Wazuh with Agents with Overlapping IP Addresses
-
Trying to work with Wazuh, but we've noticed a huge problem. If we have two agents on devices with the same IP address, one of the two gets deleted. This is a problem in two cases. One is DHCP when things move around. The agent will keep creating new devices. The second is overlapping IP ranges, which is super common even in a single environment today. How do you handle multiple devices that just have the same IP addresses?
Our initial findings are that it just "doesn't work" and can't handle that scenario. This feels implausible to me, but we haven't found a way around it. Old documentation says that this scenario just doesn't work (which means whole categories of use simply aren't possible... like no mobile or LANless businesses.) New documentation removes the wording that says that you can't do this, but just ignores it entirely without stating a way to make it work.
Has anyone played with this and found a way around this limitation of identifying the endpoints by IP address? We want to use a GUID ideally, not an IP that is expected to not be unique.
-
https://groups.google.com/forum/#!topic/wazuh/RDuRA832UKE
That's a place to start.
-
I've not seen anything that suggests DHCP agents are supported. Seems static assignment only.
-
Can you create an index per customer? Graylog lets you define streams which are set to indices and inputs for those streams. Then your alerts can be set up on the streams which give you real-time alerts from your rules.
-
@stacksofplates said in Wazuh with Agents with Overlapping IP Addresses:
Can you create an index per customer?
That would be awesome. But not that I know of.
-
@DustinB3403 said in Wazuh with Agents with Overlapping IP Addresses:
I've not seen anything that suggests DHCP agents are supported. Seems static assignment only.
DHCP is not the issue. It's having the same internal IP address which is the issue.
-