{"id":6227,"date":"2020-06-22T20:31:45","date_gmt":"2020-06-22T17:31:45","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6227"},"modified":"2024-03-14T21:13:31","modified_gmt":"2024-03-14T18:13:31","slug":"install-ossec-hids-agent-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-ossec-hids-agent-on-ubuntu-20-04\/","title":{"rendered":"Install OSSEC HIDS Agent on Ubuntu 20.04"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1055\" height=\"589\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-ossec-agent-linux.png\" alt=\"Install OSSEC HIDS Agent on Ubuntu\" class=\"wp-image-16885\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-ossec-agent-linux.png?v=1685474390 1055w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/05\/install-ossec-agent-linux-768x429.png?v=1685474390 768w\" sizes=\"(max-width: 1055px) 100vw, 1055px\" \/><\/figure>\n\n\n\n<p>This tutorial will guide you on how to install OSSEC HIDS agent on Ubuntu 20.04 system from the source tarball. <a href=\"https:\/\/www.ossec.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">OSSEC<\/a>&nbsp;is an Open Source Host based Intrusion Detection System that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. 
It runs across multiple platforms including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-ossec-hids-agent-on-ubuntu-20-04\">Installing OSSEC HIDS Agent on Ubuntu 20.04<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#install-required-dependencies\">Install Required Dependencies<\/a><\/li><li><a href=\"#download-latest-ossec-source-code\">Download Latest OSSEC Source Code<\/a><\/li><li><a href=\"#extract-ossec-source-code\">Extract OSSEC Source Code<\/a><\/li><li><a href=\"#installing-ossec-hids-agent\">Installing OSSEC HIDS Agent<\/a><\/li><li><a href=\"#connect-the-ossec-agent-to-ossec-server\">Connect the OSSEC Agent to OSSEC Server<\/a><\/li><li><a href=\"#running-ossec-agent\">Running OSSEC Agent<\/a><\/li><\/ul><\/li><li><a href=\"#further-reading\">Further Reading<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-ossec-hids-agent-on-ubuntu-20-04\">Installing OSSEC HIDS Agent on Ubuntu 20.04<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>To begin with, ensure that your system package cache is up-to-date.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-required-dependencies\">Install Required Dependencies<\/h3>\n\n\n\n<p>Building and installing the OSSEC HIDS agent on Ubuntu 20.04 from source requires a number of dependencies to be installed on the system. 
Run the command below to install these dependencies.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install gcc make libevent-dev zlib1g-dev  libssl-dev libpcre2-dev wget tar -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"download-latest-ossec-source-code\">Download Latest OSSEC Source Code<\/h3>\n\n\n\n<p>OSSEC 3.7 is the latest stable release version as of this writing. Check the&nbsp;<a href=\"https:\/\/github.com\/ossec\/ossec-hids\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">releases page<\/a>&nbsp;for the latest releases.<\/p>\n\n\n\n<p>Replace the value of VER with the current release version of OSSEC agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=3.7.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/${VER}.tar.gz -P \/tmp<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extract-ossec-source-code\">Extract OSSEC Source Code<\/h3>\n\n\n\n<p>Once the OSSEC source download is completed, extract it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd \/tmp<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf ${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"installing-ossec-hids-agent\">Installing OSSEC HIDS Agent<\/h3>\n\n\n\n<p>To install the OSSEC agent, navigate to the source code directory and run the installation script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids-${VER}\/<\/code><\/pre>\n\n\n\n<p>Execute the installation script;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<p>Select your installation language. 
In this case, we choose the default install language, English.<\/p>\n\n\n\n<p>Press ENTER to choose default installation options or select your language from the list.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]: <strong>ENTER<\/strong><\/code><\/pre>\n\n\n\n<p>Again, press ENTER to continue.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-- Press ENTER to continue or Ctrl-C to abort. --<\/code><\/pre>\n\n\n\n<p>Specify the type of installation. In our case, we are installing ossec-hids&nbsp;<code>agent<\/code>, hence select agent.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? <strong>agent<\/strong>\n\n  - Agent(client) installation chosen.<\/code><\/pre>\n\n\n\n<p>Choose the installation path. We go with the default,&nbsp;<code>\/var\/ossec<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2- Setting up the installation environment.\n\n - Choose where to install the OSSEC HIDS [\/var\/ossec]: <strong>ENTER<\/strong>\n\n    - Installation will be made at  \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Enter the OSSEC-HIDs Server IP address or hostname. Replace the IP used here accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>3- Configuring the OSSEC HIDS.\n\n  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <strong>192.168.56.11<\/strong>                  \n\n   - Adding Server IP 192.168.56.11\n<\/code><\/pre>\n\n\n\n<p>Enable system integrity check<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.2- Do you want to run the integrity check daemon? (y\/n) [y]: <strong>y<\/strong>\n\n   - Running syscheck (integrity check daemon).<\/code><\/pre>\n\n\n\n<p>Enable rootkit detection engine.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.3- Do you want to run the rootkit detection engine? 
(y\/n) [y]: <strong>y<\/strong>\n\n   - Running rootcheck (rootkit detection).<\/code><\/pre>\n\n\n\n<p>Disable active response. Otherwise, you can enable it if you have an understanding of the type and number of alerts you want.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.4 - Do you want to enable active response? (y\/n) [y]: <strong>n<\/strong>\n\n   - Active response disabled.<\/code><\/pre>\n\n\n\n<p>The agent installer then displays the log files that are read by default. You can add more later in the&nbsp;<code>ossec.conf<\/code>&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>  3.5- Setting the configuration to analyze the following logs:\n    -- \/var\/log\/messages\n    -- \/var\/log\/secure\n    -- \/var\/log\/maillog\n...<\/code><\/pre>\n\n\n\n<p>Once you are done defining the default options, proceed to install OSSEC agent on Ubuntu 20.04 by pressing ENTER.<\/p>\n\n\n\n<p>Once the agent is installed, you will see an output similar to;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n - System is Debian (Ubuntu or derivative).\n - Init script modified to start OSSEC HIDS during boot.\n\n - Configuration finished properly.\n\n - To start OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control start\n\n - To stop OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control stop\n\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\n\n    Thanks for using the OSSEC HIDS.\n    If you have any question, suggestion or if you find any bug,\n    contact us at https:\/\/github.com\/ossec\/ossec-hids or using\n    our public maillist at  \n    https:\/\/groups.google.com\/forum\/#!forum\/ossec-list\n\n    More information can be found at http:\/\/www.ossec.net\n\n    ---  Press ENTER to finish (maybe more information below). 
---\n<\/code><\/pre>\n\n\n\n<p>Press ENTER to close the installer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-the-ossec-agent-to-ossec-server\">Connect the OSSEC Agent to OSSEC Server<\/h3>\n\n\n\n<p>For the agent to communicate with the server;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need to first add it to the HIDS server; in our case, we used AlienVault OSSIM.<\/li>\n\n\n\n<li>After that, extract the agent authentication key from the server.<\/li>\n<\/ul>\n\n\n\n<p>Once you have extracted the key, import the key on the agent by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>Enter option<strong>&nbsp;I<\/strong>,&nbsp;<strong>paste the key<\/strong>&nbsp;and<strong>&nbsp;confirm adding the key<\/strong>. Then type&nbsp;<strong>Q<\/strong>&nbsp;and&nbsp;<strong>press enter<\/strong>&nbsp;to exit.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager.     *\n* The following options are available: *\n****************************************\n   (I)mport key from the server (I).\n   (Q)uit.\n<strong>Choose your action: I or Q: I\n<\/strong>\n* Provide the Key generated by the server.\n* The best approach is to cut and paste it.\n*** OBS: Do not include spaces or new lines.\n\n<strong>Paste it here (or '\\q' to quit): NSttstGSTsgspsgsjshsYmV5a2ktb3Blbnzk999383nndZwbiAxMC43LjMuNTggMWQyNzBjZTZlNzI2OGI2MWUzOWQ4NTg4YjgwM2ZjNDhhZWY2OTQxZTU2OWE2M2U3MjQ1N2Y1w==<\/strong>\n\nAgent information:\n   ID:10\n   Name:koromicha\n   IP Address:192.168.43.17\n\n<strong>Confirm adding it?(y\/n): y<\/strong>\n2023\/05\/30 18:05:57 manage_agents: ERROR: Cannot unlink \/queue\/rids\/sender: No such file or directory\nAdded.\n** Press ENTER to return to the main menu.\n\n\n\n****************************************\n* OSSEC HIDS v3.7.0 Agent manager.     
*\n* The following options are available: *\n****************************************\n   (I)mport key from the server (I).\n   (Q)uit.\n<strong>Choose your action: I or Q: q<\/strong>\n\n** You must restart OSSEC for your changes to take effect.\n\nmanage_agents: Exiting.\nmanage_agents: Exiting.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-ossec-agent\">Running OSSEC Agent<\/h3>\n\n\n\n<p>Once the installation completes, the installer displays how to run OSSEC agent.<\/p>\n\n\n\n<p>To start the agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control start<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start ossec<\/code><\/pre>\n\n\n\n<p>To stop the agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control stop<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop ossec<\/code><\/pre>\n\n\n\n<p>Other unit service control commands;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control {start|stop|reload|restart|status}<\/code><\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control status<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ossec-logcollector is running...\nossec-syscheckd is running...\nossec-agentd is running...\nossec-execd not running...<\/code><\/pre>\n\n\n\n<p>Check the logs to see if the agent has connected to the server;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/ossec\/logs\/ossec.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>2023\/05\/30 18:10:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). 
Tried: '192.168.56.11'.\n2023\/05\/30 18:10:58 ossec-agentd: INFO: Trying to connect to server 192.168.56.11, port 1514.\n2023\/05\/30 18:11:57<strong> INFO: Connected to 192.168.56.11 at address 192.168.56.11, port 1514\n<\/strong>...<\/code><\/pre>\n\n\n\n<p>You have successfully installed OSSEC agent on Ubuntu 20.04 and connected it to the HIDS server.<\/p>\n\n\n\n<p>Log back in to the HIDS server, restart the HIDS server service and check if the agent is active.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"further-reading\">Further Reading<\/h2>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/www.ossec.net\/docs\/\" target=\"_blank\">OSSEC Documentation<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h2>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-ossec-agent-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install OSSEC Agent on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-ossec-agent-on-debian-10-buster\/\" target=\"_blank\">Install OSSEC Agent on Debian 10 Buster<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-mac-os-x\/\" target=\"_blank\">How to Install OSSEC Agent on Mac OS<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-solaris-11-4\/\" target=\"_blank\">How to Install OSSEC Agent on Solaris 11.4<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial will guide you on how to install OSSEC HIDS agent on Ubuntu 20.04 system from the source tarball. 
OSSEC&nbsp;is an Open Source Host<\/p>\n","protected":false},"author":1,"featured_media":16886,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,72,273],"tags":[1718,1717,1719,117,1200],"class_list":["post-6227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-monitoring","category-ossec","tag-install-ossec-agent","tag-install-ossec-agent-from-source-on-ubuntu-20-04","tag-install-ossec-hids-on-ubuntu-20-04","tag-ossec-hids","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6227"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6227"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6227\/revisions"}],"predecessor-version":[{"id":21417,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6227\/revisions\/21417"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16886"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}