Posted by: Eric Hansen
HIDS, IDS, linux, OSSEC
In my previous post, Minimalistic HIDS: OSSEC, I gave a guide on how to install the OSSEC server on Linux. While the server has a built-in agent (so you can monitor the server’s own activity), if you have more than one Linux machine to monitor, you’ll need to install agents on those machines as well.
Step 1: Add the agent to the server
You’d think installing the agent on the machine would be first, right? Not with OSSEC. What you actually need to do, before anything else, is set up a new agent on the server. So, fire up your SSH session and get ready for some fun. For this, go to where you installed OSSEC (I’ll be using /var/ossec/ here), and go to the bin directory (/var/ossec/bin/). Inside, run the manage_agents file (“./manage_agents”).
From there, enter “a” (without quotes, and it’s not case sensitive) to add an agent to the server. The first thing it’ll prompt you for is a name of the agent. I put in the host name of the machine, as it makes things easier later on.
The next thing it’ll want is the IP of the agent. This field is a little tricky. If the machine gets its IP from a DHCP server, you’ll need to use CIDR format (e.g. if the machine’s IP is currently 192.168.1.100, you’ll have to use 192.168.1.0/24 if it’s on a 255.255.255.0 subnet). This is due to how OSSEC works, and quite honestly, I can’t explain it beyond that… but I scratched my head a lot at first.
Lastly, it’ll prompt you for an ID for the host. This has to be an ID not currently in use. Also, please be aware that in any future OSSEC tasks requiring the ID of the agent, any leading zeros are required (so if you give the ID 003, you need to type 003 whenever the ID is requested). This makes sense, but is also kind of annoying at the same time. After that, it’ll ask you to confirm, so type “y” and hit enter.
Step 2: Get the authorization key for the agent
While you could restart the server now (which is required for it to see new agents), we’ll do that later. Instead, we’ll get the authorization key for the agent. After adding the agent, it should return you to the main menu of the program. This time, hit “e” and enter. This will list all the agents registered on the server. Enter the ID of the agent, and hit enter. You’ll see text appear for the agent key. Copy and paste this into a document somewhere, as you’ll need it later, and exit out of the manage_agents program. From here, restart OSSEC before continuing on to make sure the server picks up the new agent.
Step 3: Set up the agent
Here, I’m going to assume you already downloaded and untarred the compressed file (this is step #1 in my first guide linked above). So, I’m going to skip straight to the installation step.
Inside the downloaded and untarred OSSEC folder, run install.sh and choose your language preference again. If you are deciding for some reason to install an agent on a server that already has OSSEC installed (which wouldn’t be necessary, as all the other install types already include an agent), say no to upgrading OSSEC. Otherwise, choose agent as your install type. It’ll ask where you want to install it (by default /var/ossec/); I chose the default path, which is what I’ll be using in all my guides for OSSEC anyway. After that, it’ll ask you for the IP address of the OSSEC server. Put in the actual IP address of the server (not a CIDR-notated IP). For the sake of consistency, I’m accepting all the default options here as well. After this, it will compile OSSEC and install it into the path specified.
Step 4: Import the agent key
On the new agent, run manage_agents from /var/ossec/bin/, and choose “I”. From there, paste in the authentication key you received from the server once you added the agent there. Once you paste the key, it’ll ask if you want to confirm the addition; tell it yes. After this, restart the agent (/var/ossec/bin/ossec-control restart), and OSSEC should start monitoring the agent.
To make sure that the agent is working properly, check that there are no “cannot connect to server” type errors in /var/ossec/logs/ossec.log.
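As an added example (not from the original post), here is a small POSIX shell helper that checks the key you copied in Step 2 against the ID, name and IP you registered in Step 1 before you paste it in Step 4, and then counts connection errors in ossec.log as the last paragraph suggests. It assumes the exported key is the base64 encoding of an “ID NAME IP SECRET” line (the same layout as /var/ossec/etc/client.keys); the sample key and log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the key printed by
# manage_agents "e" is base64("ID NAME IP SECRET"), i.e. one client.keys line.

# Decode an exported agent key and print "ID NAME IP"; the secret is not echoed.
# Prints nothing if the blob is not a four-field client.keys line.
ossec_key_fields() {
    printf '%s' "$1" | base64 -d 2>/dev/null | awk 'NF == 4 { print $1, $2, $3 }'
}

# Succeed only when the key belongs to the agent you registered on the server.
# Usage: ossec_key_matches KEY EXPECTED_ID EXPECTED_NAME EXPECTED_IP
# The ID is compared as a string, so "3" will not match an agent added as "003".
ossec_key_matches() {
    key_fields=$(ossec_key_fields "$1")
    [ -n "$key_fields" ] || return 1
    [ "$key_fields" = "$2 $3 $4" ]
}

# Count ERROR/WARN lines about connecting to the server in an ossec.log fed on
# stdin, e.g.: ossec_connect_errors < /var/ossec/logs/ossec.log
ossec_connect_errors() {
    grep -c -i -E '(error|warn).*connect' || true
}

# Constructed sample data for the demo below (not copied from a real system).
SAMPLE_KEY=$(printf '%s' '003 webserver01 192.168.1.0/24 0123456789abcdef' | base64 | tr -d '\n')
SAMPLE_LOG='2013/03/10 12:00:01 ossec-agentd: INFO: Started (pid: 1234).
2013/03/10 12:00:02 ossec-agentd: WARN: Unable to connect to server 192.168.1.10, retrying.
2013/03/10 12:00:05 ossec-agentd: INFO: Connected to the server (192.168.1.10:1514).'

if ossec_key_matches "$SAMPLE_KEY" 003 webserver01 192.168.1.0/24; then
    echo "key belongs to agent $(ossec_key_fields "$SAMPLE_KEY")"
else
    echo "key does not match the registered agent; do not import it"
fi
echo "connection errors in log: $(printf '%s\n' "$SAMPLE_LOG" | ossec_connect_errors)"
```

A count of zero after the restart in Step 4 is what you want; a non-zero count usually means the server IP given to install.sh or the agent IP registered on the server is wrong.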