OSSEC Agent Installation on Linux
Download the OSSEC agent and unpack it with the command below:
tar xf ossec-hids-2.8.1.tar.gz
It will be unpacked into a directory called ossec-hids-2.8.1. Go to that directory.
Then start the installation.
When installing OSSEC on server machines and end hosts, select agent mode.
Set the configuration path (/var/ossec is the default).
Enter the IP address of the OSSEC server/manager (example: 192.168.1.10).
Enable the integrity check feature of OSSEC in client mode.
Enable the rootkit detection and active response features.
Press the “Enter” key to start the installation process.
The following window shows the start/stop scripts and configuration path for OSSEC. Press the “Enter” key to complete the installation process.
Add Agent to Server and Extract Its Key
On the OSSEC server, start the process of adding the agent.
You will then be presented with the options shown below. Choose “A” to add an agent.
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
Then you’ll be prompted to specify a name for the agent, its IP address, and an ID. Make the name unique, because it will help you in filtering alerts received from the server.
For the ID, you may accept the default by pressing ENTER.
Once you have entered all three fields, enter y to confirm.
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agentUbuntu
   * The IP Address of the new agent: your_agent_ip
   * An ID for the new agent:
Agent information:
   ID:001
   IP Address:188.8.131.52
Confirm adding it?(y/n): y
After that, you’ll be returned to the main menu. Now you have to extract the agent’s key. Make sure you copy it, because you’ll have to enter it on the agent.
...
Choose your action: A,E,L,R or Q: e
Available agents:
   ID: 001,
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw
** Press ENTER to return to the main menu.
After pressing ENTER, you’ll be returned to the main menu again. Type q to quit.
...
Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
Import The Key From Server to Agent
This section has to be completed on the agent, and it involves importing (copying) the agent’s key extracted on the server and pasting it on the agent’s terminal. To start, change to root by typing:
You’ll be presented with these options:
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i
After typing the correct option, follow the directions to copy and paste the key generated from the server.
Agent information:
   ID:001
   Name:test
   IP Address:184.108.40.206
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Back at the main menu, type q to quit:
Choose your action: I or Q: q
This completes the agent installation on Linux.
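
Before pasting an extracted key into the agent, it is worth confirming that it decodes cleanly and belongs to the agent you intended. The script below is an added example, not part of the original guide; it assumes the extracted key is the base64 encoding of the agent's "ID NAME IP SECRET" line, and the helper name and sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumption: an extracted agent key is base64 of "ID NAME IP SECRET".
# Needs base64 and sha256sum (GNU coreutils).

# inspect_agent_key KEY EXPECTED_ID EXPECTED_NAME  (hypothetical helper)
# Prints "ID NAME IP SHA256(SECRET)" and returns 0 if the key is well formed
# and names the expected agent. The secret itself is never printed.
inspect_agent_key() {
    key=$1 want_id=$2 want_name=$3

    # A damaged paste (stray characters, wrapped text) fails to decode.
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64" >&2; return 2; }

    # Expect exactly four space-separated fields.
    IFS=' ' read -r id name ip secret extra <<EOF
$decoded
EOF
    if [ -z "$secret" ] || [ -n "$extra" ]; then
        echo "key does not contain ID NAME IP SECRET" >&2; return 3
    fi

    # The agent ID is numeric (001 in the walkthrough above).
    case $id in
        ''|*[!0-9]*) echo "agent ID '$id' is not numeric" >&2; return 4 ;;
    esac

    # Refuse a key that was extracted for a different agent.
    if [ "$id" != "$want_id" ] || [ "$name" != "$want_name" ]; then
        echo "key is for '$id $name', expected '$want_id $want_name'" >&2
        return 5
    fi

    # Fingerprint the secret so server and agent admins can compare it
    # without exposing the key material.
    fp=$(printf '%s' "$secret" | sha256sum | cut -d' ' -f1)
    printf '%s %s %s %s\n' "$id" "$name" "$ip" "$fp"
}

# Constructed sample key (not a real agent key), built from the assumed layout.
SAMPLE_KEY=$(printf '001 agentUbuntu 192.0.2.10 0123456789abcdef0123456789abcdef' \
    | base64 | tr -d '\n')

inspect_agent_key "$SAMPLE_KEY" 001 agentUbuntu
```

Running the same check on the server and on the agent and comparing the printed fingerprint confirms that the key was copied intact without displaying it again.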