Add Windows Server to OSSEC

We have already shown how to add linux servers to OSSEC, however we have not yet shown how add a Windows server.

This is just as easy as there is a Windows install package which you can get here:

Download and run the package accepting all the defaults, and you will be greeted with this.

As you can see you need the OSSEC Server IP and the Authentication key, so lets login to our OSSEC Server. Then elevate to run as root, the cd to the correct directory

sudo su
cd /var/ossec/bin/

Then to run the setup script for new clients run

./manage_agents

Select ‘a’ from the options and complete the details for the agent by adding the IP address, ID number (which will be suggested) and the name (which can be anything).

Now the agent is added we need to extract the unique key and import it to the agent server.

Select option ‘e’ then make a note of the key or paste it into a file.

When finished select ‘q’ to quit, then logout.

Back on the Windows server add these details to your OSSEC config box shown earlier and select “manage” from the top left of the pop up box and choose restart.

That’s it.

OSSEC Logs into Graylog

As you know I’m a fan of Trend Micros free HIDS (Host Intrusion Detection System) OSSEC, and that after flirting with Splunk briefly we are now using Graylog for centralised logging.

The question. can we pull our OSSEC logs into Graylog? Course we can.

In previous versions of Graylog you need to install the CEF plugin, but as we are running the latest version, the CEF input plugin is included with the install.

So first let’s login to Graylog, and select inputs

Then from the drop down menu select “CEF UDP” then click “Launch new input”

Select your node from the drop-down menu and complete the other settings as shown. (Unless you already have something running on port 5555! In which case use a different port)

Save then start the input and check that it is running.

If you are running a firewall on the graylog server you will still need to open the port on the host firewall. If you are using ufw the command will be

sudo ufw allow 5555/udp

That’s it for the Graylog server, now over to our OSSEC master Server.

Basically all we need to do is configure OSSEC to forward a copy of it’s alerts to Graylog on the port we chose earlier.

First we cd to the correct location. (This is the default location)

cd /var/ossec/etc/

This directory contains the file we need so use nano to open it.

sudo nano ossec.conf

Then inside the following tags  <ossec_config></ossec_config>

You insert the following new section (put the IP address of the Graylog server where it says “putyouriphere” although if you have DNS configured you can use its FQDN)

<syslog_output>
    <server>putyouriphere</server>
    <port>5555</port>
    <format>cef</format>
</syslog_output>

Then we need to enable the OSSEC syslog subsystem which is not running by default.

First we need to move to the bin directory of the OSSEC install

cd /var/ossec/bin/

The execute the following command

./ossec-control enable client-syslog

Then restart OSSEC.

./ossec-control restart

If all is working you should see  “csyslogd” start with the other processes

Started........
.......
Started ossec-csyslogd........
.......
........

You can also check in

/var/ossec/logs/ossec.log

by running the following

tail -n 1000 /var/ossec/logs/ossec.log | grep csyslogd

and you should be able to see an INFO entry which shows a “Forwarding alerts” message.

If you have a firewall running and have not opened the port you may need an error.

In our case we are using ufw so would run the following.

sudo ufw allow 5555/udp

That’s it. Don’t forget depending on how you have OSSEC set up, you may not have any messages immediately. If you know what alerts you have configured then trigger one of them and then check Graylog.

 

Install OSSEC on Ubuntu 16.04 To Monitor Multiple Servers

We have previously posted on how to install and configure Security Onion (see here) with a minimal guide on OSSEC.

I wanted to install OSSEC on it’s own server and monitor other servers separately from Security Onion, so here is the guide.

This was all performed on a fresh install of ubuntu 16.04

Update our repository as always.

sudo apt get update

Then we need to get the prerequesites before installing OSSEC.

sudo apt-get install build-essential

Now download the latest version

wget https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz

You will want to verify the checksum hash if this is going into a production environment. (We’ll do tutorial on verifying hashes in the future)

Now we extract the tar file we just downloaded

sudo tar -zxvf 2.9.2.tar.gz

I then had a folder named ossec-hids, so we cd into it

cd ossec-hids

Then run the install script.

sudo ./install.sh

Now you will need to answer the questions:

  • Installation type – server
  • Where to install – use the default (just hit enter)
  • Email notification – y (then enter your email address and smtp details)
  • Run Integrity Check – y
  • Run rootkit detection – y
  • Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
  • Hit enter – If you get any errors then most likely your build-essential has not installed correctly)

Now were ready to fire up OSSEC

sudo /var/ossec/bin/ossec-control start

or check the status like this

sudo /var/ossec/bin/ossec-control status

Now we need to go over to our server which we want to monitor as an agent

Now on this server (also ubuntu) we run very similar commands as before:

sudo apt-get update
sudo apt-get install build-essential
wget https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz
sudo tar -zxvf 2.9.2.tar.gz
cd ossec-hids
sudo ./install.sh

Now you will need to answer the questions:

  • Installation type – agent
  • Where to install – use the default (just hit enter)
  • Server IP address (this is the IP address of your monitoring server)
  • Run Integrity Check – y
  • Run rootkit detection – y
  • Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
  • Hit enter – If you get any errors then most likely your build-essential has not installed correctly)

Now back to the OSSEC Server so we can add the new agent allowing the two to communicate.

sudo /var/ossec/bin/manage_agents

Select ‘a’ from the options and complete the details for the agent.

Now the agent is added we need to extract the unique key and import it to the agent server.

Select option ‘e’ then make a note of the key or paste it into a file.

When finished select ‘q’ to quit.

Now we return the the agent Server and run

sudo /var/ossec/manage_agents

This time select ‘i’ to import, then copy or paste your key as instructed.

If the key is correct you should get a success message.

Now we need to restart our agent server, then log back in and check that OSSEC is running.

sudo /var/ossec/bin/ossec-control status

If it is not running then use

sudo /var/ossec/bin/ossec-control start

Back on the monitoring server we need to restart the services like so.

sudo /var/ossec/bin/ossec-control restart

That’s it. If you setup email alerts you will alreay have some notifying you of logins and agents being added.

In a future blog we will look at adding our own alerts.