{"id":585,"date":"2018-09-03T04:11:17","date_gmt":"2018-09-03T01:11:17","guid":{"rendered":"http:\/\/kifarunix.com\/?p=585"},"modified":"2024-03-11T19:46:42","modified_gmt":"2024-03-11T16:46:42","slug":"how-to-install-and-configure-ossec-agent-on-linux-host","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-and-configure-ossec-agent-on-linux-host\/","title":{"rendered":"How to Install and Configure AlienVault HIDs Agent on a Linux Host"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1064\" height=\"594\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-hids-agent-linux.png\" alt=\"Install and Configure AlienVault HIDs Agent on a Linux Host\" class=\"wp-image-16605\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-hids-agent-linux.png?v=1684011689 1064w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-hids-agent-linux-768x429.png?v=1684011689 768w\" sizes=\"(max-width: 1064px) 100vw, 1064px\" \/><\/figure>\n\n\n\n<p>In this tutorial, we are going to learn how to install and configure AlienVault HIDS agent on a Linux host. <a href=\"https:\/\/cybersecurity.att.com\/products\/ossim\" target=\"_blank\" rel=\"noreferrer noopener\">AlienVault<\/a> uses OSSEC HIDS agents for Host Intrusion Detection. 
To monitor system activity on a host (file integrity monitoring, log collection, rootkit checks and process monitoring), an OSSEC agent must be installed on it; the agent collects this data and reports it back to the server over an encrypted channel, by default UDP port 1514.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#install-alien-vault-hi-ds-agent-on-a-linux-host\">Install AlienVault HIDs Agent on a Linux Host<\/a><ul><li><a href=\"#import-or-add-hosts-into-alien-vault-ossim\">Import or Add Hosts into AlienVault OSSIM<\/a><\/li><li><a href=\"#add-hids-agent-to-ossim-server\">Add HIDS Agent to OSSIM Server<\/a><\/li><li><a href=\"#install-ossec-hids-agent-on-a-linux-host\">Install OSSEC HIDS agent on a Linux Host<\/a><ul><li><a href=\"#install-required-packages\">Install Required Packages<\/a><\/li><li><a href=\"#download-ossec-hids-installer-archive\">Download OSSEC HIDS Installer Archive<\/a><\/li><li><a href=\"#extract-and-install-ossec-hids-agent-on-linux\">Extract and Install OSSEC HIDS agent on Linux<\/a><\/li><li><a href=\"#extract-agent-registration-key-from-ossim-server\">Extract Agent Registration Key from OSSIM Server<\/a><\/li><li><a href=\"#import-and-connect-hids-agent-into-ossim-server\">Import and Connect HIDS agent into OSSIM Server<\/a><\/li><li><a href=\"#start-hids-agent\">Start HIDS Agent<\/a><\/li><\/ul><\/li><li><a href=\"#restart-ossim-server-ossec-hids\">Restart OSSIM Server OSSEC HIDS<\/a><\/li><li><a href=\"#verify-agent-status-on-ossim-server\">Verify Agent Status on OSSIM Server<\/a><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-alien-vault-hi-ds-agent-on-a-linux-host\">Install AlienVault HIDs Agent on a Linux Host<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"import-or-add-hosts-into-alien-vault-ossim\">Import or Add Hosts into AlienVault 
OSSIM<\/h3>\n\n\n\n<p>Before you can monitor any host, you need to import the host into the AlienVault OSSIM server. Check the guide below to learn how to import assets using a CSV file.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-add-assets-to-alienvault-ossim-server-for-monitoring\/\" target=\"_blank\" rel=\"noreferrer noopener\">Import Assets to AlienVault USM\/OSSIM using a CSV file<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-hids-agent-to-ossim-server\">Add HIDS Agent to OSSIM Server<\/h3>\n\n\n\n<p>Once the host is imported, add a HIDS agent for each host on the OSSIM server as described below;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span class=\"ApplianceProduct\">Log in to the OSSIM server web dashboard and navigate to <strong><span class=\"UI\">Environment &gt; Detection<\/span><\/strong>.<\/span><\/li>\n\n\n\n<li><span class=\"ApplianceProduct\">Under Detection, navigate to <strong><span class=\"UI\">HIDS &gt; Agents &gt; Agent Control &gt; Add Agent<\/span><\/strong>.<\/span><\/li>\n\n\n\n<li><span class=\"ApplianceProduct\">When you click on ADD AGENTS, a <strong>NEW HIDS AGENT<\/strong> window opens up.<\/span><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"693\" height=\"580\" src=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/new-hids-agent-1.png\" alt=\"Install and Configure AlienVault HIDs Agent on a Linux Host\" class=\"wp-image-588\" title=\"\"><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><span class=\"ApplianceProduct\">Enter the hostname\/IP address of the host in the search bar or select it from the asset tree.<\/span><\/li>\n\n\n\n<li><span class=\"ApplianceProduct\">When you select a host, the Agent Name and IP address fields are populated automatically.<\/span><\/li>\n\n\n\n<li><span class=\"ApplianceProduct\">Click <strong>Save<\/strong> to save the agent 
information.<\/span><\/li>\n\n\n\n<li><span class=\"ApplianceProduct\">Once the agent is added, you can see the Agent Information. For instance, the agent we just added is the first one and has an ID of 001.<\/span><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1447\" height=\"559\" src=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/agent-info.png\" alt=\"\" class=\"wp-image-589\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/agent-info.png 1447w, https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/agent-info-768x297.png 768w\" sizes=\"(max-width: 1447px) 100vw, 1447px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-ossec-hids-agent-on-a-linux-host\">Install OSSEC HIDS agent on a Linux Host<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-required-packages\">Install Required Packages<\/h4>\n\n\n\n<p>On CentOS and similar derivatives, run the command below to install the build tools and development libraries the OSSEC HIDS agent needs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install gcc make libevent-devel zlib-devel openssl-devel pcre2-devel wget systemd-devel tar -y<\/code><\/pre>\n\n\n\n<p>On Ubuntu\/Debian systems;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget tar libsystemd-dev -y<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"download-ossec-hids-installer-archive\">Download OSSEC HIDS Installer Archive<\/h4>\n\n\n\n<p>Log in to your Linux host and download the OSSEC HIDS source archive (3.7.0 in this guide; check the <a href=\"https:\/\/github.com\/ossec\/ossec-hids\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">releases page<\/a> for the current version) as shown below; it is extracted in the next step. Pin the version you roll out and record the checksum of the archive you tested, rather than fetching whatever is newest on each host.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/3.7.0.tar.gz -P \/tmp\/<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"extract-and-install-ossec-hids-agent-on-linux\">Extract and Install OSSEC HIDS agent on Linux<\/h4>\n\n\n\n<p>Extract the OSSEC HIDS archive;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/tmp\/\ntar xzf 3.7.0.tar.gz<\/code><\/pre>\n\n\n\n<p>Once extracted, change into the extracted directory and run the installation script as root; it builds the agent, installs it under \/var\/ossec and sets it up to start at boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids-3.7.0\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<p>When the installation launches, you will be prompted for some input. In most cases, just press <strong>ENTER<\/strong> to accept the default values.<\/p>\n\n\n\n<p>The first prompt asks you to select the installation language, which defaults to English, abbreviated as [en]. Press ENTER to accept the default.<\/p>\n\n\n\n<p>The next prompt asks for the type of installation; in our case we are installing the ossec-hids <strong>agent<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? <strong>agent<\/strong><\/code><\/pre>\n\n\n\n<p>Once you have chosen the installation type, press ENTER to continue. At the next prompt, accept \/var\/ossec as the installation directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2- Setting up the installation environment.\n\n - Choose where to install the OSSEC HIDS &#91;\/var\/ossec]: <strong>ENTER<\/strong>\n\n    - Installation will be made at  \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Next, enter the IP address or hostname of the OSSIM server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3- Configuring the OSSEC HIDS.\n\n  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.43.101\n\n   - Adding Server IP 192.168.43.101<\/code><\/pre>\n\n\n\n<p>For the next prompts, press ENTER to accept the defaults. 
You may want to disable Active Response for now: it lets the server trigger response scripts on the agent (for example, firewall blocks of an offending address), which is best enabled only once the rules have been tuned;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n  3.2- Do you want to run the integrity check daemon? (y\/n) [y]: y\n\n   - Running syscheck (integrity check daemon).\n\n  3.3- Do you want to run the rootkit detection engine? (y\/n) [y]: y\n\n   - Running rootcheck (rootkit detection).\n\n  3.4 - Do you want to enable active response? (y\/n) [y]: n\n\n   - Active response disabled.\n\n  3.5- Setting the configuration to analyze the following logs:\n    -- \/var\/log\/messages\n    -- \/var\/log\/secure\n    -- \/var\/log\/maillog\n\n - If you want to monitor any other file, just change \n   the ossec.conf and add a new localfile entry.\n   Any questions about the configuration can be answered\n   by visiting us online at http:\/\/www.ossec.net .\n   \n   \n   --- Press ENTER to continue ---\n<\/code><\/pre>\n\n\n\n<p>If installation is successful, you should get this output:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n - System is Redhat Linux.\n - Init script modified to start OSSEC HIDS during boot.\n\n - Configuration finished properly.\n\n - To start OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control start\n\n - To stop OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control stop\n\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\n\n    Thanks for using the OSSEC HIDS.\n    If you have any question, suggestion or if you find any bug,\n    contact us at https:\/\/github.com\/ossec\/ossec-hids or using\n    our public maillist at  \n    https:\/\/groups.google.com\/forum\/#!forum\/ossec-list\n\n    More information can be found at http:\/\/www.ossec.net\n\n    ---  Press ENTER to finish (maybe more information below). ---\n    \n\n\n - You first need to add this agent to the server so they \n   can communicate with each other. 
When you have done so,\n   you can run the 'manage_agents' tool to import the \n   authentication key from the server.\n   \n   \/var\/ossec\/bin\/manage_agents\n\n   More information at: \n   http:\/\/www.ossec.net\/docs\/docs\/programs\/manage_agents.html\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"extract-agent-registration-key-from-ossim-server\">Extract Agent Registration Key from OSSIM Server<\/h4>\n\n\n\n<p>Once the agent is installed, you need to import the key that the server generated for this agent. The key is the shared secret with which the agent authenticates to the server, so copy it over a secure channel (for example within an SSH session) and keep it out of tickets, chat and shell history.<\/p>\n\n\n\n<p>Log in to the server web dashboard, navigate to <strong>Environment<\/strong> &gt; <strong>Detection<\/strong> &gt; <strong>HIDS<\/strong> &gt; <strong>Agents<\/strong>, click the key button of the specific agent to extract its key, and copy the key.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"import-and-connect-hids-agent-into-ossim-server\">Import and Connect HIDS agent into OSSIM Server<\/h4>\n\n\n\n<p>On the host, run the following command, choose option I, paste the key and confirm adding it. Then enter Q to exit. The key is the base64 encoding of the line that manage_agents writes to \/var\/ossec\/etc\/client.keys (agent ID, name, IP address and secret), which is why the tool can show you the agent information to check before you confirm.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager. 
*\n* The following options are available: *\n****************************************\n(I)mport key from the server (I).\n(Q)uit.\nChoose your action: I or Q:<strong> I<\/strong>\n\n* Provide the Key generated by the server.\n* The best approach is to cut and paste it.\n*** OBS: Do not include spaces or new lines.\n\nPaste it here (or '\\q' to quit): <strong>MDAxIGRyc2VydmVyIDE5Mi4xNjguNDMuMjM3IGM5MmVmZTBlMmY5ODMyNzc3ZjhmOGJhYTNhNzk4OGI1MzllZTIxYzMxMmYyZmNiNjZkYzA3ODU0NGI0M2MzOTI=<\/strong>\n\nAgent information:\nID:001\nName:drserver\nIP Address:192.168.43.237\n\nConfirm adding it?(y\/n): <strong>y<\/strong>\nAdded.\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"start-hids-agent\">Start HIDS Agent<\/h4>\n\n\n\n<p>Enable the OSSEC agent to start at boot, and start it now;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable ossec\nsystemctl start ossec<\/code><\/pre>\n\n\n\n<p>You can check that the agent is reaching out to the server by looking at the agent log as shown below. Note that the Connected line only means the UDP socket towards the server's port 1514 was set up (that port must be reachable through any firewall in between); if the server has not loaded this agent's key yet, the lines that follow are <code>Waiting for server reply (not started)<\/code> warnings, and the agent stays inactive until the server side is restarted.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/var\/ossec\/logs\/ossec.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\n2023\/05\/13 17:18:17 ossec-agentd: INFO: Started (pid: 3677).\n2023\/05\/13 17:18:17 ossec-agentd: INFO: Server 1: 192.168.43.101\n2023\/05\/13 17:18:17 ossec-agentd: INFO: Trying to connect to server 192.168.43.101, port 1514.\n<strong>2023\/05\/13 17:18:17 INFO: Connected to 192.168.43.101 at address 192.168.43.101, port 1514<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"restart-ossim-server-ossec-hids\">Restart OSSIM Server OSSEC HIDS<\/h3>\n\n\n\n<p>On the Server, restart OSSEC HIDS so that it loads the key of the newly added agent. 
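<\/p>\n\n\n\n<p>Before turning to the server, note that the agent-side steps above (answering the install.sh prompts, checking the key copied from OSSIM and importing it) can be scripted, which matters as soon as more than a handful of hosts are enrolled. The following shell script is an added example and is not part of the original post or of the OSSEC project. It pre-answers install.sh through the <code>etc\/preloaded-vars.conf<\/code> file that the installer reads from the source tree (variable names taken from the template shipped in the 3.7.0 archive; check them against your copy), and it decodes the base64 registration key to confirm that the agent ID, name and IP inside it are the ones expected for this host before writing it to <code>client.keys<\/code>, the file that the manage_agents import writes. The server address, agent name and paths are placeholders; the sample key is the one shown above.<\/p>

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project): script the
# agent-side steps above so they are repeatable across many hosts.
# Assumptions: an extracted ossec-hids 3.7.0 source tree, the variable names
# from the etc/preloaded-vars.conf template shipped in it, and the client.keys
# line format "<id> <name> <ip> <hex secret>" (what the OSSIM key decodes to).

# Registration key shown in the post above, used as sample input.
SAMPLE_KEY='MDAxIGRyc2VydmVyIDE5Mi4xNjguNDMuMjM3IGM5MmVmZTBlMmY5ODMyNzc3ZjhmOGJhYTNhNzk4OGI1MzllZTIxYzMxMmYyZmNiNjZkYzA3ODU0NGI0M2MzOTI='

# is_ipv4 ADDR: dotted-quad check so a typo never ends up in ossec.conf.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# write_preloaded_vars SERVER_IP SRCDIR: pre-answer the install.sh prompts with
# the choices made interactively above (agent, /var/ossec, syscheck and
# rootcheck on, active response off, no "Press ENTER" pauses).
write_preloaded_vars() {
    server=$1; srcdir=$2
    is_ipv4 "$server" || { echo "not an IPv4 address: $server" >&2; return 1; }
    mkdir -p "$srcdir/etc" || return 1
    cat > "$srcdir/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="n"
USER_AGENT_SERVER_IP="$server"
EOF
}

# unattended_install SERVER_IP SRCDIR: run as root from the extracted archive,
# then confirm the server address really landed in the agent configuration.
unattended_install() {
    write_preloaded_vars "$1" "$2" || return 1
    (cd "$2" && ./install.sh) || return 1
    grep -q "<server-ip>$1</server-ip>" /var/ossec/etc/ossec.conf
}

# decode_agent_key KEY: the OSSIM key is the client.keys line in base64.
decode_agent_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# verify_agent_key KEY NAME IP: print the decoded line only if it has the four
# expected fields and names this host (OSSIM may register an agent with IP
# "any", which is accepted). Catches a key copied from the wrong agent row.
verify_agent_key() {
    want_name=$2; want_ip=$3
    line=$(decode_agent_key "$1") || { echo "key is not valid base64" >&2; return 1; }
    set -- $line
    [ $# -eq 4 ] || { echo "key does not decode to 4 fields" >&2; return 1; }
    case $1 in [0-9][0-9][0-9]*) ;; *) echo "bad agent id: $1" >&2; return 1 ;; esac
    [ "$2" = "$want_name" ] || { echo "name mismatch: $2 vs $want_name" >&2; return 1; }
    [ "$3" = "$want_ip" ] || [ "$3" = any ] || { echo "ip mismatch: $3 vs $want_ip" >&2; return 1; }
    case $4 in ''|*[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1 ;; esac
    printf '%s\n' "$line"
}

# import_agent_key KEY NAME IP [KEYSFILE]: the manage_agents "I" option without
# the prompts. An agent holds a single key, so the file is replaced rather than
# appended to; writing in place keeps the ownership the installer gave it, and
# mode 640 keeps the shared secret away from other local users.
import_agent_key() {
    keysfile=${4:-/var/ossec/etc/client.keys}
    line=$(verify_agent_key "$1" "$2" "$3") || return 1
    printf '%s\n' "$line" > "$keysfile" && chmod 640 "$keysfile"
}
```

<p>The decode step is worth keeping even when everything else is done by hand: the key is the shared secret that authenticates this host to the server, so move it over an SSH session rather than through a ticket or chat, and confirm it names this host before importing it. A key copied from the wrong agent row imports without complaint, and the agent then never shows up as active. 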
<\/p>\n\n\n\n<p>Navigate to <strong>Environment<\/strong> &gt; <strong>Detection<\/strong> &gt; <strong>HIDS<\/strong> &gt; <strong>HIDS Control &gt; <span class=\"running\">HIDS service is UP<\/span> &gt; RESTART.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-agent-status-on-ossim-server\">Verify Agent Status on OSSIM Server<\/h3>\n\n\n\n<p>If you check the status of the agent under <strong>Environment<\/strong> &gt; <strong>Detection<\/strong> &gt; <strong>HIDS<\/strong> &gt; <strong>Agent<\/strong>, it should show as active, and it should now be sending logs to the OSSIM server.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1458\" height=\"526\" src=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/active-agent.png\" alt=\"\" class=\"wp-image-591\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/active-agent.png 1458w, https:\/\/kifarunix.com\/wp-content\/uploads\/2018\/09\/active-agent-768x277.png 768w\" sizes=\"(max-width: 1458px) 100vw, 1458px\" \/><\/figure>\n\n\n\n<p>If the agent does not become active, check the agent log at the path mentioned above to find out what the issue is. 
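<\/p>\n\n\n\n<p>Since the agent logs a Connected line as soon as its UDP socket is set up, the useful signal is what follows it. The following shell script is an added example, not part of the original post or of the OSSEC project: it reads the agent's state from the last relevant ossec-agentd line in ossec.log and prints what to check next, with exit status 0 only when the server actually replied. The Trying to connect and Connected to lines are the ones shown above; <code>Waiting for server reply (not started)<\/code> and <code>Unable to connect<\/code> are the ossec-agentd messages assumed for the two failure modes (check the wording against your own log), and the sample log lines are constructed for the offline run.<\/p>

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project): classify
# the agent's link state from /var/ossec/logs/ossec.log and say what to check
# next. "Trying to connect" and "Connected to" are the lines shown in the post;
# "Waiting for server reply (not started)" and "Unable to connect" are the
# ossec-agentd messages assumed for the two failure modes (check the wording
# against your own log).

# agent_link_state LOGFILE: prints connected, connecting, no_reply,
# unreachable or unknown. The last matching line wins, so a "Connected to"
# followed by "Waiting for server reply" is reported as no_reply, and a
# reconnect after an earlier failure is reported as connected.
agent_link_state() {
    awk '
        /Trying to connect to server/              { state = "connecting" }
        /Connected to .* port [0-9]+/              { state = "connected" }
        /Waiting for server reply \(not started\)/ { state = "no_reply" }
        /Unable to connect to/                     { state = "unreachable" }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# link_hint STATE: what to look at for each state; only connected is healthy.
link_hint() {
    case $1 in
        connected)   echo "server replied; the agent should show as Active on the OSSIM HIDS agents page" ;;
        no_reply)    echo "UDP socket is up but the server never answers: key not loaded there (restart HIDS on the server), key names a different host, or UDP 1514 dropped on the path" ;;
        unreachable) echo "server address unreachable: check <server-ip> in /var/ossec/etc/ossec.conf, DNS and routing" ;;
        connecting)  echo "still trying; wait a minute and re-run" ;;
        *)           echo "no ossec-agentd lines: is the agent running? (/var/ossec/bin/ossec-control status)" ;;
    esac
}

# check_agent [LOGFILE]: one-line verdict; exit status is 0 only when connected,
# so it can gate the next step of a deployment script.
check_agent() {
    log=${1:-/var/ossec/logs/ossec.log}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
    state=$(agent_link_state "$log")
    echo "$state: $(link_hint "$state")"
    [ "$state" = connected ]
}

# write_sample_log MODE FILE: constructed sample logs for trying this offline.
# "ok" is the sequence shown in the post; "no_reply" adds the warning that
# follows when the server never answers.
write_sample_log() {
    {
        echo '2023/05/13 17:18:17 ossec-agentd: INFO: Started (pid: 3677).'
        echo '2023/05/13 17:18:17 ossec-agentd: INFO: Server 1: 192.168.43.101'
        echo '2023/05/13 17:18:17 ossec-agentd: INFO: Trying to connect to server 192.168.43.101, port 1514.'
        echo '2023/05/13 17:18:17 INFO: Connected to 192.168.43.101 at address 192.168.43.101, port 1514'
        if [ "$1" = no_reply ]; then
            echo "2023/05/13 17:19:20 ossec-agentd: WARN: Waiting for server reply (not started). Tried: '192.168.43.101'."
        fi
    } > "$2"
}
```

<p>On the host, <code>check_agent<\/code> with no argument reads the live log; the sample writer is only there so the classifier can be exercised without an OSSIM server. When the verdict is no_reply right after adding an agent, the usual cause is simply that HIDS on the OSSIM server has not been restarted yet. 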
<\/p>\n\n\n\n<p>You can also check the HIDS logs on the server under <strong>Environment<\/strong> &gt; <strong>Detection<\/strong> &gt; <strong>HIDS<\/strong> &gt; <strong>HIDS Control<\/strong> &gt; <strong>HIDS LOG<\/strong>.<\/p>\n\n\n\n<p>You have now successfully installed and set up the OSSEC HIDS agent on a Linux host and should be able to monitor the host.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-alienvault-hids-agent-on-a-windows-host\/\" target=\"_blank\" rel=\"noopener\">Install and Configure AlienVault HIDs Agent on Windows System Host<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7\/\" target=\"_blank\" rel=\"noopener\">How to install OSSEC agent on Ubuntu 18.04\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we are going to learn how to install and configure AlienVault HIDS agent on a Linux host. 
AlienVault uses OSSEC HIDS agents<\/p>\n","protected":false},"author":1,"featured_media":16605,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,103,121,72,42],"tags":[104,119,6676,6674,118,6675,117],"class_list":["post-585","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-alienvault","category-howtos","category-monitoring","category-siem","tag-alienvault","tag-alienvault-hids","tag-alienvault-hids-agent","tag-install-and-configure-alienvault-hids-agent-on-a-linux-host","tag-ossec-agent","tag-ossec-agent-linux-install","tag-ossec-hids","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/585"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=585"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/585\/revisions"}],"predecessor-version":[{"id":21001,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/585\/revisions\/21001"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16605"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}