{"id":1673,"date":"2018-12-10T22:43:07","date_gmt":"2018-12-10T19:43:07","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1673"},"modified":"2024-03-11T21:48:33","modified_gmt":"2024-03-11T18:48:33","slug":"how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7\/","title":{"rendered":"Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install and configure OSSEC agent on Ubuntu 18.04\/CentOS 7. OSSEC is an open source Host-based Intrusion Detection System (HIDS) that runs across multiple OS platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX.<\/p>\n\n\n\n<p>It monitors all aspects of system activity such as;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>file integrity monitoring<\/li>\n\n\n\n<li>Windows registry monitoring<\/li>\n\n\n\n<li>log monitoring<\/li>\n\n\n\n<li>rootcheck<\/li>\n\n\n\n<li>process monitoring<\/li>\n<\/ul>\n\n\n\n<p>It can also be configured to notify on suspicious activity via alert logs or email alerts. OSSEC can be integrated with SIEM solutions such as AlienVault. 
You can therefore have a look at our previous article on setting up AlienVault HIDs agent on a Linux system by following the link below;<\/p>\n\n\n\n<p><a title=\"How to Install and Configure AlienVault HIDs Agent on a Linux Host\" href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-ossec-agent-on-linux-host\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">How to Install and Configure AlienVault HIDs Agent on a Linux Host<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-ossec-agent-on-ubuntu-18-04-cent-os-7\">Installing OSSEC agent on Ubuntu 18.04\/CentOS 7<\/a><ul><li><a href=\"#prerequisites\">Prerequisites<\/a><ul><li><a href=\"#install-prerequisites-on-ubuntu\">Install Prerequisites on Ubuntu<\/a><\/li><li><a href=\"#install-prerequisites-on-cent-os\">Install Prerequisites on CentOS<\/a><\/li><\/ul><\/li><li><a href=\"#download-ossec-agent-tarball\">Download OSSEC Agent Tarball<\/a><\/li><li><a href=\"#extract-ossec-source-code\">Extract OSSEC Source Code<\/a><\/li><li><a href=\"#install-ossec-agent-on-ubuntu-18-04-cent-os-7\">Install OSSEC Agent on Ubuntu 18.04\/CentOS 7<\/a><\/li><li><a href=\"#connect-the-agent-to-the-server\">Connect the Agent to the Server<\/a><\/li><li><a href=\"#start-the-ossec-agent\">Start the OSSEC Agent<\/a><\/li><\/ul><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-ossec-agent-on-ubuntu-18-04-cent-os-7\">Installing OSSEC agent on Ubuntu 18.04\/CentOS 7<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h3>\n\n\n\n<p>To install OSSEC agent on a Ubuntu 18.04\/CentOS 7 or any other Linux\/Unix system, ensure that you have the C compiler as well as the make utility installed;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-prerequisites-on-ubuntu\">Install Prerequisites on 
Ubuntu<\/h4>\n\n\n\n<p>Run the command below to install required build tools;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget tar -y<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-prerequisites-on-cent-os\">Install Prerequisites on CentOS<\/h4>\n\n\n\n<p>Run the command below to install required build tools;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install gcc make zlib-devel openssl-devel pcre2-devel wget tar -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"download-ossec-agent-tarball\">Download OSSEC Agent Tarball<\/h3>\n\n\n\n<p>OSSEC 3.7 is the latest stable release version as of this writing. Check the&nbsp;<a href=\"https:\/\/github.com\/ossec\/ossec-hids\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">releases page<\/a>&nbsp;for the latest releases.<\/p>\n\n\n\n<p>Replace the value of VER with the current release version of OSSEC agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=3.7.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/${VER}.tar.gz -P \/tmp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extract-ossec-source-code\">Extract OSSEC Source Code<\/h3>\n\n\n\n<p>Once the OSSEC source download is completed, extract it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf ${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-ossec-agent-on-ubuntu-18-04-cent-os-7\">Install OSSEC Agent on Ubuntu 18.04\/CentOS 7<\/h3>\n\n\n\n<p>Navigate to the Agent source directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids-${VER}\/<\/code><\/pre>\n\n\n\n<p>Launch the OSSEC agent installer;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<p>The installer will first prompt 
you to select the installation language, English by default,&nbsp; abbreviated as [en]. Press Enter to accept the default<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) <strong>[en]<\/strong>: ENTER<\/code><\/pre>\n\n\n\n<p>Again, press ENTER to continue.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-- Press ENTER to continue or Ctrl-C to abort. --<\/code><\/pre>\n\n\n\n<p>Specify the type of installation. In our case, we are installing ossec-hids&nbsp;<code>agent<\/code>, hence select agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? <strong>agent<\/strong>\n\n  - Agent(client) installation chosen.<\/code><\/pre>\n\n\n\n<p>Choose the installation path. We go with the default,&nbsp;<code>\/var\/ossec<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2- Setting up the installation environment.\n\n - Choose where to install the OSSEC HIDS [\/var\/ossec]: <strong>ENTER<\/strong>\n\n    - Installation will be made at  \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Enter the OSSEC-HIDs Server IP address or hostname. Replace the IP used here accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3- Configuring the OSSEC HIDS.\n\n  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <strong>192.168.56.11<\/strong>                  \n\n   - Adding Server IP 192.168.56.11\n<\/code><\/pre>\n\n\n\n<p>Enable system integrity check<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.2- Do you want to run the integrity check daemon? (y\/n) [y]: <strong>y<\/strong>\n\n   - Running syscheck (integrity check daemon).<\/code><\/pre>\n\n\n\n<p>Enable rootkit detection engine.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.3- Do you want to run the rootkit detection engine? 
(y\/n) [y]: <strong>y<\/strong>\n\n   - Running rootcheck (rootkit detection).<\/code><\/pre>\n\n\n\n<p>Disable active response. Otherwise, you can enable it if you have an understanding of the type and number of alerts you want.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.4 - Do you want to enable active response? (y\/n) [y]: <strong>n<\/strong>\n\n   - Active response disabled.<\/code><\/pre>\n\n\n\n<p>The agent installer then displays the log files that are read by default. You can add more later in the&nbsp;<code>ossec.conf<\/code>&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.5- Setting the configuration to analyze the following logs:\n    -- \/var\/log\/messages\n    -- \/var\/log\/secure\n    -- \/var\/log\/maillog\n...<\/code><\/pre>\n\n\n\n<p>Once you are done defining the default options, proceed to install OSSEC agent on Ubuntu 20.04 by pressing ENTER.<\/p>\n\n\n\n<p>Once the agent is installed, you will see an output similar to;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n - System is Debian (Ubuntu or derivative).\n - Init script modified to start OSSEC HIDS during boot.\n\n - Configuration finished properly.\n\n - To start OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control start\n\n - To stop OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control stop\n\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\n\n    Thanks for using the OSSEC HIDS.\n    If you have any question, suggestion or if you find any bug,\n    contact us at https:\/\/github.com\/ossec\/ossec-hids or using\n    our public maillist at  \n    https:\/\/groups.google.com\/forum\/#!forum\/ossec-list\n\n    More information can be found at http:\/\/www.ossec.net\n\n    ---  Press ENTER to finish (maybe more information below). 
---\n\n<\/code><\/pre>\n\n\n\n<p>Press ENTER to close the installer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-the-agent-to-the-server\">Connect the Agent to the Server<\/h3>\n\n\n\n<p>Now that the agent is installed, run the following command to add the server-agent connection key. You can extract the Key for the specific host from the server. Enter option<strong> I<\/strong>, <strong>paste the key<\/strong> and<strong> confirm adding the key<\/strong>. Then type <strong>Q<\/strong> and <strong>press enter<\/strong> to exit.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><em>\/var\/ossec\/bin\/manage_agents<\/em><\/code><\/pre>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/manage-agent.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"700\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/manage-agent.png\" alt=\"Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7\" class=\"wp-image-1685\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/manage-agent.png 1400w, https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/manage-agent-768x384.png 768w\" sizes=\"(max-width: 1400px) 100vw, 1400px\" \/><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"start-the-ossec-agent\">Start the OSSEC Agent<\/h3>\n\n\n\n<p>Now that the server-agent key is installed, run the command below to start the OSSEC agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><em>\/var\/ossec\/bin\/ossec-control start<\/em><\/code><\/pre>\n\n\n\n<p>You can verify that the agent is communicating with the server by checking the ossec agent logs as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><em>tail \/var\/ossec\/logs\/ossec.log<\/em><\/code><\/pre>\n\n\n\n<p>You should be able to see a line stating that the agent has connected to the server. 
If that is not the case, check for firewall issues.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/server-agent_connection.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1394\" height=\"347\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/server-agent_connection.png\" alt=\"Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7\" class=\"wp-image-1689\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/server-agent_connection.png 1394w, https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/12\/server-agent_connection-768x191.png 768w\" sizes=\"(max-width: 1394px) 100vw, 1394px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>That is all. You have successfully installed OSSEC agent on Ubuntu 18.04\/CentOS 7.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-agent-on-pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh Agent on pfSense<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-changes-to-critical-files-on-windows-systems-using-wazuh-and-elk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install and configure OSSEC agent on Ubuntu 18.04\/CentOS 7. 
OSSEC is an open source Intrusion<\/p>\n","protected":false},"author":1,"featured_media":16886,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72,273],"tags":[6803,6802,6801,118,117,6804],"class_list":["post-1673","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","category-ossec","tag-centos-7-ossec-hids-agent","tag-install-ossec-agent-on-centos-7","tag-install-ossec-agent-on-ubuntu-18-04","tag-ossec-agent","tag-ossec-hids","tag-ubuntu-ossec-hids-agent","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1673"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1673"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1673\/revisions"}],"predecessor-version":[{"id":21081,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1673\/revisions\/21081"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16886"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}