
Connecting ossec agent remotely.

mattpearce

Hi. Happy new year, all. We have an OSSIM installation at a site with, say, a Colt or other dedicated public IP address. Is there a way we can set up, say, a DynDNS or similar service to have the OSSEC client relay the data back to the OSSIM server if the server had the dyn-IP agent installed also?


Answers

  • Sorry, WITHOUT a dedicated public-facing IP address. WITHOUT    ;-|
  • mattpearce,

    The OSSEC Agent can be configured to talk to the server by opening the OSSEC manager UI tool and changing the Server IP to a FQDN. It will resolve and direct to the appropriate address. The agent will need to be added with an ACL of 0.0.0.0/0, or by selecting "agent uses DHCP" when adding. Obviously that FQDN must resolve to a routable address, whether it is set using DynDNS or some other method.
     
    Two words of warning on this:
    1 - OSSEC Agent is not designed to work in an intermittent connection scenario, so it will not queue logs for sending later. Part of its design is deliberately set to alert when an agent is offline, because an offline agent gives an attacker time to modify logs before they can be sent.

    2 - OSSEC agent sends ALL logs from monitored log files, which are then filtered by the OSSEC decoders and our own HIDS plugins at the sensor. This can generate an excessive amount of traffic on poor connections. You may want to look into agent-side exclude rules to filter out unwanted data, which would need to be added to the agent configuration manually. The downside of this is that you need to be careful what you exclude, as it will obviously affect what you can correlate against at the server since we never receive it.
    kratos
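As an added illustration (not configuration from the thread or from OSSIM itself), an agent-side ossec.conf fragment that points the agent at a DynDNS name rather than a fixed manager address. The hostname ossim.example.com and the log paths are placeholders, and it is assumed the agent was registered on the manager with IP "any" so that its changing source address is accepted.

```xml
<!-- Illustrative agent ossec.conf fragment (added example, not from the thread).
     Assumes: manager's DynDNS name is ossim.example.com (placeholder) and the
     agent was registered on the manager with IP "any" in manage_agents, the
     equivalent of the 0.0.0.0/0 ACL / "agent uses DHCP" option described above. -->
<ossec_config>
  <client>
    <!-- FQDN instead of a fixed IP. Assumption to verify for your agent version:
         the name may be resolved only when the agent starts, so restart the
         agent if the DynDNS record later points to a new address. -->
    <server-hostname>ossim.example.com</server-hostname>
    <!-- Default manager port; UDP 1514 must be reachable from the agent's side. -->
    <port>1514</port>
  </client>

  <!-- Every line of each monitored file is shipped to the manager, where the
       decoders and rules do the filtering. On a slow or metered link, monitor
       only the files you intend to correlate against rather than adding logs
       wholesale; anything not sent can never be correlated at the server. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
```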