But how can I install OSSEC on the Sec Onion Monitor, like an OSSEC server or OSSEC agent?
Aj,
You can find an overview of the process of installing an OSSEC agent here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC#adding-agents
You can choose to associate the agent with a master server or sensor by creating that agent on the respective machine; from there on, the OSSEC manager on that machine will be associated with and communicate with the agent on the device, and OSSEC on the machine (server/sensor) will generate alerts according to the rule levels defined in /var/ossec/etc/ossec.conf
You will then see these OSSEC alerts via ossec_agent in Sguil/Squert/ELSA.
Thanks,
Wes
1) Install the OSSEC agent on the server I am monitoring
2) Install the OSSEC server on the Security Onion server (the OSSEC agent sends the logs to the OSSEC server)
3) Configure ossec.conf on the server to associate it with the Security Onion server
4) See the alerts in Sguil
Aj,
OSSEC is already installed by default in Security Onion (manager and its own agent, for both server and sensor).
All you need to do is set up the agent configuration on the server or sensor with which you wish to associate the agent, extract the key, install the agent on the endpoint device, add the key and the IP address of the server it is to report to, then restart the agent on the device. If all is well, everything should be happy and you should see alerts as they fire in Sguil, etc.
You may not see alerts right away, but you can change the alerting level in ossec.conf to test for this, or check the agent connection where the OSSEC manager resides, or check the local OSSEC agent log on the endpoint device to ensure it is communicating correctly.
http://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-management.html
Keep in mind, you may need to run "sudo so-allow" on the server/sensor to which you are associating the OSSEC agent, in order to ensure the necessary ports are open for communication:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall#so-allow
Thanks,
Wes
Before doing any of this, run "sudo so-allow" on the machine (Security Onion server or sensor) the OSSEC agent will report to.
Choose "o" for OSSEC agent and enter the IP address of the endpoint device.
1. Run /var/ossec/bin/manage_agents on the server/sensor you want to configure the agent to report to.
2. Press "A" to add an agent
3. Provide a name for the agent
4. Configure the IP address for the agent.
5. Ensure the ID is okay for the agent (this is what you will use to extract the key later).
6. Confirm the addition of the agent. (Y)
7. From the same menu (/var/ossec/bin/manage_agents), press "E" to extract the key for the agent.
8. Enter the ID of the agent, and confirm.
9. Copy the key for the agent.
10. Install the agent (executable/pkg) on the endpoint device.
http://ossec.github.io/downloads.html
11. Run the agent and provide the server IP and agent key.
12. Restart the agent.
That should get you up and running.
Thanks,
Wes
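The two checks Wes mentions (agent status on the manager, and the connection messages in the endpoint's agent log) turned into a small script, added here as an illustration rather than code from the thread or from Security Onion; it assumes the stock OSSEC line formats reproduced in its constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion): parse the two places
# to look when a freshly added agent does not show up: the agent list on the
# manager (/var/ossec/bin/agent_control -l) and the endpoint's /var/ossec/logs/ossec.log.
# Assumed: the stock OSSEC line formats shown in the constructed samples below.

# Print one "ID NAME IP STATUS" line for every agent whose status is not Active.
# Feed it the output of: /var/ossec/bin/agent_control -l
inactive_agents() {
    awk -F', *' '/^ *ID: / {
        id = $1;     sub(/^ *ID: /, "", id)
        name = $2;   sub(/^Name: /, "", name)
        ip = $3;     sub(/^IP: /, "", ip)
        status = $4
        # "Active" agents and the manager entry itself (Active/Local) are healthy
        if (status !~ /^Active/) print id, name, ip, status
    }'
}

# Classify the endpoint's agent log: "connected" if the latest ossec-agentd
# connection message reports success, "not-connected" if the latest one is a
# failure, "no-messages" if no agentd connection messages were logged at all.
agent_link_state() {
    awk '
        /ossec-agentd.*Connected to the server/ { state = "connected" }
        /ossec-agentd.*(Waiting for server reply|Unable to connect|Problem receiving)/ { state = "not-connected" }
        END { if (state == "") state = "no-messages"; print state }
    '
}

# Constructed sample output of agent_control -l on the Security Onion server.
SAMPLE_LISTING='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: so-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 192.0.2.10, Active
   ID: 002, Name: db01, IP: 192.0.2.11, Disconnected
   ID: 003, Name: app01, IP: 192.0.2.12, Never connected'

# Constructed sample from the endpoint's ossec.log: one retry, then a working link.
SAMPLE_AGENT_LOG="2018/03/05 10:00:02 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.0.5'.
2018/03/05 10:00:06 ossec-agentd(4102): INFO: Connected to the server (10.0.0.5:1514)."

echo "Agents needing attention on the manager:"
printf '%s\n' "$SAMPLE_LISTING" | inactive_agents
echo "Endpoint agent link state: $(printf '%s\n' "$SAMPLE_AGENT_LOG" | agent_link_state)"
```

On a live server or sensor, replace the constructed listing with `/var/ossec/bin/agent_control -l | inactive_agents`, and run `agent_link_state` on the endpoint's ossec.log after importing the key and restarting the agent.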