Add OSSEC agent to Security Onion
tested on: Security Onion 12.04 (as of 2013-03-29)
On the system running Security Onion:
- if needed (check sudo ufw status): open port 1514 UDP:
sudo ufw allow proto udp from <ClientNet> to <SO-IP> port 1514
- add the agent and generate the key:
sudo /var/ossec/bin/manage_agents
- A for add an agent
- type the name, IP and agent ID
- confirm
- E for extract the key
- provide agent ID
- note down the key
On the client, i.e. the to-be OSSEC agent:
- download agent from http://www.ossec.net/?page_id=19
- verify MD5 / SHA1 hash
- install:
- Windows: …
- Debian / Ubuntu:
- you need a C compiler on the system!
- extract tarball
- for 2.7 agents: patch the installer, change line 372 of install.sh (the bash-only [[ ... ]] test fails when install.sh runs under /bin/sh, which is dash on Debian/Ubuntu):
- if [[ "X${USER_AGENT_SERVER_IP}" = "X" && "X${USER_AGENT_SERVER_NAME}" = "X" ]]; then
+ if [ "X${USER_AGENT_SERVER_IP}" = "X" -a "X${USER_AGENT_SERVER_NAME}" = "X" ]; then
- execute sudo ./install.sh
- choose language
- choose agent
- accept destination directory
- accept the default configuration options for now
- execute agent script: sudo /var/ossec/bin/manage_agents
- provide server IP and key (in the Windows program or agent CLI)
Finish and Verify:
- on SO restart OSSEC:
sudo service ossec-hids-server restart
- on SO verify OSSEC is listening (esp. when adding the first agent):
netstat -an | grep 1514 | grep ^udp
udp 0 0 0.0.0.0:1514 0.0.0.0:*
- on the client (Windows): restart the agent and verify the log says:
<date> ossec-agent(4102): INFO: Connected to the server (a.b.c.d)
- on SO: list the connected agents:
sudo /var/ossec/bin/list_agents -c
<name>-<IP> is active.
Debug and Troubleshoot:
- events will show up in Sguil if the level is >= 5 (check the alert log on SO, see below)
- test events: e.g. sudo to root using wrong password till sudo exits
- logs:
- SO:
- /var/ossec/logs/ossec.log
- /var/ossec/logs/alerts/alerts.log
- Windows client:
- C:\Program Files (x86)\ossec-agent\ossec.log
- Debian client:
- /var/ossec/logs/ossec.log
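As an added check that is not part of the original note: a small sh/awk filter for alerts.log that lists only the alerts at or above a chosen level, so you can tell which of your test events (e.g. the failed sudo attempts) reach the Sguil threshold of 5. The alert blocks below are constructed sample data; the rule IDs and levels follow OSSEC's default sudo rules but were not captured from a live system.

```shell
#!/bin/sh
# Constructed sample of OSSEC alerts.log blocks (not real data). Each block is
# separated by a blank line: header, date/agent/location, Rule line, raw log.
sample_alerts() {
  cat <<'EOF'
** Alert 1364567890.1: - syslog,sudo,
2013 Mar 29 12:00:01 (debian-agent) 192.0.2.10->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Mar 29 12:00:01 debian-agent sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash

** Alert 1364567895.2: - syslog,sudo,authentication_failed,
2013 Mar 29 12:00:06 (debian-agent) 192.0.2.10->/var/log/auth.log
Rule: 5404 (level 10) -> 'Three failed attempts to run sudo'
Mar 29 12:00:06 debian-agent sudo: alice : 3 incorrect password attempts ; TTY=pts/0 ; USER=root ; COMMAND=/bin/bash

** Alert 1364567900.3: - ossec,
2013 Mar 29 12:00:11 so-server->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
EOF
}

# Read alerts.log blocks from stdin and print one summary line per alert
# whose level is >= $1. Against the live file on SO (assumed path from the
# note above): sudo cat /var/ossec/logs/alerts/alerts.log | alerts_at_or_above 5
alerts_at_or_above() {
  awk -v min="$1" '
  BEGIN { RS = ""; FS = "\n" }            # paragraph mode: one alert per record
  {
    if (split($3, f, " ") < 4) next       # Rule: <id> (level <N>) -> <desc>
    lvl = f[4]; sub(/\)/, "", lvl)
    if (lvl + 0 < min + 0) next
    agent = "server"                      # no (name) means a server-local alert
    if (match($2, /\([^)]*\)/)) agent = substr($2, RSTART + 1, RLENGTH - 2)
    desc = $3; sub(/^[^>]*-> /, "", desc)
    printf "rule=%s level=%s agent=%s %s\n", f[2], lvl, agent, desc
  }'
}

# How many of the sample alerts would Security Onion forward to Sguil (level >= 5)?
sguil_visible_count() { sample_alerts | alerts_at_or_above 5 | wc -l | tr -d ' '; }
```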
- restart:
- SO:
- sudo /etc/init.d/ossec-hids-server restart
- Windows client:
- services snap-in: "OSSEC HIDS"
- Debian client:
- sudo /etc/init.d/ossec restart
- re-configure agent:
- delete the agent on SO:
- sudo /var/ossec/bin/manage_agents
- R for remove agent
- create a new agent, using a different agent name, on SO:
- sudo /var/ossec/bin/manage_agents
- A for add agent
- E for extract key
- configure agent on client:
- Windows: re-install
- Debian: sudo /var/ossec/bin/manage_agents, then I for import key
References:
- "Log Analysis using OSSEC" by Daniel B. Cid: http://ossec.net/ossec-docs/auscert-2007-dcid.pdf
- OSSEC Documentation – Manual – Agents: http://www.ossec.net/doc/manual/agent/ (and http://www.ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf)
- Security Onion Firewall FAQ: http://code.google.com/p/security-onion/wiki/Firewall