How to install and configure OSSEC Client/Agent Mode on Linux

ossec-agent
mm
Written By:- Santosh Prasad

OSSEC agent is a small program. Agent installed on the system to be monitored. It collects all information and forward it to the server for analysis and correlation. It also collect some information in real-time and others periodically. By default it has a very small memory and CPU footprint and not affecting the system’s usage and memory.

In this tutorial I am going to install and configure OSSEC Client/Agent mode on system.

To install or know about OSSEC Server mode refer our previous article.

Installing OSSEC Server mode on Linux and UNIX System

Client/Agent Mode

Follow the below steps to install OSSEC client/agents on server.

Server IP :- 192.168.1.5
Client/Agent IP :- 192.168.1.6

# yum install gcc
# cd /root/download/
# wget www.ossec.net/files/ossec-hids-2.8.1.tar.gz
--2017-02-06 04:19:23-- http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
Resolving www.ossec.net... 150.70.191.237
Connecting to www.ossec.net|150.70.191.237|:80... connected.

Now extract the OSSEC compress file and run the install.sh file.

# tar -zxvf ossec-hids-2.8.1.tar.gz
# cd ossec-hids-2.8.1
# ls
BUGS CONFIG CONTRIBUTORS INSTALL LICENSE README.md active-response contrib doc etc install.sh src

# ./install.sh
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin)

** Para instalação em português, escolha [br].
** ?????????, ??? [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** G?a e??at?stas? sta ????????, ep????te [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvu telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** ?????????????.???????.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowac w jezyku Polskim, wybierz [pl].
** ??? ?????????? ?? ????????? ?? ??????? ,??????? [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: [Press Enter]

Select Language default is English.

Next it will show the system detail, system user and host-name.

OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to [email protected] (or [email protected]).

- System: Linux client03.example.com 2.6.32-042stab111.12
- User: root
- Host: client03.example.com
-- Press ENTER to continue or Ctrl-C to abort. -- [Press Enter]

Now main part start from here to install OSSEC Client/Agents mode.

Select installation modes and type of OSSEC on the system.

-- Press ENTER to continue or Ctrl-C to abort. -- [Press Enter]

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

Set the configurations path /var/ossec is default.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: [Press Enter]

- Installation will be made at /var/ossec .

Enter the server IP address (192.168.1.5)

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.1.5

- Adding Server IP 192.168.1.5

Now enable integrity check for agent.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

Next enable rootkit detection, active response and syslog.

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]: y

3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

Press “enter” to start installation process.

5- Installing the system
- Running the Makefile
INFO: Little endian set.

*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
make[1]: Entering directory `/root/download/ossec-hids-2.8.1/src/external'
cd zlib-1.2.8/; ./configure; make libz.a;
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
make[2]: Entering directory `/root/download/ossec-hids-2.8.1/src/external/zlib-1.2.8'
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inffast.o inffast.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inflate.o inflate.c

Next it show some information like OS Detail Start and Stop OSSEC scripts and OSSEC configurations file.

- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at [email protected] or using our public maillist at
[email protected]
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---

Press “Enter” to finish the OSSEC Client/Agent installation part.

- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:

/var/ossec/bin/manage_agents

More information at:
http://www.ossec.net/en/manual.html#ma

Now Client/Agent side installation is done.

Connecting Server and Agent

After installing OSSEC agent successfully on the system now you have to connect it to server. Follow the below steps to connecting server and client.

Server Side Configuration

Adding an client :- Follow the below command to add client.

# /var/ossec/bin/manage_agents

You will need to type a to add an agent.

****************************************
* OSSEC HIDS v2.8.1 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: OSSEC-Client
* The IP Address of the new agent: 192.168.1.6
* An ID for the new agent[001]:
Agent information:
ID:001
Name:OSSEC-Client
IP Address:192.168.1.6

Confirm adding it?(y/n): y

Agent added.

Extract the key for an angent

****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
ID: 001, Name: OSSEC-Client, IP: 192.168.1.6
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIE9TU0VDLUNsaWVudCAxOTIuMTY4LjAuMTAxIGY0OTNiYzc5NWIwZTFiMmRlN2U4MjhlYmMxYmQxODRiNWJjMzkzNWI4NmU4MmVmNWVkZThlNTMyMWVlYWRiMTU=

** Press ENTER to return to the main menu.

Now copy the Agent Information Key to enter it for the agent.

Agent Side Configuration

Follow the below steps to add agent to server.

# /var/ossec/bin/manage_agents

Type i for import key from the server.

****************************************
* OSSEC HIDS v2.8.1 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIE9TU0VDLUNsaWVudCAxOTIuMTY4LjAuMTAxIGY0OTNiYzc5NWIwZTFiMmRlN2U4MjhlYmMxYmQxODRiNWJjMzkzNWI4NmU4MmVmNWVkZThlNTMyMWVlYWRiMTU=

Agent information:
ID:001
Name:OSSEC-Client
IP Address:192.168.1.6

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

Restart OSSEC Server and Agent

# /var/ossec/bin/ossec-control restart

Check Active Agents List

# /var/ossec/bin/list_agents -c

OSSEC-Client-192.168.1.6 is active.

I hope this article will be helpful to Install and Configure OSSEC Agent/Client on Linux and UNIX System. Read our another article Check level of traffic on website using command line with apache access log and Finding causes of heavy usage on web server using access log. If you have any queries and problem please comment in comment section or you can also ask your question.

Thanks.

About Author

mm

Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool article for you. If you have any query and suggestion please comment in comment section.

Other Post by Santosh Prasad

Visit All Post

Related Article

You may also Like

Leave a Comment

Shares