003. OSSEC Client Installation on Windows

OS: Windows XP SP3, Windows 7 i386
OSSEC Version: 2.6
Hardware: Virtual Machine (VirtualBox 4.1.8)

About

OSSEC is an open-source Host Intrusion Detection System (HIDS). OSSEC lets you monitor log files, check file integrity and detect rootkits in a client-server environment.

Prerequisite

OSSEC Client Installation

  • Run the downloaded exe file
    1. Welcome to OSSEC HIDS Windows Agent v2.6 Setup Wizard – Click Next
    2. License Agreement – Read the license agreement and if you agree click on I agree
    3. Choose Components – If you are not running IIS, untick “Scan and monitor IIS logs” and click Next
    4. Choose Install Location – Click Install
    5. Completing the OSSEC HIDS Windows Agent v2.6 Setup Wizard – check that “Run OSSEC Agent Manager” is marked and click Finish
  • On the OSSEC server run manage_agents tool to add a new client
/var/ossec/bin/manage_agents
Choose A to add an agent: A -> Enter
provide a name for your new agent: winxp-2 -> Enter
provide the IP of your new agent: x.x.x.x -> Enter
Provide an OSSEC ID for your new agent: 002 -> Enter
Confirm adding it?: y -> Enter
Choose E to extract key for an agent: E -> Enter
Provide the ID of the new agent: 002 -> Enter
Copy the agent key information
Press Enter to return to the main menu
Choose Q -> Enter to quit
  • On the OSSEC Windows client run the Manage Agents tool if it’s not already running and configure your new client installation
    1. Start -> All Programs -> OSSEC -> Manage Agents
    2. OSSEC Agent Manager – Fill your “OSSEC server IP”, and the “Authentication Key” that was copied from the server. Click save
    3. Confirm Importing Key – Click OK
    4. OSSEC Agent Manager – Click on Manage -> Start OSSEC
    5. Close OSSEC Agent Manager

That’s it. OSSEC client installation completed. You can browse to http://ossec_srv_IP/ossec and see messages from your new OSSEC client.

To install the OSSEC client on Linux use the following guide:

  • OSSEC Client Installation on CentOS

002. OSSEC Client Installation on CentOS 5.6 i386

OS: CentOS 5.6 32bit
OSSEC Version: 2.6
Hardware: Virtual Machine (VMware Server 2.0.0.2712)

About

OSSEC is an open-source Host Intrusion Detection System (HIDS). OSSEC lets you monitor log files, check file integrity and detect rootkits in a client-server environment.

Prerequisite

OSSEC Client Installation

  • Install atomic repository on your system
wget -q -O - https://www.atomicorp.com/installers/atomic | sh
Press Enter to accept the terms
  • Install OSSEC packages
yum install ossec-hids ossec-hids-client -y
  • On the OSSEC server run manage_agents tool to add a new client
/var/ossec/bin/manage_agents
Choose A to add an agent: A -> Enter
provide a name for your new agent: centos-1 -> Enter
provide the IP of your new agent: x.x.x.x -> Enter
Provide an OSSEC ID for your new agent: 001 -> Enter
Confirm adding it?: y -> Enter
Choose E to extract key for an agent: E -> Enter
Provide the ID of the new agent: 001 -> Enter
Copy the agent key information
Press Enter to return to the main menu
Choose Q to quit
  • On the OSSEC client run the manage_client tool to configure the new client
/var/ossec/bin/manage_client
Choose I to import the key from the server: I -> Enter
Paste the agent key you copied on the server: paste -> Enter
Confirm adding it: y -> Enter
Press Enter to return to the main menu: -> Enter
Choose Q to Quit
  • Start OSSEC
service ossec-hids start
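The key that manage_agents prints for option E (in both the Windows and the CentOS client guides above) is just a base64-encoded copy of one line from the server’s client.keys file: “ID NAME IP KEY”. Before pasting it into manage_client or the Windows Agent Manager it is worth checking that the blob decodes cleanly and belongs to the agent you just added, so a stray copy-paste from another agent does not get imported. The following Python helper is added here and is not part of the original guides or of OSSEC itself; the agent line it decodes is a constructed sample, not a real key.

```python
import base64
import ipaddress
import re

# Constructed sample of what manage_agents prints for option E on agent 002.
# The 64-hex-character key is made up for this example, not a real agent key.
SAMPLE_KEY_LINE = "002 winxp-2 192.168.56.102 " + "ab" * 32
SAMPLE_EXPORTED_KEY = base64.b64encode(SAMPLE_KEY_LINE.encode()).decode()

# OSSEC 2.x agent keys are 64 lowercase hex characters.
KEY_RE = re.compile(r"^[0-9a-f]{64}$")


def decode_agent_key(blob):
    """Decode an exported OSSEC agent key into (id, name, ip, key).

    Raises ValueError if the blob is not a well-formed client.keys line.
    """
    try:
        line = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("not a base64-encoded agent key") from exc
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("expected '<id> <name> <ip> <key>', got %r" % line)
    agent_id, name, ip, key = parts
    if not agent_id.isdigit():
        raise ValueError("agent id must be numeric: %r" % agent_id)
    # client.keys accepts a host IP, a CIDR network, or the literal "any".
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises ValueError if bad
    if not KEY_RE.match(key):
        raise ValueError("key must be 64 lowercase hex characters")
    return agent_id, name, ip, key


def key_matches(blob, expected_id, expected_name):
    """True if the decoded key is for the agent id/name you entered on the server."""
    agent_id, name, _ip, _key = decode_agent_key(blob)
    return agent_id == expected_id and name == expected_name


if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_EXPORTED_KEY))
    print(key_matches(SAMPLE_EXPORTED_KEY, "002", "winxp-2"))
```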

That’s it. OSSEC client installation completed. You can browse to http://ossec_srv_IP/ossec and see messages from your new OSSEC client.

To install the OSSEC client on Windows use the following guide:

  • OSSEC Client Installation on Windows

001. OSSEC Server Installation on CentOS

OS: CentOS 5.6 i386, CentOS 6.2 i386
OSSEC Version: 2.6
Hardware: Virtual Machine (VirtualBox 4.1.14)

About

OSSEC is an open-source Host Intrusion Detection System (HIDS). OSSEC lets you monitor log files, check file integrity and detect rootkits in a client-server environment.

OSSEC Server Installation

  • Install wget and update your system
yum install wget -y
yum update -y
reboot
  • If you are using CentOS 6 install EPEL repository
rpm -Uvh http://ftp.heanet.ie/pub/fedora/epel/6/i386/epel-release-6-7.noarch.rpm
  • Install atomic repository on your system
wget -q -O - https://www.atomicorp.com/installers/atomic | sh
Press Enter to accept the terms
  • Install OSSEC packages and apache for the WUI
yum install ossec-hids ossec-hids-server httpd php -y
  • Download and extract ossec-wui
cd /var/www/html
wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
tar zxvf ossec-wui-*.tar.gz
rm -f ossec-wui-*.tar.gz
mv ossec-wui-* ossec-wui
chown -R apache:apache /var/www/html/ossec-wui
  • Download and install ossec-wui patches
mkdir /usr/local/src/ossec
cd /usr/local/src/ossec
wget http://www.dopefish.de/files/ossec/ossec-wui-0.3_ossec_2.6.patch.tgz
cd /var/www/html/ossec-wui
tar zxvf /usr/local/src/ossec/ossec-wui-0.3_ossec_2.6.patch.tgz
mkdir /var/www/html/ossec-wui/tmp
chown apache:apache /var/www/html/ossec-wui/tmp
  • Edit the OSSEC configuration file: set the email parameters in the global section and add the Apache log files as localfile entries at the end of ossec.conf
vi /var/ossec/etc/ossec.conf
...
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>smtp.xxx.com.</smtp_server>
    <email_from>[email protected]</email_from>
  </global>
...
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>
  • Add the apache user to the ossec group (the -a flag appends the group instead of replacing apache’s existing supplementary groups)
usermod -a -G ossec apache
  • Configure OSSEC to run at startup and start it
chkconfig ossec-hids on
service ossec-hids start
  • Configure apache to run at startup and start it
chkconfig httpd on
service httpd start

That’s it. OSSEC server installation completed. You can browse to http://ossec_srv_IP/ossec-wui. The default user and password are: ossec/ossec.

After completing the server installation you can install new clients using these guides: