If you have an existing OSSEC server, this tutorial will show you how to add a Linux endpoint that we want to monitor as an agent.
On this new server (also Ubuntu) we run very similar commands to those used for the OSSEC monitoring server: update the package lists and install the required dependencies.
sudo apt-get update
sudo apt-get install build-essential
sudo apt install libpcre2-dev zlib1g-dev
Download the latest build to the tmp folder and extract it there
wget https://github.com/ossec/ossec-hids/archive/3.3.0.tar.gz -P /tmp
cd /tmp
sudo tar -zxvf 3.3.0.tar.gz
Go to the extracted directory, then install (PCRE2_SYSTEM=yes tells the installer to use the system libpcre2 installed above)
cd ossec-hids-3.3.0
sudo PCRE2_SYSTEM=yes ./install.sh
Now you will need to answer the questions:
- Installation type – agent
- Where to install – use the default (just hit enter)
- Server IP address (this is the IP address of your monitoring server)
- Run Integrity Check – y
- Run rootkit detection – y
- Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
- Hit enter to start the build (if you get any errors, most likely build-essential has not installed correctly)
Now back on the OSSEC server, we add the new agent so the two can communicate.
Select ‘a’ from the options and complete the details for the agent.
Now that the agent is added, we need to extract its unique key and import it on the agent server.
Select option ‘e’, then make a note of the key or paste it into a file.
When finished, select ‘q’ to quit.
Now we return to the agent server and run the same agent-management menu.
This time select ‘i’ to import, then copy or paste your key as instructed.
If the key is correct you should get a success message.
Now we need to restart the agent server, then log back in and check that OSSEC is running.
sudo /var/ossec/bin/ossec-control status
If it is not running then use
sudo /var/ossec/bin/ossec-control start
Back on the monitoring server we need to restart the services like so.
sudo /var/ossec/bin/ossec-control restart
That’s it. If you set up email alerts, you will already have some notifying you of logins and of agents being added.
If the agent is not reporting, you may need to open the host-based firewall on the monitoring server to allow UDP port 1514, which is the port the agent uses to send events to the server.
sudo ufw allow 1514/udp
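To make the two checks above (is every OSSEC daemon running, and is 1514/udp allowed through ufw on the server) repeatable, here is an added health-check script; it is not from the original post, and it assumes the standard output formats of `ossec-control status` and `ufw status`. The sample outputs embedded at the bottom are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): post-install checks for
# an OSSEC agent and its server. Both functions take the command output as
# their first argument so they can be tested against constructed samples.

# Print, space-separated, every daemon that `ossec-control status` reports as
# not running. Assumes the usual lines "<daemon> is running..." and
# "<daemon> not running...". Prints an empty line when all are running.
ossec_not_running() {
  printf '%s\n' "$1" | awk '/ not running/ { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Return 0 when every daemon is running, 1 otherwise (listing the missing ones).
check_agent_status() {
  missing=$(ossec_not_running "$1")
  if [ -n "$missing" ]; then
    printf 'OSSEC daemons not running: %s\n' "$missing"
    return 1
  fi
  return 0
}

# Return 0 when `ufw status` output contains an ALLOW rule for 1514/udp.
# Assumes the standard ufw table layout ("1514/udp   ALLOW   Anywhere").
check_ufw_1514() {
  printf '%s\n' "$1" | grep -Eq '^1514/udp[[:space:]]+ALLOW'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STATUS_OK='ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...'

SAMPLE_STATUS_BAD='ossec-logcollector is running...
ossec-syscheckd not running...
ossec-agentd not running...
ossec-execd is running...'

SAMPLE_UFW_OK='Status: active

To                         Action      From
--                         ------      ----
1514/udp                   ALLOW       Anywhere'

# On a live host, feed in the real command output instead, e.g.:
#   check_agent_status "$(sudo /var/ossec/bin/ossec-control status)"   # on the agent
#   check_ufw_1514 "$(sudo ufw status)"                                # on the server
```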
In a future blog we will look at adding our own alerts.