172.27.86.0/24 when adding the agent to the OSSEC HIDS, for the agent to connect to the server.

Is this the best way to get the agent to connect to the server or is there a better way?

Michael Starks

Aug 26, 2013, 4:34:20 PM
to ossec...@googlegroups.com
On 26.08.2013 14:28, Brent Phillips wrote:
> I have two network cards with two separate IP addresses. The only way
> I can get the OSSEC server to see the agent on the Windows Server is
> if I use an IP range rather than one of the IPs.
>
> The network cards' IPs are 172.27.86.18 and 172.27.86.19. I have to
> use the 172.27.86.0/24 when adding the agent to the OSSEC HIDS, for
> the agent to connect to the server.

I would find out which interface the OSSEC traffic is exiting from and
use that IP on the manager. But it sounds like you have tried that. Is
the traffic multi-pathed through both interfaces? Can you add a static
route to force the traffic to go through one interface?

Brent Phillips

Aug 27, 2013, 10:07:06 AM
to ossec...@googlegroups.com

Yes, I tried both IPs and it wouldn't work. I'm not sure how to force the agent through a particular network card. Maybe someone else knows?

Michael Starks

Aug 27, 2013, 10:41:58 AM
to ossec...@googlegroups.com
On 27.08.2013 09:07, Brent Phillips wrote:

> Yes, I tried both IPs and it wouldn't work. I'm not sure how to
> force the agent through a particular network card. Maybe someone
> else knows?

If it works with the netmask then perhaps there is another IP involved.
Are the servers behind a NAT device? Do you see a "not allowed" message
in ossec.log when you try one or the other IPs?

dan (ddp)

Aug 30, 2013, 11:48:02 AM
to ossec...@googlegroups.com
There has to be a way to add a static route or something.
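
The check Michael Starks suggests above (looking for "not allowed" messages in ossec.log on the manager) can be scripted. The following is an added example, not part of the original thread or of OSSEC itself: it pulls the refused source addresses out of the log and reports the tightest of the candidate agent addresses that would admit each one. The log line layout and the sample lines are constructed assumptions; the candidate addresses are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the line layout is an assumption built around the
# "not allowed" message mentioned in the thread, not output from a real host.
SAMPLE_LOG = """\
2013/08/27 10:12:01 ossec-remoted: WARN: Message from 172.27.86.19 not allowed.
2013/08/27 10:12:07 ossec-remoted: WARN: Message from 172.27.86.19 not allowed.
2013/08/27 10:12:09 ossec-remoted: INFO: Started.
2013/08/27 10:13:30 ossec-remoted: WARN: Message from 10.0.0.5 not allowed.
"""

# Addresses one could register for the agent, taken from the thread.
CANDIDATES = ["172.27.86.18", "172.27.86.19", "172.27.86.0/24"]

NOT_ALLOWED = re.compile(r"Message from (\S+) not allowed")


def rejected_sources(log_text):
    """Count the source addresses the manager refused, skipping malformed ones."""
    counts = Counter()
    for match in NOT_ALLOWED.finditer(log_text):
        try:
            counts[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            continue
    return counts


def narrowest_match(source, candidates):
    """Return the most specific candidate network containing source, or None."""
    nets = [ipaddress.ip_network(c, strict=False) for c in candidates]
    hits = [n for n in nets if n.version == source.version and source in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def triage(log_text, candidates):
    """Map each refused source to the tightest entry that would admit it."""
    result = {}
    for src in rejected_sources(log_text):
        net = narrowest_match(src, candidates)
        result[str(src)] = str(net) if net is not None else None
    return result


if __name__ == "__main__":
    for src, entry in triage(SAMPLE_LOG, CANDIDATES).items():
        print(src, "->", entry or "no candidate covers it (NAT or another IP?)")
```

A source that maps to no candidate points at the NAT or "another IP" case raised in the thread; a source that maps to a single host entry shows which interface the agent traffic is actually leaving from.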