{"id":3750,"date":"2019-07-23T22:58:28","date_gmt":"2019-07-23T19:58:28","guid":{"rendered":"https:\/\/kifarunix.com\/?p=3750"},"modified":"2024-03-12T07:32:18","modified_gmt":"2024-03-12T04:32:18","slug":"install-ossec-agent-on-debian-10-buster","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-ossec-agent-on-debian-10-buster\/","title":{"rendered":"Install OSSEC Agent on Debian 10 Buster"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to install <a rel=\"noreferrer noopener\" aria-label=\"OSSEC (opens in a new tab)\" href=\"https:\/\/www.ossec.net\/docs\/\" target=\"_blank\">OSSEC<\/a> Agent on Debian 10 Buster. OSSEC is an open source host intrusion detection system (HIDS) that performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.<\/p>\n\n\n\n<p>OSSEC is built on a server-agent model: to monitor systems with OSSEC you need an OSSEC server (the manager) and an agent installed on each host you want to monitor. 
Agentless monitoring, in which nothing is installed on the monitored endpoint, is also possible, but this guide covers the agent.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-ossec-agent-on-debian-10-buster\">Installing OSSEC Agent on Debian 10 Buster<\/a><ul><li><a href=\"#install-required-dependencies\">Install Required Dependencies<\/a><\/li><li><a href=\"#download-latest-ossec-source-code\">Download Latest OSSEC Source Code<\/a><\/li><li><a href=\"#extract-ossec-source-code\">Extract OSSEC Source Code<\/a><\/li><li><a href=\"#install-ossec-hids-agent-on-debian-10\">Install OSSEC HIDS Agent on Debian 10<\/a><\/li><li><a href=\"#connect-the-ossec-agent-to-ossec-server\">Connect the OSSEC Agent to OSSEC Server<\/a><\/li><li><a href=\"#running-ossec-agent\">Running OSSEC Agent<\/a><\/li><li><a href=\"#related-guides\">Related Guides;<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-ossec-agent-on-debian-10-buster\">Installing OSSEC Agent on Debian 10 Buster<\/h2>\n\n\n\n<p>To begin with, update the package index. All commands in this guide are run as root.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-required-dependencies\">Install Required Dependencies<\/h3>\n\n\n\n<p>Building and installing the OSSEC HIDS agent from source on Debian 10 requires a compiler and a number of development libraries. Run the command below to install them.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget tar inotify-tools -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"download-latest-ossec-source-code\">Download Latest OSSEC Source Code<\/h3>\n\n\n\n<p>OSSEC 3.7 is the latest stable release version as of this writing. 
Check the&nbsp;<a href=\"https:\/\/github.com\/ossec\/ossec-hids\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">releases page<\/a>&nbsp;for the latest releases.<\/p>\n\n\n\n<p>Replace the value of VER with the current release version of the OSSEC agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=3.7.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/${VER}.tar.gz -P \/tmp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extract-ossec-source-code\">Extract OSSEC Source Code<\/h3>\n\n\n\n<p>Once the download completes, extract the source as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf ${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-ossec-hids-agent-on-debian-10\">Install OSSEC HIDS Agent on Debian 10<\/h3>\n\n\n\n<p>To install the OSSEC agent, navigate to the source code directory and run the installation script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids-${VER}\/<\/code><\/pre>\n\n\n\n<p>Execute the installation script;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<p>Select your installation language. In this case we keep the default, English.<\/p>\n\n\n\n<p>Press ENTER to accept the default, or type one of the language codes from the list.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]: <strong>ENTER<\/strong><\/code><\/pre>\n\n\n\n<p>Again, press ENTER to continue.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-- Press ENTER to continue or Ctrl-C to abort. --<\/code><\/pre>\n\n\n\n<p>Specify the type of installation. 
In our case we are installing the ossec-hids&nbsp;<code>agent<\/code>, so enter agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? <strong>agent<\/strong>\n\n  - Agent(client) installation chosen.<\/code><\/pre>\n\n\n\n<p>Choose the installation path. We go with the default,&nbsp;<code>\/var\/ossec<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2- Setting up the installation environment.\n\n - Choose where to install the OSSEC HIDS [\/var\/ossec]: <strong>ENTER<\/strong>\n\n    - Installation will be made at  \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Enter the IP address or hostname of the OSSEC HIDS server. Replace the IP used here with that of your own server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3- Configuring the OSSEC HIDS.\n\n  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <strong>192.168.56.11<\/strong>\n\n   - Adding Server IP 192.168.56.11\n<\/code><\/pre>\n\n\n\n<p>Enable the file integrity check daemon (syscheck).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.2- Do you want to run the integrity check daemon? (y\/n) [y]: <strong>y<\/strong>\n\n   - Running syscheck (integrity check daemon).<\/code><\/pre>\n\n\n\n<p>Enable the rootkit detection engine (rootcheck).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.3- Do you want to run the rootkit detection engine? (y\/n) [y]: <strong>y<\/strong>\n\n   - Running rootcheck (rootkit detection).<\/code><\/pre>\n\n\n\n<p>We disable active response here. Enable it only once you understand which alerts should trigger it: active response runs scripts (for example firewall blocks) automatically in reaction to alerts, and a mis-tuned rule can lock legitimate users out.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.4 - Do you want to enable active response? (y\/n) [y]: <strong>n<\/strong>\n\n   - Active response disabled.<\/code><\/pre>\n\n\n\n<p>The agent installer then displays the log files that will be read by default. 
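<\/p>\n\n\n\n<p>All of the answers given above can also be supplied non-interactively: <code>install.sh<\/code> reads <code>etc\/preloaded-vars.conf<\/code> from the source tree and skips every prompt that file answers. The script below is an added example written for this guide, not code from the OSSEC project or from the original page. It writes that file with the choices made above, runs the installer, imports the agent key using the same keystrokes as the manage_agents session in the next section, decodes the key first to check that the IP address it carries belongs to this host, and finally checks the agent log for the connection message. Assumptions not taken from the page: the source tree is extracted under <code>\/tmp\/ossec-hids-3.7.0<\/code>, the server address and the key exported on the server are passed in as the <code>OSSEC_SERVER<\/code> and <code>AGENT_KEY<\/code> environment variables, the key is base64 of <code>ID NAME IP SECRET<\/code> as manage_agents exports it, and ossec-agentd logs <code>Connected to the server<\/code> on success. Nothing is installed unless <code>OSSEC_RUN_INSTALL=1<\/code> is set, so the helper functions can be sourced and tried on their own.<\/p>\n\n\n\n
```shell
#!/bin/sh
# Added example for this guide; not OSSEC project code. Unattended OSSEC agent
# install on Debian 10 via etc/preloaded-vars.conf, key import through
# manage_agents, and a connection check against ossec.log.
# Assumptions (not from the original page): SRC_DIR holds the extracted 3.7.0
# source tree; OSSEC_SERVER and AGENT_KEY are supplied by the caller.
set -eu

OSSEC_SERVER="${OSSEC_SERVER:-192.168.56.11}"
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
SRC_DIR="${SRC_DIR:-/tmp/ossec-hids-3.7.0}"

# Answers for the installer prompts walked through above: English, agent
# install, default directory, server address, syscheck and rootcheck on,
# active response off, and no "press ENTER" pauses. The variable names are
# the ones install.sh reads from etc/preloaded-vars.conf.
gen_preloaded_vars() {
    # $1 = server IP or hostname, $2 = install directory
    cat <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="$2"
USER_AGENT_SERVER_IP="$1"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="n"
EOF
}

# A key exported by manage_agents is base64("ID NAME IP SECRET"). Decode it so
# the fields can be checked before import. Spaces and newlines from a sloppy
# paste are dropped; anything that is not base64 is rejected (exit 1).
decode_agent_key() {
    k=$(printf '%s' "$1" | tr -d ' \n')
    case "$k" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    printf '%s' "$k" | base64 -d 2>/dev/null
}

key_agent_id()   { decode_agent_key "$1" | awk '{print $1}'; }
key_agent_name() { decode_agent_key "$1" | awk '{print $2}'; }
key_agent_ip()   { decode_agent_key "$1" | awk '{print $3}'; }

# The server matches the agent's source address against the IP in the key
# (unless it was registered as "any") and rejects a mismatch, so refuse a key
# whose IP is not one of this host's addresses.
key_ip_matches_host() {
    # $1 = key, $2 = newline-separated list of this host's IPv4 addresses
    kip=$(key_agent_ip "$1")
    [ "$kip" = "any" ] && return 0
    printf '%s\n' "$2" | grep -qxF "$kip"
}

# True when ossec.log records a successful connection to the server.
agent_connected() {
    # $1 = path to ossec.log
    grep -q 'Connected to the server' "$1"
}

install_agent() {
    gen_preloaded_vars "$OSSEC_SERVER" "$OSSEC_DIR" > "$SRC_DIR/etc/preloaded-vars.conf"
    (cd "$SRC_DIR" && ./install.sh)
}

# Same keystrokes as the interactive session: I, the key, y to confirm,
# ENTER back to the menu, Q to quit.
import_key() {
    printf 'I\n%s\ny\n\nQ\n' "$1" | "$OSSEC_DIR/bin/manage_agents"
}

if [ "${OSSEC_RUN_INSTALL:-0}" = "1" ]; then
    AGENT_KEY="${AGENT_KEY:?set AGENT_KEY to the key exported on the server}"
    host_ips=$(ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1)
    if ! key_ip_matches_host "$AGENT_KEY" "$host_ips"; then
        echo "key is for IP '$(key_agent_ip "$AGENT_KEY")', not an address of this host" >&2
        exit 1
    fi
    install_agent
    import_key "$AGENT_KEY"
    "$OSSEC_DIR/bin/ossec-control" restart
    sleep 10   # give ossec-agentd a moment to reach the server
    if agent_connected "$OSSEC_DIR/logs/ossec.log"; then
        echo "agent $(key_agent_id "$AGENT_KEY") ($(key_agent_name "$AGENT_KEY")) connected to $OSSEC_SERVER"
    else
        echo "not connected yet: check UDP 1514 to $OSSEC_SERVER and $OSSEC_DIR/logs/ossec.log" >&2
        exit 1
    fi
fi
```
\n\n\n\n<p>Run it as root on the agent host, for example <code>OSSEC_RUN_INSTALL=1 OSSEC_SERVER=192.168.56.11 AGENT_KEY=... sh install-ossec-agent.sh<\/code>. Keeping the key check separate from the import is deliberate: manage_agents shows the decoded ID, name and IP before asking for confirmation, and a key whose IP does not match what the server sees for the agent is a common reason an agent installs cleanly and never connects.<\/p>\n\n\n\n<p>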
You can add more later in the&nbsp;<code>ossec.conf<\/code>&nbsp;file. Note that the installer only lists log files that actually exist on the host, so on Debian you will typically see paths such as&nbsp;<code>\/var\/log\/auth.log<\/code>&nbsp;and&nbsp;<code>\/var\/log\/syslog<\/code>&nbsp;rather than the Red Hat style names in the sample output below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.5- Setting the configuration to analyze the following logs:\n    -- \/var\/log\/messages\n    -- \/var\/log\/secure\n    -- \/var\/log\/maillog\n...<\/code><\/pre>\n\n\n\n<p>Once you are done with the configuration options, press ENTER to build and install the OSSEC agent on Debian 10.<\/p>\n\n\n\n<p>Once the agent is installed, you will see output similar to;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n - System is Debian (Ubuntu or derivative).\n - Init script modified to start OSSEC HIDS during boot.\n\n - Configuration finished properly.\n\n - To start OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control start\n\n - To stop OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control stop\n\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\n\n    Thanks for using the OSSEC HIDS.\n    If you have any question, suggestion or if you find any bug,\n    contact us at https:\/\/github.com\/ossec\/ossec-hids or using\n    our public maillist at  \n    https:\/\/groups.google.com\/forum\/#!forum\/ossec-list\n\n    More information can be found at http:\/\/www.ossec.net\n\n    ---  Press ENTER to finish (maybe more information below). 
---\n\n<\/code><\/pre>\n\n\n\n<p>Press ENTER to close the installer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-the-ossec-agent-to-ossec-server\">Connect the OSSEC Agent to OSSEC Server<\/h3>\n\n\n\n<p>For the agent to communicate with the server;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You first need to add the agent on the HIDS server (in our case we used AlienVault OSSIM).<\/li>\n\n\n\n<li>Then extract the agent's authentication key on the server.<\/li>\n<\/ul>\n\n\n\n<p>Once you have the key, import it on the agent by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>Enter option<strong>&nbsp;I<\/strong>,&nbsp;<strong>paste the key<\/strong>&nbsp;(as a single line, without spaces) and<strong>&nbsp;confirm adding the key<\/strong>. Check the agent ID, name and IP address that manage_agents decodes from the key before confirming: unless the agent was registered with IP any, the IP must be the address the server sees for this agent, otherwise the server will reject its messages. Then type&nbsp;<strong>Q<\/strong>&nbsp;and&nbsp;<strong>press enter<\/strong>&nbsp;to exit.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager.     *\n* The following options are available: *\n****************************************\n   (I)mport key from the server (I).\n   (Q)uit.\n<strong>Choose your action: I or Q: I\n<\/strong>\n* Provide the Key generated by the server.\n* The best approach is to cut and paste it.\n*** OBS: Do not include spaces or new lines.\n\n<strong>Paste it here (or '\\q' to quit): NSttstGSTsgspsgsjshsYmV5a2ktb3Blbnzk999383nndZwbiAxMC43LjMuNTggMWQyNzBjZTZlNzI2OGI2MWUzOWQ4NTg4YjgwM2ZjNDhhZWY2OTQxZTU2OWE2M2U3MjQ1N2Y1w==<\/strong>\n\nAgent information:\n   ID:10\n   Name:koromicha\n   IP Address:192.168.43.17\n\n<strong>Confirm adding it?(y\/n): y<\/strong>\n2023\/05\/30 18:05:57 manage_agents: ERROR: Cannot unlink \/queue\/rids\/sender: No such file or directory\nAdded.\n** Press ENTER to return to the main menu.\n\n\n\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager.     
*\n* The following options are available: *\n****************************************\n   (I)mport key from the server (I).\n   (Q)uit.\n<strong>Choose your action: I or Q: q<\/strong>\n\n** You must restart OSSEC for your changes to take effect.\n\nmanage_agents: Exiting.\n<\/code><\/pre>\n\n\n\n<p>The <code>Cannot unlink \/queue\/rids\/sender<\/code> error in the output above is harmless on a freshly installed agent: manage_agents removes the message counter file left behind by any previous registration, and on a new agent that file does not exist yet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-ossec-agent\">Running OSSEC Agent<\/h3>\n\n\n\n<p>As shown at the end of the installation, the agent is controlled with <code>ossec-control<\/code>. It must be started (or restarted) after the key has been imported.<\/p>\n\n\n\n<p>To start the agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control start<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start ossec<\/code><\/pre>\n\n\n\n<p>To stop the agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control stop<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop ossec<\/code><\/pre>\n\n\n\n<p>The other ossec-control actions are;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control {start|stop|reload|restart|status}<\/code><\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control status<\/code><\/pre>\n\n\n\n<p>Check the logs to confirm that the agent has connected to the server; a successful connection is logged by ossec-agentd as <code>Connected to the server<\/code>. If that line does not appear, verify that the server is reachable on UDP port 1514 (the default agent port) and that the IP address embedded in the imported key matches the address the server sees for this agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/ossec\/logs\/ossec.log<\/code><\/pre>\n\n\n\n<p>You have successfully installed the OSSEC agent on Debian 10 Buster.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-guides\">Related Guides;<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-alienvault-ossim-5-5-on-virtualbox\/\" target=\"_blank\">How to install and configure AlienVault OSSIM 5.5 on VirtualBox<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" 
href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-alienvault-hids-agent-on-a-windows-host\/\" target=\"_blank\">How to Install and Setup AlienVault HIDS Agent on a Windows Host<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/nagios-snmp-monitoring-of-linux-hosts-on-alienvault-usm-ossim\/\" target=\"_blank\">Nagios SNMP Monitoring of Linux Hosts on AlienVault USM\/OSSIM<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-mac-os-x\/\">How to Install OSSEC Agent on Mac OS<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-solaris-11-4\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">How to Install OSSEC Agent on Solaris 11.4<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to install OSSEC Agent on Debian 10 Buster. OSSEC is an open source host intrusion detection<\/p>\n","protected":false},"author":1,"featured_media":16886,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72,273],"tags":[1039,6808,275,118,117,6809],"class_list":["post-3750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","category-ossec","tag-debian-10-buster","tag-install-ossec-agent-on-debian-10-buster","tag-ossec","tag-ossec-agent","tag-ossec-hids","tag-ossec-hids-debian","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3750"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\
/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=3750"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3750\/revisions"}],"predecessor-version":[{"id":21170,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3750\/revisions\/21170"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16886"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=3750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=3750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=3750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}