how to configure ossec headless linux agent


Kris Springer

May 30, 2019, 1:41:46 PM
to ossec-list
I've got Windows Ossec agents figured out, but I can't seem to find any good instructions on how to configure Linux agents.

I installed the ossec agent on one of my linux boxes (ubuntu server) as instructed here.

sudo apt update
sudo apt-get install ossec-hids-agent

That seemed to install fine, but where do I define the server and enter the agent key?  And how do I start the agent?
The documentation found here isn't very helpful.

I found a 'sample' ossec.conf file in /var/ossec/etc/
Is that what I'm supposed to edit?

service ossec status shows it's 'inactive'.  Am I supposed to manually start it?

The documentation seems inadequate.  Can someone please give me some specifics?


dan (ddp)

May 30, 2019, 1:44:30 PM
to ossec...@googlegroups.com
The configuration is in `/var/ossec/etc/ossec.conf`
Add a key with `/var/ossec/bin/manage_agents` or with
`/var/ossec/bin/agent-auth`

Sorry about the documentation, I've been busy.


Kris Springer

May 30, 2019, 2:53:36 PM
to ossec-list
Thanks Dan.  I've got it figured out now.  Here are my instructions for anyone else who comes across this thread.
----------------------------------------------------

The Security Onion server already has the Ossec Server running.  You must define each client, called an ‘agent’, that is allowed to send info to the server.


On the Security Onion Server

You must make sure UDP port 1514 is allowed on the server or it won’t allow agents to connect.

$ sudo ufw status

$ sudo ufw allow 1514/udp

$ sudo ufw status


Add a new agent (client machine)

$ sudo /var/ossec/bin/manage_agents

L lists all agents (clients) that are currently configured

A add an agent

Name the new agent. This can be any name, but ideally it should be the FQDN if it's a server.

Define the static IP the agent will be coming from.  It must have the subnet slash on the end.

Every agent gets a unique 3-digit ID number.

Click here to see all syntax options

[sample]

LinuxServer1

10.11.12.33/24   (can also be ‘any’ if on DHCP. See syntax options.)


L to see the newly added agent in the list.

E to get the Auth Key you need to copy and apply when installing on the client

Q to quit the manager.

Note: if removing agents, their ID numbers are not reusable.


On the Linux Client machine (also known as the agent)

Install instructions found here http://www.ossec.net/downloads/


$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash

$ sudo apt update

$ sudo apt install ossec-hids-agent


Define the Security Onion Server IP address.

$ sudo nano /var/ossec/etc/ossec.conf


Import the Auth Key that you copied from the server.

$ sudo /var/ossec/bin/manage_agents


Start the ossec agent service.

$ sudo service ossec start

$ sudo service ossec status


Check the logs to make sure it connected to the server.  

You may also see a few access errors for non-existent log files.  

$ sudo cat /var/ossec/logs/ossec.log



View some logs on Security Onion Server

Check the ‘HIDS’ alerts in Kibana to see if your new agent shows up as a new connection.
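As an added example (not part of the thread above), here are shell helpers for the client-side steps Kris lists: rendering the `<client>` block that goes in /var/ossec/etc/ossec.conf, decoding the key that `manage_agents` `E` printed on the server to confirm it was issued for this agent before importing it, and reading ossec.log to tell whether the agent actually connected. The key layout (base64 of "ID NAME IP HEXKEY") and the two agentd log phrases are how OSSEC behaves; the key, hex value and log lines themselves are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the client-side steps:
# (1) render the <client> block for /var/ossec/etc/ossec.conf,
# (2) decode the key that manage_agents 'E' printed on the server and check it
#     names the agent you expect before importing it, and
# (3) tell from ossec.log whether the agent actually reached the server.
# The sample key and log lines below are constructed for the demo.

# (1) The agent only needs the manager address; OSSEC reads it from <server-ip>.
ossec_client_config() {
    printf '<ossec_config>\n  <client>\n    <server-ip>%s</server-ip>\n  </client>\n</ossec_config>\n' "$1"
}

# (2) The exported key is base64 of "ID NAME IP HEXKEY". Print "ID NAME IP",
# or fail if the input is not a well-formed OSSEC key.
ossec_key_fields() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ $# -eq 4 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Succeeds only if the key was issued for this agent name and source address;
# a key issued for another host leaves the agent stuck waiting for a reply.
ossec_key_matches() {
    fields=$(ossec_key_fields "$1") || return 1
    want_name=$2; want_ip=$3
    set -- $fields
    [ "$2" = "$want_name" ] && [ "$3" = "$want_ip" ]
}

# (3) Classify ossec.log (stdin): agentd logs "Connected to the server" on
# success and repeats "Waiting for server reply" while UDP/1514 is blocked or
# the key does not match what the manager holds.
ossec_agent_state() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Connected to the server'; then echo connected
    elif printf '%s\n' "$log" | grep -q 'Waiting for server reply'; then echo waiting
    else echo unknown
    fi
}

# Constructed sample: key for agent 001 as the server would export it.
SAMPLE_HEX=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '001 LinuxServer1 10.11.12.33/24 %s' "$SAMPLE_HEX" | base64 | tr -d '\n')
SAMPLE_LOG_OK='ossec-agentd: INFO: Connected to the server (10.11.12.1:1514).'
SAMPLE_LOG_WAIT="ossec-agentd: WARN: Waiting for server reply (not started). Tried: '10.11.12.1'."

ossec_key_matches "$SAMPLE_KEY" LinuxServer1 10.11.12.33/24 && echo "key ok"
```

Run the check against the real key before pasting it into `manage_agents`, and pipe `sudo cat /var/ossec/logs/ossec.log` into `ossec_agent_state` after starting the service.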
 

dan (ddp)

May 31, 2019, 7:21:50 AM
to ossec...@googlegroups.com
Thanks for including your notes (some comments in-line).
I'll try to add some kind of walk through to the documentation when I
can make time for it.

On Thu, May 30, 2019 at 2:53 PM Kris Springer
<kspr...@innovateteam.com> wrote:
>
> Thanks Dan. I've got it figured out now. Here are my instructions for anyone else who comes across this thread.
> ----------------------------------------------------
>
> The Security Onion server already has the Ossec Server running. You must define each client, called an ‘agent’, that is allowed to send info to the server.
>
>
> On the Security Onion Server
>
> You must make sure UDP port 1514 is allowed on the server or it won’t allow agents to connect.
>
> $ sudo ufw status
>
> $ sudo ufw allow 1514/udp
>
> $ sudo ufw status
>
>
> Add a new agent (client machine)
>

This is actually the manage_agents menu from the server.
The agent's manage_agents should only have:
****************************************
* OSSEC HIDS v3.2.0 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.


> $ sudo /var/ossec/bin/manage_agents
>
> L lists all agents (clients) that are currently configured
>
> A add an agent
>
> Name the new agent. This can be any name, but ideally it should be the FQDN if it's a server.
>
> Define the static IP the agent will be coming from. It must have the subnet slash on the end.
>

If that's true, then there is a regression somewhere (or it's a wazuh change).
It's never needed the subnet stuff on complete IP addresses in the past.