Prepare the RPMs required by OSSEC:
libprelude-0.9.24-3.el5.x86_64.rpm
ossec-hids-2.5.1-2.x86_64.rpm
ossec-hids-server-2.5.1-2.x86_64.rpm
ossec-hids-client-2.5.1-2.x86_64.rpm
Install the main OSSEC RPMs:
On the OSSEC server:
yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm ossec-hids-2.5.1-2.x86_64.rpm ossec-hids-server-2.5.1-2.x86_64.rpm
On the OSSEC agent:
yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm ossec-hids-2.5.1-2.x86_64.rpm ossec-hids-client-2.5.1-2.x86_64.rpm
Create a symbolic link to the init script on both the OSSEC server and the agent:
ln -s /etc/init.d/ossec-hids /usr/bin/
Edit ossec.conf and make sure these properties are set according to your environment:
On the server:
[root@ossec ~]# vi /var/ossec/etc/ossec.conf
<global>
  <email_notification>yes</email_notification>
  <email_to>root@localhost</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossec@asyx.com</email_from>
</global>
On the agent:
[root@client ~]# vi /var/ossec/etc/ossec.conf
<client>
  <server-ip>192.168.0.2</server-ip>  <!-- make sure this is the IP of your OSSEC server -->
</client>
Generate a key for the new agent:
Add the agent on the OSSEC server:
[root@ossec ~]# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: client.ossec.net
   * The IP Address of the new agent: 192.168.1.3
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:client.ossec.net
   IP Address:192.168.1.3

Confirm adding it?(y/n): y
Agent added.
Extract the key for the agent:
****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: client.ossec.net, IP: 192.168.1.3
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==

** Press ENTER to return to the main menu.
Press Q to quit the OSSEC agent manager.
On the OSSEC agent:
[root@client ~]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==

Agent information:
   ID:001
   Name:client.ossec.net
   IP Address:192.168.1.3

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Press Q to quit the OSSEC agent manager.
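The key string manage_agents prints is base64 of "<id> <name> <ip> <64-hex-char secret>", so a copy/paste error (a stray space, a key extracted for the wrong agent) can be caught on the agent before it is imported. The shell function below is an added example, not part of OSSEC or of this how-to; it assumes coreutils base64 is available (falling back to openssl on older hosts such as CentOS 5) and uses the key shown above as constructed sample input.

```shell
#!/bin/sh
# Constructed sample: the key string manage_agents printed for agent 001 above.
SAMPLE_KEY='MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw=='

# Decode a manage_agents key string to its plain "id name ip secret" line.
# Assumes coreutils base64; older hosts without it fall back to openssl.
ossec_decode_key() {
    if command -v base64 >/dev/null 2>&1; then
        printf '%s' "$1" | base64 -d 2>/dev/null
    else
        printf '%s' "$1" | openssl enc -base64 -d -A 2>/dev/null
    fi
}

# Check a key string before pasting it into the agent's manage_agents.
#   $1 key string  $2 expected ID  $3 expected agent name  $4 expected agent IP
# Returns 0 only if the string is clean base64 and every embedded field matches.
ossec_check_agent_key() {
    key=$1; want_id=$2; want_name=$3; want_ip=$4
    # manage_agents warns not to include spaces or newlines; reject them outright.
    case $key in *[[:space:]]*) echo "key contains whitespace" >&2; return 1;; esac
    decoded=$(ossec_decode_key "$key") || { echo "not valid base64" >&2; return 1; }
    # Split the decoded line into its four fields (word splitting is intended).
    set -- $decoded
    [ "$#" -eq 4 ]          || { echo "expected 4 fields, got $#" >&2; return 1; }
    [ "$1" = "$want_id" ]   || { echo "ID mismatch: got $1" >&2; return 1; }
    [ "$2" = "$want_name" ] || { echo "name mismatch: got $2" >&2; return 1; }
    [ "$3" = "$want_ip" ]   || { echo "IP mismatch: got $3" >&2; return 1; }
    # The shared secret is 64 lowercase hex characters; anything else is corrupt.
    [ "${#4}" -eq 64 ]      || { echo "secret is not 64 characters" >&2; return 1; }
    case $4 in *[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1;; esac
    return 0
}

# Usage: run on the agent with the values you expect for this host.
ossec_check_agent_key "$SAMPLE_KEY" 001 client.ossec.net 192.168.1.3 \
    && echo "key matches agent 001 (client.ossec.net / 192.168.1.3)"
```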
Note: libprelude is the Prelude library. Prelude is a universal "Security Information Management" (SIM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".