We are running OSSEC as a client-server model. ClientA & ClientB servers are web servers behind a load balancer. They both send information to a single OSSEC server (ServerA), where it invokes an active-response (i.e. dynamic IP blocking) accordingly.
clientA (OSSEC agent) --> ServerA (OSSEC server)
clientB (OSSEC agent) --> ServerA (OSSEC server)
The active-response feature of OSSEC works great for the most part. However, the problem is that even though clientA & clientB are "clustered," the OSSEC server will block the offending IP of an end-user pertinent to each client.
Meaning, if ServerA blocks an end-user IP of 1.2.3.4 on clientA, that same action is not reflected on clientB.
After reading through the OSSEC manual, I'm pretty sure there isn't a way to address this scenario. Or is there?
If there isn't, I was seeking advice or suggestions from the community to see if there's an alternative way to handle it.
Thank you.
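
Added example, not part of the original post: the per-agent behaviour described above matches an `<active-response>` block whose `<location>` is `local`, and OSSEC's `<location>` option also accepts `all`, which runs the command on every agent. The sketch below is for `ossec.conf` on ServerA and assumes the stock `firewall-drop` command; the level and timeout values are constructed for illustration.

```xml
<!-- ossec.conf on the OSSEC server (ServerA).
     Assumption: the stock firewall-drop command definition is in use. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Before: the block is applied only on the agent that reported the event,
     so an IP blocked on clientA stays reachable through clientB.

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>
-->

<!-- After: the same alert triggers firewall-drop on all agents, so both
     web servers behind the load balancer drop the source IP. -->
<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <!-- Other accepted values: local, server, defined-agent (with agent_id) -->
  <location>all</location>
  <!-- Constructed values: minimum alert level and block duration in seconds -->
  <level>6</level>
  <timeout>600</timeout>
</active-response>
```

With `all`, every agent registered to ServerA runs the block, not just clientA and clientB, so any agent that must not drop the IP needs active response disabled in its own `ossec.conf`. Restart the OSSEC server after the change, then confirm on both clients that a test alert produces an entry in each agent's `active-responses.log`.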