OSSEC Agent installation in Linux Step by Step

OSSEC Agent Installation on Linux 

Step 1

Download the OSSEC agent archive and unpack it with the command below:

tar xf ossec-hids-2.8.1.tar.gz

Step 2

It will be unpacked into a directory called ossec-hids-2.8.1. Go to that directory.

cd ossec-hids-2.8.1/

Step 3

Then start the installation.

Select agent mode when installing OSSEC on server machines and end hosts.

Step 4

Set the configuration path (the default is /var/ossec).

Step 5

Enter the IP address of the OSSEC server/manager (example: 192.168.1.10).

Step 6

Enable the integrity check feature of OSSEC in client mode.

Step 7

Enable the rootkit detection and active response features

Step 8

Press the “Enter” key to start the installation process.

Step 9

The following screen shows the start/stop scripts and the configuration path for OSSEC. Press the “Enter” key to complete the installation process.

Step 10

Add Agent to Server and Extract Its Key

On the OSSEC server, start the process of adding the agent.

/var/ossec/bin/manage_agents

You will then be presented with the options shown below. Choose “A” to add an agent.

(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A

Then you’ll be prompted to specify a name for the agent, its IP address, and an ID. Make the name unique, because it will help you in filtering alerts received from the server.

For the ID, you may accept the default by pressing ENTER.

When you enter all three fields, enter y to confirm.

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agentUbuntu
   * The IP Address of the new agent: your_agent_ip
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:agentUbuntu
   IP Address:111.111.111.111

Confirm adding it?(y/n): y
Agent added.

Step 11

After that, you’ll be returned to the main menu. Now you have to extract the agent’s key. Make sure you copy it, because you’ll have to enter it on the agent.

... Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: agentUbuntu, IP: 111.111.111.111
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw

** Press ENTER to return to the main menu.

Step 12

After pressing ENTER, you’ll be returned to the main menu again. Type q to quit.

... Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..

Step 13

Import The Key From Server to Agent

This section has to be completed on the agent, and it involves importing (copying) the agent’s key extracted on the server and pasting it on the agent’s terminal. To start, change to root by typing:

sudo su

Then type:

/var/ossec/bin/manage_agents

You’ll be presented with these options:

   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

After typing the correct option, follow the directions to copy and paste the key generated from the server.

Agent information:
   ID:001
   Name:test
   IP Address:104.236.222.251

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

Back at the main menu, type q to quit:

Choose your action: I or Q: q

This completes the agent installation in Linux.

OSSEC Agent Installation in Windows Step-by-Step

Installing the OSSEC agent on a Windows server

Step 1

Create a new OSSEC key for the agent from the Server

Step 2

manage_agents on the OSSEC server

The server version of manage_agents provides an interface to:

  • add an OSSEC agent to the OSSEC server
  • extract the key for an agent already added to the OSSEC server
  • remove an agent from the OSSEC server
  • list all agents already added to the OSSEC server.

Step 3:

To add an agent, run the command below:

/var/ossec/bin/manage_agents

The manage_agents menu:

****************************************
* OSSEC HIDS v2.5-SNP-100809 Agent manager.*
* The following options are available:*
***************************************

(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).   
(R)emove an agent (R).   
(Q)uit.
Choose your action: A,E,L,R or Q:

Typing the letter and pressing Enter initiates that function.

Step 4:

Adding an agent

To add an agent, type a at the start screen:

Choose your action: A,E,L,R or Q: A 

You are then prompted to provide a name for the new agent. This can be the hostname or another string to identify the system. In this example the agent name will be agent1.

Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
   * A name for the new agent: agent1

After that, you have to specify the IP address for the agent:

The IP Address of the new agent: 192.168.2.1/32

The last information you will be asked for is the ID you want to assign to the agent.

An ID for the new agent[001]:

As the final step in creating an agent, you have to confirm adding the agent:

Agent information:
   ID:002
   Name:agent1
   IP Address:192.168.2.1/32

Confirm adding it?(y/n): y
Agent added.

After that, manage_agents appends the agent information to /var/ossec/etc/client.keys and goes back to the start screen.

Step 5:

Extracting the key for an agent

After adding an agent, a key is created. This key must be copied to the agent. To extract the key, use the e option in the manage_agents start screen. You will be given a list of all agents on the server. To extract the key for an agent, simply type in the agent ID. Note that you have to enter all digits of the ID.

Choose your action: A,E,L,R or Q: E
Available agents:
   ID: 001, Name: agent1, IP: 192.168.2.1/32
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5m

** Press ENTER to return to the main menu.

The key is encoded in the string (shortened for this example) MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5Mm and includes information about the agent. This string can be added to the agent through the agent version of manage_agents.
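Because the extracted string carries the agent's ID, name and IP alongside the secret, it can be checked before it is pasted into an agent. The script below is an added example, not part of the original post; it assumes the string is base64 of a single "ID NAME IP SECRET" record, and the function name check_agent_key and the sample key are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the string printed by
# manage_agents is base64 of one record "ID NAME IP SECRET".

# check_agent_key KEY WANT_ID WANT_NAME WANT_IP
# Returns 0 if the key decodes and matches, 1 on a mismatch, 2 if malformed.
check_agent_key() {
    record=$(printf '%s' "$1" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64"; return 2; }
    # Split on whitespace; "extra" catches unexpected trailing fields.
    read -r id name ip secret extra <<EOF
$record
EOF
    if [ -z "$secret" ] || [ -n "$extra" ]; then
        echo "expected 4 fields (truncated or corrupted paste?)"; return 2
    fi
    case $id in
        ''|*[!0-9]*) echo "agent ID is not numeric"; return 2 ;;
    esac
    [ "$id" = "$2" ]   || { echo "ID mismatch: got $id";     return 1; }
    [ "$name" = "$3" ] || { echo "name mismatch: got $name"; return 1; }
    [ "$ip" = "$4" ]   || { echo "IP mismatch: got $ip";     return 1; }
    # Never echo the secret itself; report only its length.
    echo "ok: ID=$id name=$name IP=$ip secret=${#secret} chars"
}

# Constructed sample key (the secret is a made-up value, not a real agent key).
SAMPLE_KEY=$(printf '%s' \
    "002 agent1 192.168.2.1/32 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" \
    | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 002 agent1 192.168.2.1/32
```

A return code of 2 usually means the key was cut off during copy and paste; a return code of 1 means the key belongs to a different agent entry than the one intended.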

Step 6:

Download the OSSEC agent for Windows and save it in the location where it will be installed.

Step 7

In the OSSEC Server IP field, enter the IP address of the OSSEC server.

In the Authentication field, enter the key that was extracted earlier.

Step 8

Click Save, then click Manage and restart OSSEC.
