Step 1. Install OSSEC as an agent on a system (the client).
Step 2. Add the agent on AlienVault OSSIM using the dashboard and extract the key used for communication between the server and the client (agent).
Step 3. Import the authentication key on the client side.
1. Download the latest version and verify its checksum:

   # wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
   # wget http://www.ossec.net/files/ossec-hids-2.6_checksum.txt
   # cat ossec-hids-2.6_checksum.txt
   MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a
   SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e
   MD5 (ossec-agent-win32-2.6.exe) = 7d2392459aeab7490f28a10bba07d8b5
   SHA1 (ossec-agent-win32-2.6.exe) = fdb5225ac0ef631d10e5110c1c1a8aa473e62ab4
   # md5sum ossec-hids-2.6.tar.gz
   MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a
   # sha1sum ossec-hids-2.6.tar.gz
   SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e

   Both locally computed digests must match the values in the checksum file before you continue.

2. Extract the compressed package and run the ./install.sh script (the installation script starts):

   # tar -zxvf ossec-hids-*.tar.gz
   # cd ossec-hids-*
   # ./install.sh

   ** Para instalação em português, escolha [br].
   ** 要使用中文进行安装, 请选择 [cn].
   ** Fur eine deutsche Installation wohlen Sie [de].
   ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
   ** For installation in English, choose [en].
   ** Para instalar en Español , eliga [es].
   ** Pour une installation en français, choisissez [fr]
   ** Per l'installazione in Italiano, scegli [it].
   ** 日本語でインストールします．選択して下さい．[jp].
   ** Voor installatie in het Nederlands, kies [nl].
   ** Aby instalować w języku Polskim, wybierz [pl].
   ** Для инструкций по установке на русском ,введите [ru].
   ** Za instalaciju na srpskom, izaberi [sr].
   ** Türkçe kurulum için seçin [tr].
   (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en

   OSSEC HIDS v2.6 Installation Script - http://www.ossec.net

   1- What kind of installation do you want (server, agent, local or help)? agent
     - Agent(client) installation chosen.

   2- Setting up the installation environment.
    - Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec
       - Installation will be made at /opt/ossec .

   3- Configuring the OSSEC HIDS.
     3.1- What's the IP Address of the OSSEC HIDS server?: 169.144.105.90
       - Adding Server IP 169.144.105.90
     3.2- Do you want to run the integrity check daemon? (y/n) [y]:
       - Running syscheck (integrity check daemon).
     3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
       - Running rootcheck (rootkit detection).
     3.4 - Do you want to enable active response? (y/n) [y]:
     3.5- Setting the configuration to analyze the following logs:
       -- /var/log/messages
       -- /var/log/auth.log
       -- /var/log/syslog
       -- /var/log/vsftpd.log
       -- /var/log/mail.info
       -- /var/log/dpkg.log
       -- /var/log/apache2/error.log (apache log)
       -- /var/log/apache2/access.log (apache log)

   4- Installing the system
     - Running the Makefile
   INFO: Little endian set.
   . . . <Output Truncated>
     - System is Debian (Ubuntu or derivative).
     - Init script modified to start OSSEC HIDS during boot.

   - Configuration finished properly.
   - To start OSSEC HIDS:   /opt/ossec/bin/ossec-control start
   - To stop OSSEC HIDS:    /opt/ossec/bin/ossec-control stop
   - The configuration can be viewed or modified at /opt/ossec/etc/ossec.conf
3. Extract the key for the new agent by clicking the golden key icon in the Actions column.
Method 2. Using the terminal on the server side to add the agent

1. Add the agent:

   # /var/ossec/bin/manage_agents

   ****************************************
   * OSSEC HIDS v2.6 Agent manager.       *
   * The following options are available: *
   ****************************************
      (A)dd an agent (A).
      (E)xtract key for an agent (E).
      (L)ist already added agents (L).
      (R)emove an agent (R).
      (Q)uit.
   Choose your action: A,E,L,R or Q: A

   - Adding a new agent (use '\q' to return to the main menu).
     Please provide the following:
      * A name for the new agent: test1
      * The IP Address of the new agent: 169.144.105.91
      * An ID for the new agent[001]: 001
   Agent information:
      ID:001
      Name:test1
      IP Address:169.144.105.91

   Confirm adding it?(y/n): y

2. Extract the agent key:

   ****************************************
   * OSSEC HIDS v2.6 Agent manager.       *
   * The following options are available: *
   ****************************************
      (A)dd an agent (A).
      (E)xtract key for an agent (E).
      (L)ist already added agents (L).
      (R)emove an agent (R).
      (Q)uit.
   Choose your action: A,E,L,R or Q: E

   Available agents:
      ID: 001, Name: test1, IP: 169.144.105.91
   Provide the ID of the agent to extract the key (or '\q' to quit): 001

   Agent key information for '001' is:
   MDAxIHRlc3QxIDE2OS4xNDQuMTA1LjkxIGY2MmE2OTZlYWUxM2JjNzBmNjY4ZjMxOTA1Mzk3N2VhZTdmYjU2ZTI5MWRjNDc4MmYzN2NmMGM3NDhiMTE3NzA=
After adding the OSSEC agent on the client, restart both the server and the client so they start communicating:

   on the client terminal:
   # /opt/ossec/bin/ossec-control start
   (use the install location chosen in step 2 above; the default is /var/ossec)

   on the server terminal:
   # /var/ossec/bin/ossec-control restart
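Before importing the extracted key on the client (Step 3), it is worth confirming that the string you copied actually decodes to the agent entry you created on the server: the key is base64 of "ID NAME IP SECRET", so a pasted key with the wrong ID or IP, or one mangled by a line wrap, can be caught before the agent is started. The following is an added example, not part of the original document or of OSSEC itself; it assumes a POSIX shell with base64, tr, grep and cut available and uses the key shown above for agent 001.

```shell
#!/bin/sh
# Added example (not from the original document): sanity-check an OSSEC agent
# key before importing it on the client. The string manage_agents prints with
# option (E) is base64; decoded, it reads "ID NAME IP SECRET", where SECRET is
# 64 hex digits. A key whose ID or IP does not match the server's entry for this
# host will not authenticate, so the check runs before the import.
# Requires: base64, grep, tr, cut (coreutils).

# ossec_check_key KEY ID NAME IP  ->  exit 0 only if KEY decodes to exactly that agent
ossec_check_key() {
    key=$1; want_id=$2; want_name=$3; want_ip=$4
    # Drop whitespace/newlines that copy-paste or line wrapping may have added.
    clean=$(printf '%s' "$key" | tr -d ' \t\r\n')
    decoded=$(printf '%s' "$clean" | base64 -d 2>/dev/null) || return 1
    set -f                      # no pathname expansion while splitting fields
    set -- $decoded
    set +f
    [ $# -eq 4 ] || return 1    # must be exactly ID NAME IP SECRET
    [ "$1" = "$want_id" ] && [ "$2" = "$want_name" ] && [ "$3" = "$want_ip" ] || return 1
    # The shared secret must be exactly 64 lowercase hex digits.
    printf '%s' "$4" | grep -Eq '^[0-9a-f]{64}$'
}

# ossec_key_agent KEY  ->  prints "ID NAME IP" so the owner of a key can be eyeballed
ossec_key_agent() {
    printf '%s' "$1" | tr -d ' \t\r\n' | base64 -d 2>/dev/null | cut -d' ' -f1-3
}

# Key exactly as printed by manage_agents above for agent 001 (line wrap removed).
AGENT_KEY='MDAxIHRlc3QxIDE2OS4xNDQuMTA1LjkxIGY2MmE2OTZlYWUxM2JjNzBmNjY4ZjMxOTA1Mzk3N2VhZTdmYjU2ZTI5MWRjNDc4MmYzN2NmMGM3NDhiMTE3NzA='

if ossec_check_key "$AGENT_KEY" 001 test1 169.144.105.91; then
    echo "key belongs to: $(ossec_key_agent "$AGENT_KEY") - safe to import on the agent"
else
    echo "key does not match agent 001/test1/169.144.105.91 - do not import it" >&2
fi
```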