{"id":9574,"date":"2021-07-09T21:55:04","date_gmt":"2021-07-09T18:55:04","guid":{"rendered":"https:\/\/kifarunix.com\/?p=9574"},"modified":"2024-03-18T19:48:46","modified_gmt":"2024-03-18T16:48:46","slug":"install-ossec-agent-on-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-ossec-agent-on-rocky-linux-8\/","title":{"rendered":"Install OSSEC Agent on Rocky Linux 8"},"content":{"rendered":"\n<p>This guide presents a step-by-step tutorial on how to install OSSEC Agent on Rocky Linux 8.&nbsp;<a href=\"https:\/\/www.ossec.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">OSSEC<\/a>&nbsp;is an Open Source Host based Intrusion Detection System that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs across multiple platforms including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows etc.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing OSSEC Agent on Rocky Linux 8<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Run system Update<\/h3>\n\n\n\n<p>Before you proceed with installation, run system update.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Required Build Tools<\/h3>\n\n\n\n<p>A successful installation of OSSEC on Rocky Linux 8 requires quite a number of dependencies to be installed on the system. Run the command below to install these dependencies.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install gcc make libevent-devel zlib-devel openssl-devel pcre2-devel wget tar -y<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Download Latest OSSEC Source Code<\/h3>\n\n\n\n<p>OSSEC 3.6 is the latest stable release as of this writing. Check the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/ossec\/ossec-hids\/releases\" target=\"_blank\">releases page<\/a>&nbsp;for the latest releases.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/ossec\/ossec-hids\/archive\/3.6.0.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Extract OSSEC Source Code<\/h3>\n\n\n\n<p>Once the OSSEC source download is completed, extract it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf 3.6.0.tar.gz<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install OSSEC Agent<\/h3>\n\n\n\n<p>There are two ways in which you can now install OSSEC agent.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#manual-install\">Manual Installation<\/a><\/li>\n\n\n\n<li><a href=\"#automate-installation\">Automated Installation<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"manual-install\">Manual Installation of OSSEC agent on Rocky Linux 8<\/h4>\n\n\n\n<p>To manually install OSSEC agent, navigate to the source code directory and run the installation script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids-3.6.0\/<\/code><\/pre>\n\n\n\n<p>Execute the installation group;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<p>Select you installation language. In this case, we choose the default install language, English.<\/p>\n\n\n\n<p>Press ENTER to choose default installation options.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]: ENTER<\/code><\/pre>\n\n\n\n<p>Again, press ENTER to continue.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>-- Press ENTER to continue or Ctrl-C to abort. --<\/code><\/pre>\n\n\n\n<p>Specify the type of installation. In our case, we are installing ossec-hids&nbsp;<code>agent<\/code>, hence select agent.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1- What kind of installation do you want (server, agent, local, hybrid or help)? agent\n\n  - Agent(client) installation chosen.<\/code><\/pre>\n\n\n\n<p>Choose the installation path. We go with the default,&nbsp;<code>\/var\/ossec<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2- Setting up the installation environment.\n\n - Choose where to install the OSSEC HIDS &#91;\/var\/ossec]: \n\n    - Installation will be made at  \/var\/ossec .<\/code><\/pre>\n\n\n\n<p>Enter the OSSEC-HIDs Server IP address or hostname. Replace the IP used here accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>3- Configuring the OSSEC HIDS.\n\n  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.60.20                 \n\n   - Adding Server IP 192.168.60.20\n<\/code><\/pre>\n\n\n\n<p>Enable system integrity check<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  3.2- Do you want to run the integrity check daemon? (y\/n) &#91;y]: y\n\n   - Running syscheck (integrity check daemon).<\/code><\/pre>\n\n\n\n<p>Enable rootkit detection engine.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  3.3- Do you want to run the rootkit detection engine? (y\/n) &#91;y]: \n\n   - Running rootcheck (rootkit detection).<\/code><\/pre>\n\n\n\n<p>Disable active response. Otherwise, you can enable it if you an understanding of the type and number of alerts you want.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  3.4 - Do you want to enable active response? (y\/n) &#91;y]: n\n\n   - Active response disabled.<\/code><\/pre>\n\n\n\n<p>The agent installer then displays the log files that are read by default. You can add more later on&nbsp;<code>ossec.conf<\/code>&nbsp;file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  3.5- Setting the configuration to analyze the following logs:\n    -- \/var\/log\/messages\n    -- \/var\/log\/secure\n    -- \/var\/log\/maillog\n...<\/code><\/pre>\n\n\n\n<p>Once you are done defining the default options, proceed to install OSSEC agent by pressing ENTER.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n - System is Redhat Linux.\n - Init script modified to start OSSEC HIDS during boot.\n\n - Configuration finished properly.\n\n - To start OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control start\n\n - To stop OSSEC HIDS:\n      \/var\/ossec\/bin\/ossec-control stop\n\n - The configuration can be viewed or modified at \/var\/ossec\/etc\/ossec.conf\n\n\n    Thanks for using the OSSEC HIDS.\n    If you have any question, suggestion or if you find any bug,\n    contact us at https:\/\/github.com\/ossec\/ossec-hids or using\n    our public maillist at  \n    https:\/\/groups.google.com\/forum\/#!forum\/ossec-list\n\n    More information can be found at http:\/\/www.ossec.net\n\n    ---  Press ENTER to finish (maybe more information below). ---\n    \n\n\n - You first need to add this agent to the server so they \n   can communicate with each other. When you have done so,\n   you can run the 'manage_agents' tool to import the \n   authentication key from the server.\n   \n   \/var\/ossec\/bin\/manage_agents\n\n   More information at: \n   http:\/\/www.ossec.net\/en\/manual.html#ma\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"automate-installation\">Automated Installation of OSSEC Agent<\/h4>\n\n\n\n<p>To automate the installation of OSSEC agent, navigate to the source code directory and run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ossec-hids*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp etc\/preloaded-vars.conf{.example,}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i -e 's\/#USER_LANGUAGE=\"en\"\/USER_LANGUAGE=\"en\"\/' -e 's\/#USER_NO_STOP=\"y\"\/USER_NO_STOP=\"y\"\/' \\\n  -e 's\/#USER_INSTALL_TYPE=\"agent\"\/USER_INSTALL_TYPE=\"agent\"\/' -e 's\/#USER_DIR=\"\\\/var\\\/ossec\"\/USER_DIR=\"\\\/var\\\/ossec\"\/'\\\n  -e 's\/#USER_ENABLE_ACTIVE_RESPONSE=\"y\"\/USER_ENABLE_ACTIVE_RESPONSE=\"n\"\/' -e 's\/#USER_ENABLE_SYSCHECK=\"y\"\/USER_ENABLE_SYSCHECK=\"y\"\/' \\\n  -e 's\/#USER_ENABLE_ROOTCHECK=\"y\"\/USER_ENABLE_ROOTCHECK=\"y\"\/' \\\n  -e 's\/# USER_AGENT_SERVER_IP=\"1.2.3.4\"\/ USER_AGENT_SERVER_IP=\"192.168.60.20\"\/' etc\/preloaded-vars.conf<\/code><\/pre>\n\n\n\n<p>Replace the 192.168.60.20 above with the IP address of your OSSEC server.<\/p>\n\n\n\n<p>Next, run the installation;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/install.sh<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Connect the OSSEC Agent to OSSEC Server<\/h3>\n\n\n\n<p>For the agent to communicate with the server, you can need to first add it to the server.<\/p>\n\n\n\n<p>After that extract the agent authentication key from the server.<\/p>\n\n\n\n<p>Once you have extracted the key, Import the key on the agent by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/manage_agents<\/code><\/pre>\n\n\n\n<p>Enter option<strong>&nbsp;I<\/strong>,&nbsp;<strong>paste the key<\/strong>&nbsp;and<strong>&nbsp;confirm adding the key<\/strong>. Then type&nbsp;<strong>Q<\/strong>&nbsp;and&nbsp;<strong>press enter<\/strong>&nbsp;to exit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Running OSSEC Agent<\/h3>\n\n\n\n<p>Once the installation completes, the installer displays how to run OSSEC agent.<\/p>\n\n\n\n<p>To start the agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control start<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start ossec<\/code><\/pre>\n\n\n\n<p>To stop the agent;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control stop<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop ossec<\/code><\/pre>\n\n\n\n<p>Other unit service control commands;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/var\/ossec\/bin\/ossec-control {start|stop|reload|restart|status}<\/code><\/pre>\n\n\n\n<p>You have successfully installed OSSEC agent on Rocky Linux 8 and that marks the end of our guide on how to install OSSEC agent. Stay connected for more similar tutorials.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.ossec.net\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener\">OSSEC Documentation<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-ossec-agent-on-debian-10-buster\/\" target=\"_blank\">Install OSSEC Agent on Debian 10 Buster<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-mac-os-x\/\" target=\"_blank\">How to Install OSSEC Agent on Mac OS<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-install-ossec-agent-on-solaris-11-4\/\" target=\"_blank\">How to Install OSSEC Agent on Solaris 11.4<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-and-setup-ossec-agent-on-ubuntu-18-04-centos-7\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Install and Setup OSSEC agent on Ubuntu 18.04\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide presents a step-by-step tutorial on how to install OSSEC Agent on Rocky Linux 8.&nbsp;OSSEC&nbsp;is an Open Source Host based Intrusion Detection System that<\/p>\n","protected":false},"author":3,"featured_media":9577,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,273],"tags":[3818,275,118,3819,117,3587],"class_list":["post-9574","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-ossec","tag-install-ossec-agent-rocky-linux","tag-ossec","tag-ossec-agent","tag-ossec-agent-install-rocky-linux","tag-ossec-hids","tag-rocky-linux-8","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9574"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=9574"}],"version-history":[{"count":2,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9574\/revisions"}],"predecessor-version":[{"id":21740,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/9574\/revisions\/21740"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9577"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=9574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=9574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=9574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}