New OSSEC agent not connecting - Message from w.x.y.z not allowed

virafhathiram

This is not a question, but an answer. I have seen OSSEC connection related questions here and on other websites, with no suitable answer.

When the server log shows "Message from w.x.y.z not allowed", it indicates (I think) an IP address mismatch. The messages from the agent are getting through, i.e. no firewall or NAT issues, but the server does not accept them.

The IP address mismatch seems to occur when specifying a subnet for the agent; the problem does not occur with a single IP address. When an agent exe file is created, say you specify an address 10.1.20.0/24, because the host relies on DHCP. You must add, in the ossec.conf file on the server, the (allowed-ips) tag:
(remote)
(connection)secure(/connection)
(allowed-ips)10.1.20.0/24(/allowed-ips)
(/remote)
This tag is not created by default and adding this tag solves the problem. You need to re-start the OSSEC service.

P.S. You should use <> instead of () for the ossec.conf tags. Good to know that this website sanitises input and removes tags with <>!

This discussion has been closed.
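
A diagnostic sketch for the situation described in the post above, as an added example that is not part of the original post and not OSSEC code: it reads the allowed-ips ranges from the secure remote block of a server ossec.conf and reports whether each source address seen in a "Message from ... not allowed" log line falls inside one of them. The config fragment and log lines are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: server-side ossec.conf fragment using the tag from the post.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <allowed-ips>10.1.20.0/24</allowed-ips>
  </remote>
</ossec_config>"""

# Constructed log lines; only the "Message from ... not allowed" wording is from the post.
SAMPLE_LOG = """\
2024/01/01 10:00:00 ossec-remoted: WARN: Message from 10.1.20.57 not allowed.
2024/01/01 10:00:05 ossec-remoted: WARN: Message from 10.1.30.9 not allowed.
2024/01/01 10:00:09 ossec-remoted: WARN: Message from 10.1.20.57 not allowed.
"""

REJECTED = re.compile(r"Message from (\S+) not allowed")

def allowed_networks(conf_text):
    """Return the networks listed in <allowed-ips> under secure <remote> blocks."""
    # Wrap in a dummy root so a file with several <ossec_config> blocks still parses.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "secure":
            continue
        for tag in remote.findall("allowed-ips"):
            text = (tag.text or "").strip()
            if text:
                nets.append(ipaddress.ip_network(text, strict=False))
    return nets

def rejected_sources(log_text):
    """Return the unique source IPs from 'not allowed' lines, in first-seen order."""
    return list(dict.fromkeys(REJECTED.findall(log_text)))

def diagnose(conf_text, log_text):
    """Map each rejected source IP to True if some <allowed-ips> range covers it."""
    nets = allowed_networks(conf_text)
    return {ip: any(ipaddress.ip_address(ip) in net for net in nets)
            for ip in rejected_sources(log_text)}

if __name__ == "__main__":
    for ip, covered in diagnose(SAMPLE_CONF, SAMPLE_LOG).items():
        print(ip, "covered by allowed-ips" if covered else "NOT covered by allowed-ips")
```

An address reported as not covered is a candidate for the allowed-ips fix described in the post.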