How To install and configure OSSEC Server and Client

on


Prepare RPMs required by ossec:

libprelude-0.9.24-3.el5.x86_64.rpm
ossec-hids-2.5.1-2.x86_64.rpm
ossec-hids-server-2.5.1-2.x86_64.rpm
ossec-hids-client-2.5.1-2.x86_64.rpm


Install the main ossec RPMs:




On the ossec server:

yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm hids-2.5.1-2.x86_64.rpm ossec-hids-server-2.5.1-2.x86_64.rpm


On the ossec agent:

yum localinstall libprelude-0.9.24-3.el5.x86_64.rpm hids-2.5.1-2.x86_64.rpm ssec-hids-client-2.5.1-2.x86_64.rpm


Make symbolic link on ossec server and agent:

ln -s /etc/init.d/ossec-hids /usr/bin/


Edit ossec.conf, make sure fill this property base on your environment:


On the server:

[root@ossec ~]#vi /var/ossec/etc/ossec.conf
 <global>
   <email_notification>yes</email_notification>
   <email_to>root@localhost</email_to>
   <smtp_server>127.0.0.1</smtp_server>
   <email_from>ossec@asyx.com</email_from>
 </global>


On the agent:

[root@client ~]#vi /var/ossec/etc/ossec.conf
<client>
   <server-ip>192.168.0.2</server-ip>  # make sure this your ossec server IP.
</client>



Generate key for new agent:



Add agent on the ossec server

[root@ossec ~]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
  (A)dd an agent (A).
  (E)xtract key for an agent (E).
  (L)ist already added agents (L).
  (R)emove an agent (R).
  (Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
 Please provide the following:
  * A name for the new agent: client.ossec.net    
  * The IP Address of the new agent: 192.168.1.3 
  * An ID for the new agent[001]: 001
Agent information:
  ID:001
  Name:client.ossec.net
  IP Address:192.168.1.3
Confirm adding it?(y/n): y
Agent added.


Extract key for an agent

****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
  (A)dd an agent (A).
  (E)xtract key for an agent (E).
  (L)ist already added agents (L).
  (R)emove an agent (R).
  (Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents: 
  ID: 001, Name: client.ossec.net, IP: 192.168.1.3
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is: MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==
** Press ENTER to return to the main menu.
press q button for quit from ossec Agent manager


On the ossec agent

[root@client ~]# /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
  (I)mport key from the server (I).
  (Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit):  MDAxIGNsaWVudC5vc3NlYy5uZXQgMTkyLjE2OC4xLjMgZTIxN2E0MzU1Nzg2OWNmNTdhNTAxYzNlOGFjZTQ4ZTViMTU2MjhkY2ZjMjViYmYwYWMyMDI4OGViMGFhMDg3Nw==
Agent information:
  ID:001
  Name:client.ossec.net
  IP Address:192.168.1.3
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
press q button for quit from ossec Agent manager

note: Libprelude is the Prelude library. Prelude is a Universal "Security Information Management" (SIM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".