{"id":2081,"date":"2019-01-24T23:38:35","date_gmt":"2019-01-24T20:38:35","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2081"},"modified":"2024-03-11T22:01:29","modified_gmt":"2024-03-11T19:01:29","slug":"how-to-install-ossec-agent-on-mac-os-x","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-mac-os-x\/","title":{"rendered":"How to Install OSSEC Agent on Mac OS"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install the OSSEC agent on Mac OS X.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-ossec-agent-on-mac-os-x\">Installing OSSEC Agent on Mac OS X<\/a><ul><li><a href=\"#check-if-gcc-compile-is-available\">Check if GCC Compiler is Available<\/a><\/li><li><a href=\"#download-ossec-agent-tarball\">Download OSSEC Agent Tarball<\/a><\/li><li><a href=\"#extract-ossec-agent-tarball\">Extract OSSEC Agent Tarball<\/a><\/li><li><a href=\"#install-ossec-agent-on-mac-os\">Install OSSEC Agent on Mac OS<\/a><\/li><li><a href=\"#connect-ossec-agent-to-ossec-server\">Connect OSSEC Agent to OSSEC Server<\/a><\/li><li><a href=\"#start-ossec-agent-on-mac-os\">Start OSSEC Agent on Mac OS<\/a><\/li><li><a href=\"#configure-ossec-agent-to-run-on-system-boot\">Configure OSSEC Agent to Run on System Boot<\/a><\/li><\/ul><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-ossec-agent-on-mac-os-x\">Installing OSSEC Agent on Mac OS X<\/h2>\n\n\n\n<p>As usual, we are going to install the OSSEC agent on Mac OS X from the source code. 
As a result, ensure that you have a C compiler (gcc) installed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"check-if-gcc-compile-is-available\">Check if GCC Compiler is Available<\/h3>\n\n\n\n<p>To verify that the GNU Compiler Collection is installed, run the command below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>which gcc<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/bin\/gcc<\/code><\/pre>\n\n\n\n<p>If, however, you are prompted to install the developer tools during OSSEC agent installation, install them and then proceed with the installation.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"462\" height=\"191\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/01\/install-developer-tools.png\" alt=\"install OSSEC agent on Mac OS\" class=\"wp-image-3067\" title=\"\"><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"download-ossec-agent-tarball\">Download OSSEC Agent Tarball<\/h3>\n\n\n\n<p>Next, download the OSSEC agent for Unix from the <a href=\"https:\/\/www.ossec.net\/download-ossec\/\" target=\"_blank\" rel=\"noreferrer noopener\">downloads page<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/3.7.0.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extract-ossec-agent-tarball\">Extract OSSEC Agent Tarball<\/h3>\n\n\n\n<p>Once the download completes, extract the source archive.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf 3.7.0.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-ossec-agent-on-mac-os\">Install OSSEC Agent on Mac OS<\/h3>\n\n\n\n<p>Navigate to the extracted source directory and run the OSSEC install script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids-3.7.0\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<p>When the install script runs, you 
will be prompted to choose the installation language. In this case, English is chosen.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]: \nen<\/code><\/pre>\n\n\n\n<p>Press Enter again to proceed with the installation. Choose <code>agent<\/code> as the type of installation.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? \nagent\n\n- Agent(client) installation chosen.<\/code><\/pre>\n\n\n\n<p>Select <code>\/var\/ossec<\/code> as the installation directory for OSSEC.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2- Setting up the installation environment.\n\n- Choose where to install the OSSEC HIDS [\/var\/ossec]:\n\n- Installation will be made at \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Set the IP address of the OSSEC server. This can be the OSSEC server itself or AlienVault.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3- Configuring the OSSEC HIDS.\n\n3.1- What's the IP Address or hostname of the OSSEC HIDS server?:\n192.168.43.22\n\n- Adding Server IP 192.168.43.22<\/code><\/pre>\n\n\n\n<p>Enable the system integrity check.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3.2- Do you want to run the integrity check daemon? (y\/n) [y]:\ny\n\n- Running syscheck (integrity check daemon).<\/code><\/pre>\n\n\n\n<p>Enable rootkit detection.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3.3- Do you want to run the rootkit detection engine? (y\/n) [y]:\ny\n\n- Running rootcheck (rootkit detection).<\/code><\/pre>\n\n\n\n<p>Disable active response.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3.4 - Do you want to enable active response? 
(y\/n) [y]:\nn\n\n- Active response disabled.<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3.5- Setting the configuration to analyze the following logs:\n-- \/var\/log\/system.log\n\n- If you want to monitor any other file, just change\nthe ossec.conf and add a new localfile entry.\nAny questions about the configuration can be answered\nby visiting us online at http:\/\/www.ossec.net .\n\n--- Press ENTER to continue ---<\/code><\/pre>\n\n\n\n<p>If the installation is successful, you should see output stating that the configuration finished properly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n- Configuration finished properly.\n\n- To start OSSEC HIDS:\n\/var\/ossec\/bin\/ossec-control start\n\n- To stop OSSEC HIDS:\n\/var\/ossec\/bin\/ossec-control stop\n\n- The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\nThanks for using the OSSEC HIDS.\nIf you have any question, suggestion or if you find any bug,\ncontact us at contact@ossec.net or using our public maillist at\nossec-list@ossec.net\n( http:\/\/www.ossec.net\/main\/support\/ ).\n\nMore information can be found at http:\/\/www.ossec.net\n\n--- Press ENTER to finish (maybe more information below). ---\n\n- You first need to add this agent to the server so they\ncan communicate with each other. When you have done so,\nyou can run the 'manage_agents' tool to import the\nauthentication key from the server.\n\n\/var\/ossec\/bin\/manage_agents\n\nMore information at:\nhttp:\/\/www.ossec.net\/en\/manual.html#ma\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-ossec-agent-to-ossec-server\">Connect OSSEC Agent to OSSEC Server<\/h3>\n\n\n\n<p>Once the installation is done, add the agent to the server to ensure that they can communicate. After that, extract the agent-server key and import it. 
Run the command below to install the key on the agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>Press I to import the key. Paste the key and press Enter to add it.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager. *\n* The following options are available: *\n****************************************\n(I)mport key from the server (I).\n(Q)uit.\nChoose your action: I or Q: <strong>I<\/strong>\n\n* Provide the Key generated by the server.\n* The best approach is to cut and paste it.\n*** OBS: Do not include spaces or new lines.\n\nPaste it here (or '\\q' to quit): <strong>OTYgbHVhbmRtaSAxOTIuMTY4LjM1LjEwOCA2NzA4N2ZmNjhiZDhjZGQ3NjgwMjlhODA0ZmNjMzQyOTUyODE0YTM1NTdhNjRkOWIxNGFhNDljYTJhOTJhNzhh<\/strong>\n<\/code><\/pre>\n\n\n\n<p>If all is well, you should be able to see the details of the agent as they appear on the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Agent information:\nID:96\nName:macosx\nIP Address:192.168.43.108<\/code><\/pre>\n\n\n\n<p>Type y and press Enter to confirm adding the key.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nConfirm adding it?(y\/n): y\nAdded.\n** Press ENTER to return to the main menu.\n\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager. 
*\n* The following options are available: *\n****************************************\n(I)mport key from the server (I).\n(Q)uit.\nChoose your action: I or Q: q\n\n** You must restart OSSEC for your changes to take effect.\n\nmanage_agents: Exiting.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"start-ossec-agent-on-mac-os\">Start OSSEC Agent on Mac OS<\/h3>\n\n\n\n<p>Next, start the OSSEC agent service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control start<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Starting OSSEC HIDS v3.7.0...\nStarted ossec-execd...\n2023\/05\/30 17:00:57 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800\nStarted ossec-agentd...\nStarted ossec-logcollector...\nStarted ossec-syscheckd...\nCompleted.<\/code><\/pre>\n\n\n\n<p>To verify that the agent has started and connected to the server, tail the OSSEC agent logs. You should be able to see a line stating that the agent is connected to the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail \/var\/ossec\/logs\/ossec.log | grep -i connected<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2023\/05\/23 17:06:58 INFO: Connected to 192.168.43.22 at address 192.168.43.22, port 1514\n2023\/05\/23 17:23:54 INFO: Connected to 192.168.43.22 at address 192.168.43.22, port 1514<\/code><\/pre>\n\n\n\n<p>That is all.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-ossec-agent-to-run-on-system-boot\">Configure OSSEC Agent to Run on System Boot<\/h3>\n\n\n\n<p>Now, to ensure that the service starts again after a system reboot, create a startup service as shown below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/Library\/LaunchDaemons\/autostartossec.plist<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?>\n&lt;!DOCTYPE plist PUBLIC \"-\/\/Apple\/\/DTD PLIST 1.0\/\/EN\" 
\"http:\/\/www.apple.com\/DTDs\/PropertyList-1.0.dtd\">\n&lt;plist version=\"1.0\">\n&lt;dict>\n&lt;key>Label&lt;\/key>\n&lt;string>autostartossec&lt;\/string>\n&lt;key>ProgramArguments&lt;\/key>\n&lt;array>\n&lt;string><strong>\/Users\/kifarunix\/myscripts\/autostartossec.sh<\/strong>&lt;\/string>\n&lt;\/array>\n&lt;key>RunAtLoad&lt;\/key>\n&lt;true\/>\n&lt;key>StandardErrorPath&lt;\/key>\n&lt;string>\/var\/ossec\/logs\/ossec.err&lt;\/string>\n&lt;key>StandardOutPath&lt;\/key>\n&lt;string>\/var\/ossec\/logs\/ossec.out&lt;\/string>\n&lt;\/dict>\n&lt;\/plist>\n<\/code><\/pre>\n\n\n\n<p>The launch daemon is created. Next, create the service startup script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/Users\/kifarunix\/myscripts\/autostartossec.sh<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>#!\/bin\/sh\n\/var\/ossec\/bin\/ossec-control start<\/code><\/pre>\n\n\n\n<p>Make the script executable. Because launchd runs daemons from \/Library\/LaunchDaemons as root, make sure that only trusted administrators can modify this script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod u+x \/Users\/kifarunix\/myscripts\/autostartossec.sh<\/code><\/pre>\n\n\n\n<p>To test if this works, reboot the system and check the status of the OSSEC agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control status<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ossec-logcollector is running...\nossec-syscheckd is running...\nossec-agentd is running...\nossec-execd not running...<\/code><\/pre>\n\n\n\n<p>The service should now be running. Great and congratulations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h2>\n\n\n\n<p> We have covered similar setups in our other guides. 
You can check them by following the links below;<\/p>\n\n\n\n<p><a title=\"How to Install OSSEC Agent on Solaris 11.4\" href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-solaris-11-4\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">How to Install OSSEC Agent on Solaris 11.4<\/a><\/p>\n\n\n\n<p><a title=\"How to Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7\" href=\"https:\/\/kifarunix.com\/how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">How to Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7<\/a><\/p>\n\n\n\n<p><a title=\"How to Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7\" href=\"https:\/\/kifarunix.com\/how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">How to Install and Setup AlienVault HIDS Agent on a Windows Host<\/a><\/p>\n\n\n\n<p><a title=\"How to Install and Configure AlienVault HIDs Agent on a Linux Host\" href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-ossec-agent-on-linux-host\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">How to Install and Configure AlienVault HIDs Agent on a Linux Host<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install OSSEC agent on Mac OS X. 
Installing OSSEC Agent on Mac OS X Well<\/p>\n","protected":false},"author":1,"featured_media":16886,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,72,273],"tags":[6806,6805,6807,117,308],"class_list":["post-2081","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-monitoring","category-ossec","tag-mac-os-ossec-agent","tag-ossec-agent-installation-on-linux","tag-ossec-agent-mac-os","tag-ossec-hids","tag-security","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2081"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2081"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2081\/revisions"}],"predecessor-version":[{"id":21090,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2081\/revisions\/21090"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16886"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}