8 Replies Latest reply on Apr 7, 2016 10:17 AM by curtisi

    LEM Agent for Linux sends logs to manager from wrong IP address

    kshannon

      I have a Red Hat 6 Linux node running LEM Agent 6.2.1 and Console 6.2.1.


      The agent connects with the manager and shows the connection as good.  I can see data in the nDepth query coming from the host. 


      The Insertion IP comes from what we call the public ethernet interface.  This is the IP address associated with an interface on the host and is returned when DNS lookups are executed.  The Detection IP is listed as what we call a Private interface, which is not listed in DNS and is used for private communications between nodes in a cluster.

      Here is an example:


      Event Name: UserLogoff 

      EventInfo: PAM User Logoff "oracle" for service "/bin/su"  InsertionIP: PUBLIC.DOMAIN.com  Manager: MANAGER  DetectionIP: PRIVATE.IP.ADDRESS.HERE  InsertionTime: 8:50:11 Thu Mar 31 2016  DetectionTime: 8:50:10 Thu Mar 31 2016  Severity: 3  ToolAlias: Linux Auditd  InferenceRule:   ProviderSID: USER_END 15896 ses=4294967295  ExtraneousInfo: exe="/bin/su", result: success  SourceAccount:   SourceDomain:   SourceLogonID:   DestinationAccount: oracle  DestinationDomain:   DestinationLogonID: 4294967295  DestinationAccountType:   SourceMachine:   DestinationMachine:   PrivilegesExercised:   LogonType:   IsThreat: false


      I want the Detection IP to be the public interface.


      The effect of this is that the public named node shows connected, but doesn't show any events logged.  Selecting Node Details shows no events.  When selecting Node Details for the Private IP node it shows events being recorded.  I have tried deleting the Private IP node in the Manage Nodes screen, but as soon as more data is sent the Private IP node is recreated.


      Is there some way to limit the LEM agent to use the Public IP to send data?  It's already the default gateway for the host, what else do I need to do?

        • Re: LEM Agent for Linux sends logs to manager from wrong IP address
          nicole pauls

          The DetectionIP comes from the log itself, so you'd have to take this up on the RedHat end - it might be a matter of changing /etc/hosts or your syslog config to pick up the right interface IP. If you look at the log file that corresponds to that connector on your RedHat system, you should see something like a "<date> <hostname> <message>" format, and that "<hostname>" is controlled by the OS/syslog config.

            • Re: LEM Agent for Linux sends logs to manager from wrong IP address
              kshannon

              Here are a couple of lines from /var/log/audit/audit.log:


              type=USER_START msg=audit(1459948449.045:128516): user pid=9482 uid=10011713 auid=10011713 ses=7110 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=success'

              type=CRED_ACQ msg=audit(1459948449.045:128517): user pid=9482 uid=10011713 auid=10011713 ses=7110 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=success'


              The other logs (/var/log/secure, /var/log/messages) are as you describe.


              I guess I'll have to limit log collection to those two logs.


              Thanks

              • Re: LEM Agent for Linux sends logs to manager from wrong IP address
                kshannon

                I made those changes.  It still doesn't change the outcome.  The Detection IP is still the private address.

                  • Re: LEM Agent for Linux sends logs to manager from wrong IP address
                    curtisi

                    If you open the spop.conf file:


                    • Windows 64-bit: C:\Windows\SysWOW64\ContegoSPOP\spop.conf
                    • Windows 32-bit: C:\Windows\System32\ContegoSPOP\spop.conf
                    • Linux: /usr/local/contego/ContegoSPOP


                    Add this line:


                    ForcedLocalAddress=IP OR HOSTNAME THAT YOU WANT


                    And restart the LEM agent service (in Linux, /etc/init.d/swlem-agent restart) and that should change the Detection IP.


                    Some examples:


                    ForcedLocalAddress=10.199.21.154

                    ForcedLocalAddress=example-hostname

                    ForcedLocalAddress=example-hostname.domain.com


                    Warning: Setting a hostname value for this property that is different from the actual network configured hostname of the agent could screw up DNS resolution for this agent.
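An added example (not SolarWinds code, not part of the reply above) that applies the ForcedLocalAddress change so that re-running it never leaves duplicate or conflicting lines, and rejects a value that is neither an IPv4 address nor a hostname (such as the placeholder text pasted literally). It runs against a constructed sample file; the real spop.conf path and the agent restart are as described in the reply.

```shell
#!/bin/sh
# Added example, not SolarWinds code: manage the ForcedLocalAddress line in a
# spop.conf so that re-running it never leaves duplicate or conflicting entries,
# and reject values that are neither an IPv4 address nor a hostname (for example
# the placeholder text pasted literally).  The conf path is always a parameter.
set -eu

# Accept a dotted-quad IPv4 address or an RFC 1123 style hostname/FQDN only.
validate_local_address() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Replace every existing ForcedLocalAddress line (active or commented out) with
# exactly one line carrying the wanted value.  Usage: set_forced_local_address CONF VALUE
set_forced_local_address() {
    conf=$1
    addr=$2
    validate_local_address "$addr" || { echo "rejected value: $addr" >&2; return 1; }
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        grep -v -E '^[[:space:]]*#?[[:space:]]*ForcedLocalAddress=' "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'ForcedLocalAddress=%s\n' "$addr" >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the value the agent would read (last active line wins if several exist).
get_forced_local_address() {
    sed -n 's/^[[:space:]]*ForcedLocalAddress=//p' "$1" | tail -n 1
}

# Number of active ForcedLocalAddress lines; should be exactly 1 after a set.
count_forced_local_address() {
    grep -c -E '^[[:space:]]*ForcedLocalAddress=' "$1" || true
}

# Demo on a constructed file (not a real agent config); the real path is the
# spop.conf location given in the thread, followed by an agent restart.
demo_conf="${TMPDIR:-/tmp}/spop.conf.demo.$$"
printf '%s\n' '# constructed sample spop.conf' '# ForcedLocalAddress=10.0.0.1' > "$demo_conf"
set_forced_local_address "$demo_conf" 10.199.21.154
set_forced_local_address "$demo_conf" 10.199.21.154   # second run: still one line
echo "ForcedLocalAddress lines: $(count_forced_local_address "$demo_conf")"
echo "Effective value: $(get_forced_local_address "$demo_conf")"
rm -f "$demo_conf"
```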