I have a Red Hat 6 Linux node running LEM Agent 6.2.1 and Console 6.2.1.
The agent connects with the manager and shows the connection as good. I can see data in the nDepth query coming from the host.
The Insertion IP comes from what we call the public Ethernet interface. This is the IP address associated with an interface on the host and is returned when DNS lookups are executed. The Detection IP is listed as what we call a private interface, which is not listed in DNS and is used for private communications between nodes in a cluster.
Here is an example:
Event Name: UserLogoff
EventInfo: PAM User Logoff "oracle" for service "/bin/su"
InsertionIP: PUBLIC.DOMAIN.com
Manager: MANAGER
DetectionIP: PRIVATE.IP.ADDRESS.HERE
InsertionTime: 8:50:11 Thu Mar 31 2016
DetectionTime: 8:50:10 Thu Mar 31 2016
Severity: 3
ToolAlias: Linux Auditd
InferenceRule:
ProviderSID: USER_END 15896 ses=4294967295
ExtraneousInfo: exe="/bin/su", result: success
SourceAccount:
SourceDomain:
SourceLogonID:
DestinationAccount: oracle
DestinationDomain:
DestinationLogonID: 4294967295
DestinationAccountType:
SourceMachine:
DestinationMachine:
PrivilegesExercised:
LogonType:
IsThreat: false
I want the Detection IP to be the public interface.
The effect of this is that the public named node shows connected, but doesn't show any events logged. Selecting Node Details shows no events. When selecting Node Details for the Private IP node, it shows events being recorded. I have tried deleting the Private IP node in the Manage Nodes screen, but as soon as more data is sent the Private IP node is recreated.
Is there some way to limit the LEM agent to use the Public IP to send data? It's already the default gateway for the host; what else do I need to do?