Friday, June 22 2018

Configuring OSSEC Clients with OSSIM


Adding OSSEC Agents for Vulnerability and File Integrity Scanning:

In this tutorial I’ll be installing OSSEC agents on Windows and Linux client machines so that they are monitored by the OSSIM SIEM. To configure OSSEC clients with OSSIM, the OSSEC agent has to be downloaded and installed on the hosts, but first we enable the OSSEC plugin on the OSSIM server.

To enable the OSSEC plugin on the OSSIM server, follow the steps shown below:

1- Go to:

Configure Sensor > Configure Data Source Plugins > select “ossec-single-line” (if not already enabled) > select OK

OSSEC-1

OSSEC-2

OSSEC-3
2- Go back to the main screen, select “Apply All Changes” and select OK.

OSSEC-4

3- Select “YES” on the next confirmation screen.

OSSEC-5

4- This may take some time to complete, and the server restarts as shown below:

OSSEC-6


Generate OSSEC Client Keys:

1- Select “Jailbreak System” and then “OK”.

OSSEC-7
2- Execute the following command to add an OSSEC agent:

# /var/ossec/bin/manage_agents
– Enter “A” to add a new OSSEC agent.
– Provide the required information: the client name to show, its IP address and the client ID (leave the default if you do not want to change it).
– Press “y” to save the client’s information.

OSSEC-8
3- Now extract the client key by running the same command again:

# /var/ossec/bin/manage_agents
– Enter “E” to extract the client’s key.
– Enter the client’s ID; in my case it is 001, as shown below.
– Copy the extracted key as shown below and exit.

OSSEC-9

Restart the OSSEC control services with:

# /var/ossec/bin/ossec-control restart

Installing OSSEC Agent on Windows Host:

Download the latest stable release of the OSSEC agent for Windows from the following link:

http://www.ossec.net/?page_id=19

1- Run the downloaded “ossec-agent-win32XXXX.exe” file.

OSSEC-10
2- Enter the IP address of the OSSIM server and the key generated and extracted in step 3 above, then click Save.

OSSEC-11
3- Start the OSSEC agent on the client host so that it begins sending file integrity alerts to the OSSIM server.

OSSEC-12
4- Restart the OSSEC service on the OSSIM server with:

# /var/ossec/bin/ossec-control restart


Installing OSSEC Agent on Linux/Unix Host:

On Linux the OSSEC agent has to be built from source. Many production Linux systems, however, have the compilation tools removed.
What a basic build environment requires depends on the Linux distribution you deploy on, but at a minimum you need a C compiler plus the basic kernel and libc header files. These can be installed with the appropriate package manager commands.

For Debian-based systems (e.g. Ubuntu):

# sudo apt-get install build-essential

For Red Hat-based systems (e.g. CentOS):

# yum groupinstall "Development Tools" -y
# yum install kernel-devel -y

Change the working directory to a location suitable for building and installing software from:

# cd /usr/src

Download the latest version available; at the time of writing, 2.7 is the latest:

# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

Extract the downloaded archive using tar:

# tar -xzvf ossec-hids-2.7.tar.gz

Change into the extracted source directory and run the install script:

# cd ossec-hids-2.7

# /bin/bash ./install.sh


Ubuntu uses /bin/dash as its default /bin/sh. This breaks the installer and makes it install the OSSEC server component instead of the agent you asked for; calling /bin/bash directly, as in the command above, avoids the problem.
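Because production hosts often lack a compiler and because of the dash problem just described, it helps to check the build host before running the installer. The pre-flight script below is an added example, not part of the original post or of the OSSEC project; the tools and header files it looks for (cc, make, tar, gzip, /usr/include/stdio.h, /usr/include/sys/socket.h) are my assumptions about a minimal build environment, and the package commands it suggests are the ones given above.

```shell
#!/bin/sh
# Pre-flight check before running ./install.sh for an OSSEC agent build.
# Added example, not part of the original post or of OSSEC itself.
# Assumed minimal build environment: cc, make, tar, gzip and the libc headers.

# Print the names of the listed commands that are NOT on PATH, one per line.
# Usage: missing_tools cc make tar
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Print the listed header files that do not exist, one per line.
missing_headers() {
    for hdr in "$@"; do
        [ -f "$hdr" ] || echo "$hdr"
    done
}

# Return 0 if /bin/sh really is bash. On Ubuntu it is dash, and then the
# installer must be started as "/bin/bash ./install.sh".
sh_is_bash() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    case "$target" in
        *bash) return 0 ;;
        *)     return 1 ;;
    esac
}

# Suggest the package-manager command for this distribution family, chosen
# by which package manager is installed (same commands as in the post).
build_env_hint() {
    if command -v apt-get >/dev/null 2>&1; then
        echo "sudo apt-get install build-essential"
    elif command -v yum >/dev/null 2>&1; then
        echo "yum groupinstall \"Development Tools\" -y && yum install kernel-devel -y"
    else
        echo "unknown package manager: install a C compiler, make and the libc headers manually"
    fi
}

# Run all checks; returns 1 if anything needed for the build is missing.
preflight() {
    rc=0
    missing=$(missing_tools cc make tar gzip)
    if [ -n "$missing" ]; then
        echo "missing build tools:" $missing
        echo "try: $(build_env_hint)"
        rc=1
    fi
    missing=$(missing_headers /usr/include/stdio.h /usr/include/sys/socket.h)
    if [ -n "$missing" ]; then
        echo "missing libc headers:" $missing
        rc=1
    fi
    if sh_is_bash; then
        echo "/bin/sh is bash; ./install.sh runs as intended"
    else
        echo "/bin/sh is not bash; start the installer as: /bin/bash ./install.sh"
    fi
    return $rc
}

preflight || echo "fix the items above before running install.sh" >&2
```

Run it in the unpacked ossec-hids directory before install.sh; a host that fails the tool or header check will otherwise fail part way through the build, and the shell check tells you in advance whether the /bin/bash workaround is needed on this machine.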

– Pick your language for OSSEC; the default is English, which is what I’ve selected.

OSSEC Linux 2

– Press the Enter key to begin the installation.

OSSEC Linux 3

– Select “Installation Type” as “Agent”.

OSSEC Linux 4

– Enter the path where the OSSEC client should be installed; the default location is /var/ossec.

OSSEC Linux 5

– Enter the IP address or host name of the OSSIM server. If you use a host name, DNS or the local hosts file must resolve that name to the OSSIM server’s IP.

OSSEC Linux 6

– In the next steps:

– Choose whether you want the file integrity check enabled or not.

– Choose whether you want rootkit detection enabled or not.

– Choose whether you want to run the active response engine (it executes external commands when particular alerts trigger).

– OSSEC then displays the configured options:

OSSEC Linux 9

– The installation script now installs the OSSEC client agent.

– If no dependency issues arise, setup finishes smoothly; press Enter to finish when asked, as shown below:

OSSEC Linux 10


Configuring Client:

– First, generate the client key using the steps shown above.

– Now, on the client, as the root user, run the following command to add the generated OSSEC client key used for communication with the OSSIM server:

# /var/ossec/bin/manage_agents

OSSEC Linux 11

– Enter “I” to import a key from the server.
– Provide the client key extracted from the server previously:

OSSEC Linux 12

– Confirm, when asked, that the key is correct.

– Quit the OSSEC agent management tool by entering Q.

– Restart the OSSEC agent on the client host with the following command:

# /var/ossec/bin/ossec-control restart

– After configuring OSSEC agents, it is recommended to restart the OSSEC agent on the OSSIM server as well. Use the same Jailbreak System procedure described above to reach the OSSIM console, or use the OSSIM server’s web interface instead.

Go to:

Environment > Detection > OSSEC Control

Click “Restart” as shown in the figure below.

OSSEC Linux 13
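A mistyped or truncated key is the usual reason an agent never connects, and the key string itself looks like random text, so it is worth checking it before pasting it into the Windows agent (step 2 of the Windows section) or importing it with manage_agents “I” on Linux. The script below is an added example, not code from this post or from OSSEC; it assumes that the string printed by manage_agents “E” is the base64 encoding of the client.keys line “ID NAME IP KEY” with a 64-character hexadecimal key, and the sample key it checks is constructed, not a real one.

```shell
#!/bin/sh
# Check an OSSEC agent key string before pasting it into the Windows agent
# or importing it with manage_agents "I" on a Linux client.
# Added example, not part of the original post or of OSSEC itself.
# Assumption: the string printed by manage_agents "E" is the base64 encoding
# of the client.keys line "ID NAME IP KEY", where KEY is 64 hex characters.

# Decode the key and check its four fields. Prints "id=... name=... ip=..."
# on success so it can be compared with what was entered on the server;
# returns 1 (with a reason on stderr) on any problem.
validate_ossec_key() {
    encoded=$1
    decoded=$(printf '%s' "$encoded" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64" >&2; return 1; }
    # Split the decoded line into positional parameters.
    set -- $decoded
    if [ "$#" -ne 4 ]; then
        echo "expected 4 fields (ID NAME IP KEY), got $#" >&2; return 1
    fi
    id=$1; name=$2; ip=$3; key=$4
    case "$id" in
        *[!0-9]*|"") echo "agent ID '$id' is not numeric" >&2; return 1 ;;
    esac
    case "$ip" in
        any) ;;    # OSSEC accepts "any" as the agent address
        *[!0-9./]*|"") echo "address '$ip' is not an IPv4 address or CIDR" >&2; return 1 ;;
    esac
    case "$key" in
        *[!0-9a-fA-F]*|"") echo "key part is not hexadecimal" >&2; return 1 ;;
    esac
    if [ "${#key}" -ne 64 ]; then
        echo "key part has ${#key} characters, expected 64 (truncated paste?)" >&2; return 1
    fi
    echo "id=$id name=$name ip=$ip"
}

# Constructed sample (NOT a real key): a client.keys line encoded the way
# manage_agents prints it.
sample_key=$(printf '%s' "001 winhost01 192.168.1.50 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" | base64 | tr -d '\n')

validate_ossec_key "$sample_key"
```

Run it on the server right after extracting the key, or on the client before importing it; the printed ID, name and address should match what you entered when adding the agent, and a length complaint almost always means the key was cut off while copying.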

About Muhammad Attique

  • hamza

    Thank you for the help; you gave me great help.

  • afiqah

    Hi. I’m having difficulty viewing the collection of logs from AlienVault OSSIM using Jailbreak System (command line).

  • Muhammad Attique

    Hi Afiqah,

    How are you viewing the logs? What error are you facing specifically?

  • Abir Hamzi

    Hi, is there any configuration for PRADS for OSSIM v5.3?