Install OSSEC Agent


Adiel Navarro

May 2, 2016, 5:41:58 PM
to wa...@googlegroups.com

Can I install the OSSEC agent on a non-global zone in Solaris 10?

Or is it necessary to install the agent on a global zone?

 

Santiago Bassett

May 2, 2016, 10:27:18 PM
to Adiel Navarro, Wazuh mailing list
I haven't personally tested it, but I would say yes, you should be able to install an agent on a non-global zone.

I guess you just need to be sure that the agent has access to the resources you want to monitor such as log files, config files (Rootchecks) or binaries (FIM).

I hope it helps,

Santiago.  


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/00fd01d1a4bb%2474e80f60%245eb82e20%24%40mail.telcel.com.
For more options, visit https://groups.google.com/d/optout.

Adiel Navarro

May 3, 2016, 7:04:19 PM
to wa...@googlegroups.com

When trying to install the OSSEC agent on Solaris 5.10 (non-global zone), the following message appears:

 

./Makeall: test: argument expected
*** Error code 1
The following command caused the error:
/bin/sh ./Makeall all
make: Fatal error: Command failed for target `all'

 

What happened here?

Santiago Bassett

May 3, 2016, 7:08:52 PM
to Adiel Navarro, Wazuh mailing list
Targets can be server/agent/hybrid/local. Try choosing agent.

Try this:

make TARGET=agent


Adiel Navarro

May 4, 2016, 10:23:20 AM
to Santiago Bassett, Wazuh mailing list

I chose agent, and the error continues.

Adiel Navarro

May 4, 2016, 10:49:26 AM
to Santiago Bassett, Wazuh mailing list

This is the output when I tried to install OSSEC as “agent”:

 

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
cat: cannot open /etc/resolv.conf
cat: cannot open /etc/resolv.conf
OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net
 You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dc...@ossec.net (or danie...@gmail.com).
  - System: SunOS 5.10
  - User: root

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

  - Agent(client) installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 10.188.61.16

   - Adding Server IP 10.188.61.16

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]: y

  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/authlog
    -- /var/log/syslog
    -- /var/adm/messages

- If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

   --- Press ENTER to continue ---

5- Installing the system
- Running the Makefile
./Makeall: test: argument expected
*** Error code 1
The following command caused the error:
/bin/sh ./Makeall all
make: Fatal error: Command failed for target `all'

Error 0x5.
Building error. Unable to finish the installation.

 

 

 


Adiel Navarro

May 4, 2016, 5:17:24 PM
to Santiago Bassett, Wazuh mailing list

I installed an agent on a Solaris 5.10 server, and edited the ossec.conf file to monitor some directories.

 

In the OSSEC WUI I can see the agent active, but it only reports the change on the ossec.conf file.

Checking the logs for OSSEC I see the following messages:

 

2016/05/04 15:07:31 ossec-agentd(4102): INFO: Connected to the server (10.188.61.166:1514).
2016/05/04 15:07:34 ossec-syscheckd: INFO: Started (pid: 13441).
2016/05/04 15:07:34 ossec-rootcheck: INFO: Started (pid: 13441).
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/var'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/export/root/Adiel/home'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/var'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/etc'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/bin'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/sbin'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/export/root/Adiel/home'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/bin'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/sbin'.
2016/05/04 15:07:36 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/authlog'.
2016/05/04 15:07:36 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2016/05/04 15:07:36 ossec-logcollector(1950): INFO: Analyzing file: '/var/adm/messages'.
2016/05/04 15:07:36 ossec-logcollector: INFO: Started (pid: 13437).
2016/05/04 15:08:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2016/05/04 15:08:36 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2016/05/04 16:07:26 ossec-agentd: INFO: Event count after '20000': 4354483->3495216 (80%)

 

Is the agent really working?

Why can't I see changes in other directories in the WUI?

 

Santiago Bassett

May 4, 2016, 5:54:20 PM
to Adiel Navarro, Wazuh mailing list
Hi Adiel,

it looks like it is working. Although file changes won't trigger alerts in realtime. This works on Linux because kernels support inotify (API for monitoring files). I don't think Solaris kernels do support it, that is probably the reason why you have those warnings.

Try removing the realtime option from your ossec.conf. Also try changing the syscheck frequency to a value lower than default (I think default is around 20 hours). You can probably set it to 600 seconds, so it alerts you every 10 minutes. 

Just for your info, lowering frequency to less than 300 seconds won't be effective as checks will wait at least that to run again after they are done (hardcoded).

On the other hand, what WUI are you using? Did you set up ELK integration or just using default OSSEC one?

I hope it helps!

Santiago.
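Added example, not code from this thread or from the OSSEC/Wazuh projects: a Python script that (a) reads an agent log in the format Adiel pasted and reports whether the agent connected, which directories syscheck monitors and on which ones the realtime flag was ignored, and (b) rewrites the `<syscheck>` block of an ossec.conf the way Santiago suggests, dropping `realtime="yes"` and setting `<frequency>`. The log sample and the ossec.conf fragment (including its 79200-second frequency) are constructed for the example; the 300-second floor is Santiago's statement above, taken here as an assumption rather than verified against the OSSEC source.

```python
"""Added example (not from the thread or from OSSEC/Wazuh): confirm from the agent
log that syscheck is running but realtime is being ignored, and rewrite the
<syscheck> block of ossec.conf to scheduled scans with a shorter frequency."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of /var/ossec/logs/ossec.log, modelled on the lines Adiel pasted.
SAMPLE_LOG = """\
2016/05/04 15:07:31 ossec-agentd(4102): INFO: Connected to the server (10.188.61.166:1514).
2016/05/04 15:07:34 ossec-syscheckd: INFO: Started (pid: 13441).
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2016/05/04 15:07:34 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/etc'.
2016/05/04 15:07:34 ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '/usr/bin'.
2016/05/04 15:08:36 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
"""

# Constructed ossec.conf fragment: realtime requested on every directory, long frequency.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/export/root/Adiel/home</directories>
  </syscheck>
</ossec_config>
"""

CONNECTED = re.compile(r"ossec-agentd\(\d+\): INFO: Connected to the server \(([^)]+)\)")
MONITORING = re.compile(r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'")
REALTIME_IGNORED = re.compile(
    r"ossec-syscheckd: WARN: Ignoring flag for real time monitoring on directory: '([^']+)'")

# Assumption taken from Santiago's reply: syscheck waits at least 300 s between
# scans, so a <frequency> below that buys nothing.
MIN_FREQUENCY = 300


def syscheck_status(log_text):
    """Summarise the agent log: the server it connected to, the directories
    syscheck monitors, and the directories where the realtime flag was ignored."""
    status = {"server": None, "monitored": [], "realtime_ignored": []}
    for line in log_text.splitlines():
        m = CONNECTED.search(line)
        if m:
            status["server"] = m.group(1)
            continue
        m = MONITORING.search(line)
        if m:
            status["monitored"].append(m.group(1))
            continue
        m = REALTIME_IGNORED.search(line)
        if m:
            status["realtime_ignored"].append(m.group(1))
    return status


def disable_realtime(conf_xml, frequency=600):
    """Return conf_xml with realtime="yes" removed from every <directories> entry
    and <frequency> set to `frequency` seconds, never below MIN_FREQUENCY."""
    root = ET.fromstring(conf_xml)
    syscheck = root.find("syscheck")
    if syscheck is None:
        raise ValueError("no <syscheck> block in configuration")
    for directories in syscheck.findall("directories"):
        directories.attrib.pop("realtime", None)  # scheduled scans only on this platform
    freq = syscheck.find("frequency")
    if freq is None:
        freq = ET.SubElement(syscheck, "frequency")
    freq.text = str(max(int(frequency), MIN_FREQUENCY))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    s = syscheck_status(SAMPLE_LOG)
    print("connected to:", s["server"])
    print("monitored:", ", ".join(s["monitored"]))
    print("realtime ignored on:", ", ".join(s["realtime_ignored"]))
    print(disable_realtime(SAMPLE_CONF))
```

Running it against the constructed log shows the situation Santiago describes: the agent is connected and syscheck has the directories, so the warnings only mean that the realtime flag has no effect and alerts will arrive on the scheduled scan. The rewritten fragment is what you would paste back into `/var/ossec/etc/ossec.conf` before restarting the agent; `disable_realtime` clamps any requested frequency to the 300-second floor rather than silently writing a value that would not be honoured.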

Adiel Navarro

May 4, 2016, 6:10:40 PM
to Santiago Bassett, Wazuh mailing list

Thanks Santiago.

 

I am just using the default OSSEC WUI, which is included in the OVA.

 

How can I install/activate ELK integration?

 

 

 


Santiago Bassett

May 4, 2016, 7:14:19 PM
to Adiel Navarro, Wazuh mailing list
Hi Adiel,

when using ELK you would need to upgrade to our fork (which is not part of the OVA). You can do it by downloading it from GitHub and running the ./install script. Then you would need to choose if you want to run ELK locally in the same VM or in another one. I would recommend the second option (a new system) as it will provide better performance (unfortunately ELK makes intensive use of RAM).

Another possibility, if you don't want to go through the hassle of upgrading OSSEC/installing ELK, is to run our OSSEC-ELK Docker container, which comes with everything by default.

In comparison with OSSEC WUI, ELK will provide you an alerts management interface, with indexing and searching capabilities. I definitely recommend it.

I hope it helps,

Santiago.