I am working on an OSSEC deployment where I will have multiple agents behind 1 public IP. Below is an example of the setup:

Private Network
OSSEC-Agent1 (192.168.1.10)
OSSEC-Agent2 (192.168.50.33)
OSSEC-Agent3 (10.10.10.1)

Those IPs NAT to 1 public IP (1.1.1.1)

Then 1.1.1.1 talks to the public OSSEC server on 2.2.2.2

I've read some OSSEC documentation talking about NAT here, but it doesn't tell me exactly what I need to know. Their example is using an entire /24 subnet and mine will mainly have multiple agents to only 1 public IP. With the setup so far, I brought Agent1 online fine and it is communicating to the OSSEC server. However, Agent2 continues to fail trying to connect to 2.2.2.2. Even though when I added the key, I had the correct name for it, so I know it talked to the portal at least once for that information. I'm assuming it's just getting confused with the multiple keys to 1 public IP. I basically want to know if this is possible and/or if I'm just overlooking something simple. Any help would be greatly appreciated.

Eric
  • Try this: http://osdir.com/ml/ossec-list/2010-10/msg00183.html – quanta Jun 08 '12 at 04:06
  • @quanta - That seems to work for getting 2 agents to work behind the same IP. My only concern about that is what is going to happen when I expand this setup? In the end, I am probably going to have ~50 separate external IPs, each of which has anywhere between 5-15 agents behind it. So I am not sure how well the "any" will scale if OSSEC is having to distinguish between so many different keys. – Eric Jun 08 '12 at 13:29
  • Maybe you should ask this question in the OSSEC's mailing list. – quanta Jun 08 '12 at 14:49
  • I'm up to around 20 IPs or so across 5 different public IPs and everything is working fine. I've even taken computers off one location and took them to another and OSSEC picks it right back up correctly by distinguishing the key and accepting the "any" IP address. If you want to "answer this question" with your comments, I'll go ahead and accept it. Thanks again. – Eric Jun 13 '12 at 21:37

1 Answer

I found this when Googling. Let me know if it works for you.

quanta
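
The situation in this thread, as an added example that is not from either poster or from the OSSEC project: a small audit of server-side key entries against the single address the server sees after NAT. It assumes the `ID name IP key` line layout of `client.keys`; the function names, the Agent4 entry and all key strings are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the assumed "ID name IP key" layout of client.keys.
# Addresses follow the question; Agent4 and every key string are made up.
SAMPLE_KEYS = """\
001 Agent1 1.1.1.1 0000000000000000000000000000000000000000000000000000000000000001
002 Agent2 1.1.1.1 0000000000000000000000000000000000000000000000000000000000000002
003 Agent3 10.10.10.1 0000000000000000000000000000000000000000000000000000000000000003
004 Agent4 any 0000000000000000000000000000000000000000000000000000000000000004
"""

def parse_client_keys(text):
    """Return (id, name, ip) tuples; lines without exactly four fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(tuple(parts[:3]))  # the key itself is never needed here
    return rows

def classify(rows, seen_src):
    """Label each agent by how its registered IP relates to the address the server sees."""
    src = ipaddress.ip_address(seen_src)
    exact = Counter(ip for _, _, ip in rows if ip == seen_src)
    result = {}
    for _id, name, ip in rows:
        if ip == "any":
            result[name] = "key-only"    # identified by its key alone, no source-IP binding
        elif src not in ipaddress.ip_network(ip, strict=False):
            result[name] = "mismatch"    # registered address is not what arrives after NAT
        elif exact[ip] > 1:
            result[name] = "ambiguous"   # several keys registered for one exact address
        else:
            result[name] = "ok"          # unique exact match, or a covering CIDR range
    return result

if __name__ == "__main__":
    for name, label in classify(parse_client_keys(SAMPLE_KEYS), "1.1.1.1").items():
        print(f"{name}: {label}")
```

Entries labelled `key-only` accept the agent from any source address, so the key is the only thing tying a connection to that agent.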