How to make ossec agent and ossec server communicate over TCP?
If you are familiar with OSSEC you know that the OSSEC agent and the OSSEC server talk to each other over UDP (port 1514 by default). Sometimes UDP is not an option, for example because a firewall or NAT device on the path only passes TCP, and you need TCP, which OSSEC does not provide as of this writing. (Later OSSEC releases added a native TCP option for the agent-server channel, so check the release notes of the version you run before building a relay.)
I use the architecture below, but you can adapt it to your needs with a basic understanding of socat.
Machine A runs the OSSEC agent, machine C runs the OSSEC server, and machine B is the hop that all the logs pass through. Run socat as follows:
socat on machine A: socat udp4-listen:1514,fork,reuseaddr tcp4:<ip of machine B>:9999
socat on machine B: socat tcp4-listen:9999,fork,reuseaddr udp4:<ip of machine C>:1514
The number after each colon is a port. 1514 is OSSEC's default agent port; 9999 is an arbitrary TCP port of your choice, as long as both commands use the same one. Note that the listener on machine B accepts connections from anything that can reach port 9999, and whatever it receives is forwarded to the OSSEC server from machine B's IP, which is the IP the server will trust for this agent. Restrict that listener to your agent hosts (socat's range= option on the listen address, or a host firewall), and bind the UDP listener on machine A to 127.0.0.1 (socat's bind= option) so that only the local agent can feed it.
The agent and the server talk in both directions from the start: the agent authenticates to the server with its key and the server answers. socat relays in both directions, which is what makes it suitable here.
Normally you register the agent on the OSSEC server with an agent name and the agent's IP, and logs start arriving. That works when the agent talks to the server directly, but in this architecture the server sees the traffic coming from machine B, so register the agent with a name of your choice as usual but with the IP of machine B instead of machine A (the agent host). The reason is that the server only accepts an agent's key from the IP registered for that agent. Then install the key generated for that entry, the one carrying machine B's IP, on the OSSEC agent at machine A.
And don't forget to point the OSSEC agent on machine A at 127.0.0.1 (the <server-ip> in its ossec.conf), so that it sends to the local socat listener.
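To make the two hops concrete, here is a small Python reimplementation of what the two socat commands do, written for this page as an added example (it is not from the original post, nor OSSEC's or socat's code): a UDP listener for machine A that opens one TCP connection per UDP peer and carries replies back to that peer, a TCP listener for machine B that opens one UDP socket per connection towards machine C, and a stand-in for the OSSEC server that acknowledges each datagram. Everything runs on loopback with ports picked at run time instead of 1514 and 9999, and the TCP leg carries a 2-byte length prefix per datagram, which socat does not add (it relies on one write per datagram); both are assumptions of this example.

```python
# UDP -> TCP -> UDP relay reproducing the two socat hops described above. Added
# example, not code from the original post, OSSEC or socat. Assumptions: a 2-byte
# length prefix frames each datagram on the TCP leg, and all roles run on loopback.
import socket, struct, threading

HDR = struct.Struct("!H")  # big-endian 16-bit datagram length

def recv_exact(conn, n):
    buf = b""
    while len(buf) < n and (chunk := conn.recv(n - len(buf))):
        buf += chunk
    return buf if len(buf) == n else None  # None on EOF

def send_frame(conn, data):
    conn.sendall(HDR.pack(len(data)) + data)

def recv_frame(conn):
    hdr = recv_exact(conn, HDR.size)
    return None if hdr is None else recv_exact(conn, HDR.unpack(hdr)[0])

class RelayA:
    """Machine A: udp-listen -> tcp:<B>. One TCP connection per UDP peer, replies go back to it."""
    def __init__(self, b_addr):
        self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.udp.bind(("127.0.0.1", 0))
        self.addr, self.b_addr, self.conns = self.udp.getsockname(), b_addr, {}
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):  # only this thread touches self.conns
        while True:
            data, peer = self.udp.recvfrom(65535)
            conn = self.conns.get(peer)
            if conn is None:  # first datagram from this peer: open its TCP leg to B
                conn = self.conns[peer] = socket.create_connection(self.b_addr)
                threading.Thread(target=self._pump_back, args=(conn, peer), daemon=True).start()
            send_frame(conn, data)

    def _pump_back(self, conn, peer):  # B -> A -> the UDP peer (the two-way tunnel)
        while (data := recv_frame(conn)) is not None:
            self.udp.sendto(data, peer)

class RelayB:
    """Machine B: tcp-listen -> udp:<C>. One connected UDP socket per TCP client."""
    def __init__(self, c_addr):
        self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.tcp.bind(("127.0.0.1", 0))
        self.tcp.listen(16)
        self.addr, self.c_addr, self.accepted = self.tcp.getsockname(), c_addr, 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.tcp.accept()
            self.accepted += 1
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.connect(self.c_addr)  # connected UDP: only C's replies are read back
        def pump_back():  # C -> B -> A
            try:
                while True:
                    send_frame(conn, udp.recv(65535))
            except OSError:
                pass  # one side closed
        threading.Thread(target=pump_back, daemon=True).start()
        while (data := recv_frame(conn)) is not None:
            udp.send(data)
        udp.close()
        conn.close()

def start_fake_server():  # stand-in for the OSSEC server on C: answers ACK:<data>
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def loop():
        while True:
            data, peer = srv.recvfrom(65535)
            srv.sendto(b"ACK:" + data, peer)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def demo():
    """Two agents, three messages; agent 1's two datagrams share one TCP connection."""
    relay_b = RelayB(start_fake_server())
    relay_a = RelayA(relay_b.addr)
    def ask(agent, payload):  # send to A's listener as the agent would, wait for the reply
        agent.settimeout(5)
        agent.sendto(payload, relay_a.addr)
        return agent.recvfrom(65535)[0]
    agent1, agent2 = (socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2))
    replies = (ask(agent1, b"agent1 msg 1"), ask(agent1, b"agent1 msg 2"),
               ask(agent2, b"agent2 msg 1"))
    return replies, relay_b.accepted

if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three acknowledgements and the connection count. The point to take away is that machine B sees one TCP connection per agent socket rather than one per message, and that the server's answer travels back through the same connection to the UDP peer that opened it, which is what the two-way traffic between agent and server needs.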
To get rid of the intermediate machine B, you might think of pointing the socat on machine A directly at machine C and running another socat there to forward the data to localhost, but it doesn't work, possibly because the OSSEC server already has an entry for localhost for receiving the local machine's logs. If you find a way around this, let me know.
Machine B can also serve as a concentrator: it can accept TCP connections from multiple OSSEC agents and relay all of them to the OSSEC server. Every one of those agents then has to be registered with machine B's IP; if manage_agents refuses a second agent with the same IP, register them with the IP 'any' instead, keeping in mind that this drops the source-IP check for those agents and makes firewalling port 9999 on machine B all the more important.
For each continuous flow of UDP packets received by the socat on machine A, socat opens a corresponding TCP connection to machine B and then closes it again: UDP has no EOF, so socat waits its default 0.5 seconds (the -t option) and terminates the connection. You will therefore see many short-lived TCP connections from random source ports on machine A to machine B; socat's -T option sets an inactivity timeout if you want to control their lifetime. If you see many connections on machine B stuck in the LAST_ACK state, a firewall on machine A is probably dropping the final ACK before it reaches machine B.
For debugging in your environment, capture traffic with tcpdump on Linux or Wireshark on Windows, and run socat with -d -d -d for verbose logging. On Windows you may need RawCap to capture loopback traffic.
