8 Replies Latest reply on Apr 7, 2016 10:17 AM by curtisi

    LEM Agent for Linux sends logs to manager from wrong IP address


      I have a Red Hat 6 Linux node running LEM Agent 6.2.1 and Console 6.2.1.


      The agent connects with the manager and shows the connection as good.  I can see data in the nDepth query coming from the host. 


      The Insertion IP comes from what we call the public ethernet interface.  This is the IP address associated with an interface on the host and is returned when DNS lookups are executed.  The Detection IP is listed as what we call a Private interface, which is not listed in DNS and is used for private communications between nodes in a cluster.

      Here is an example:


      Event Name: UserLogoff 

      EventInfo: PAM User Logoff "oracle" for service "/bin/su"  InsertionIP: PUBLIC.DOMAIN.com  Manager: MANAGER  DetectionIP: PRIVATE.IP.ADDRESS.HERE  InsertionTime: 8:50:11 Thu Mar 31 2016  DetectionTime: 8:50:10 Thu Mar 31 2016  Severity: 3  ToolAlias: Linux Auditd  InferenceRule:   ProviderSID: USER_END 15896 ses=4294967295  ExtraneousInfo: exe="/bin/su", result: success  SourceAccount:   SourceDomain:   SourceLogonID:   DestinationAccount: oracle  DestinationDomain:   DestinationLogonID: 4294967295  DestinationAccountType:   SourceMachine:   DestinationMachine:   PrivilegesExercised:   LogonType:   IsThreat: false


      I want the Detection IP to be the public interface.


      The effect of this is that the public named node shows connected, but doesn't show any events logged.  Selecting Node Details shows no events.  When selecting Node Details for the Private IP node, it shows events being recorded.  I have tried deleting the Private IP node in the Manage Nodes screen, but as soon as more data is sent the Private IP node is recreated.


      Is there some way to limit the LEM agent to use the Public IP to send data?  It's already the default gateway for the host; what else do I need to do?
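A small check, added here as an illustration and not part of the original post or of SolarWinds LEM, that parses an nDepth record in the field layout shown above and flags events whose DetectionIP does not match the address expected for the InsertionIP host. The sample record, the hostname, the addresses and the expected-address table are all constructed for the example; a defender can run the same check over exported records to find the agents that are being attributed to a second, private-address node.

```python
import re
from ipaddress import ip_address

# Constructed sample, laid out like the nDepth record in the post (values are made up).
SAMPLE_EVENT = (
    'EventInfo: PAM User Logoff "oracle" for service "/bin/su"  '
    'InsertionIP: rhel6-db01.example.com  Manager: MANAGER  DetectionIP: 192.168.100.12  '
    'InsertionTime: 8:50:11 Thu Mar 31 2016  DetectionTime: 8:50:10 Thu Mar 31 2016  '
    'Severity: 3  ToolAlias: Linux Auditd  InferenceRule:   '
    'ProviderSID: USER_END 15896 ses=4294967295  ExtraneousInfo: exe="/bin/su", result: success  '
    'SourceAccount:   SourceDomain:   SourceLogonID:   DestinationAccount: oracle  '
    'DestinationDomain:   DestinationLogonID: 4294967295  DestinationAccountType:   '
    'SourceMachine:   DestinationMachine:   PrivilegesExercised:   LogonType:   IsThreat: false'
)

# Constructed inventory: which public address each agent host is supposed to report from.
EXPECTED_PUBLIC = {"rhel6-db01.example.com": "203.0.113.10"}

# Fields are "Key: value" pairs separated by two spaces; a value may be empty, and a value
# may itself contain ": " (e.g. "result: success"), so the next key must be preceded by two spaces.
FIELD_RE = re.compile(r"([A-Za-z]+): (.*?)(?=  [A-Za-z]+: |$)")


def parse_event(record: str) -> dict:
    """Split one nDepth record into a {field: value} dict, stripping stray whitespace."""
    return {key: value.strip() for key, value in FIELD_RE.findall(record)}


def check_node_identity(record: str, expected_public: dict) -> dict:
    """Compare DetectionIP with the address expected for the InsertionIP host.

    Returns status 'ok', 'unknown-host' (host not in inventory) or 'mismatch', and for a
    mismatch also whether the detection address is a private (RFC 1918 style) address,
    which is the symptom described in the post: events land on a separate private-IP node.
    """
    fields = parse_event(record)
    insertion, detection = fields.get("InsertionIP"), fields.get("DetectionIP")
    expected = expected_public.get(insertion)
    result = {"insertion": insertion, "detection": detection, "expected": expected}
    if expected is None:
        return {**result, "status": "unknown-host"}
    if detection == expected:
        return {**result, "status": "ok"}
    try:
        is_private = ip_address(detection).is_private
    except ValueError:  # DetectionIP was a hostname, not a literal address
        is_private = False
    return {**result, "status": "mismatch", "detection_is_private": is_private}


if __name__ == "__main__":
    print(check_node_identity(SAMPLE_EVENT, EXPECTED_PUBLIC))
```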