0

How does one set up OSSEC to have the host work as a server, and the guests have agents in them? Specifically, at least one point in the installation confuses me as to how this would work: how do you set the server IP? If you are running OSSEC on a laptop, the IP address will change. How do you dynamically resolve the IP of the host that is running the guests?

Maybe the question should in that case be retitled to that, but the base cause for asking this question is for an ossec setup, and I will likely have more questions later, I'd rather them all be related to this.

Perhaps there is a guide to explain how to do what I want, which is to set up a Mac OS X Lion host running OSSEC as the server, and have several VM guests with agent setups on them that talk to the host.

Adam Miller
  • Perhaps [this](http://stackoverflow.com/questions/3235011/vmware-fusion-connecting-to-hosts-web-server-from-guest) is the answer... – Adam Miller Jun 02 '12 at 09:49

2 Answers

2

One deployment scenario is to create one OSSEC server and then to install OSSEC agents on everything you would like to watch for security events.

Regarding DHCP configured OSSEC agents, you can check out "Agent systems behind NAT or with dynamic IPs (DHCP)" http://www.ossec.net/doc/manual/agent/agent-dhcp-nat.html

If you have a specific DHCP or network range you would like any OSSEC agent to be able to use to connect to the OSSEC server, then you can modify the following lines in the ossec.conf file (snippet borrowed from the OSSEC book):

> We can also use the `<allowed-ips></allowed-ips>` tag to explicitly state which IP address we allow connections from. In the following example, we used the `<allowed-ips></allowed-ips>` tag in conjunction with the `<connection></connection>` tag to indicate that we expect OSSEC HIDS agent connections from the 192.168.10.0/24 network.

```xml
<ossec_config>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.10.0/24</allowed-ips>
  </remote>
</ossec_config>
```

Tate Hansen
  • Thanks, but I don't think you understood my question. I wrote an answer that I feel met my question's needs. Just so you know, I asked this when I first got started with OSSEC, so it was kind of an inexperienced question; maybe that's why you didn't understand it exactly. Anyway, thanks! – Adam Miller Jun 09 '12 at 19:43
0

I found out from VMware that the host VMs that are using a NAT configuration have a static IP address that corresponds to the host: 192.168.231.1 will reach the host from within the guest VM. This way, when you set up agents within the guest VMs you can use this address, and it will work.

Adam Miller
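An added example, not part of either answer and not OSSEC's own code: a small check that reads the `<allowed-ips>` entries from a server-side `ossec.conf` and reports which agent addresses fall outside them. It assumes the guests sit on a 192.168.231.0/24 NAT network (inferred from the host address in the second answer); the guest addresses and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <remote> block quoted in the first answer.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.10.0/24</allowed-ips>
  </remote>
</ossec_config>
"""


def allowed_networks(conf_text):
    """Return the networks listed in <remote>/<allowed-ips> elements."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap the text in
    # a synthetic root element before handing it to the XML parser.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    nets = []
    for elem in root.iterfind("./ossec_config/remote/allowed-ips"):
        value = (elem.text or "").strip()
        if value:
            # strict=False accepts entries with host bits set, e.g. 10.0.0.5/24
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def uncovered(conf_text, agent_ips):
    """Return the agent addresses that fall outside every allowed range."""
    nets = allowed_networks(conf_text)
    return [ip for ip in agent_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    # Constructed guest addresses: two on the assumed NAT subnet, one on the
    # network used in the quoted snippet.
    guests = ["192.168.231.128", "192.168.231.129", "192.168.10.17"]
    for ip in uncovered(SAMPLE_CONF, guests):
        print("not covered by <allowed-ips>:", ip)
```

Run against the quoted snippet, the two 192.168.231.x guests are reported, so the range would need to name the NAT subnet the guests actually use.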