Thanks Dan. I've got it figured out now. Here's my instructions for anyone else who comes across this thread. ----------------------------------------------------
The Security Onion server already has the Ossec Server running. You must define each client, called an ‘agent’, that is allowed to send info to the server.

On the Security Onion Server

You must make sure UDP port 1514 is allowed on the server or it won’t allow agents to connect.

$ sudo ufw status
$ sudo ufw allow 1514/udp
$ sudo ufw status

Add a new agent (client machine):

$ sudo /var/ossec/bin/manage_agents

L  lists all agents (clients) that are currently configured
A  add an agent
   Name the new agent. This can be any name, but ideally it should be the FQDN if it’s a server.
   Define the static IP the agent will be coming from. It must have the subnet slash on the end.
   Every agent gets a unique 3-digit ID number.
   Click here to see all syntax options: <http://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-management.html#manage-agents-on-the-ossec-server>
   [sample] LinuxServer1 10.11.12.33/24 (can also be ‘any’ if on DHCP; see syntax options)
L  to see the newly added agent in the list.
E  to get the Auth Key you need to copy and apply when installing on the client.
Q  to quit the manager.

Note: if removing agents, their ID numbers are not reusable.

On the Linux Client machine (also known as the agent)

Install instructions found here: http://www.ossec.net/downloads/

$ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
$ sudo apt update
$ sudo apt install ossec-hids-agent

Define the Security Onion Server IP address.

$ sudo nano /var/ossec/etc/ossec.conf

Import the Auth Key that you copied from the server.

$ sudo /var/ossec/bin/manage_agents

Start the ossec agent service.

$ sudo service ossec start
$ sudo service ossec status

Check the logs to make sure it connected to the server. You may also see a few access errors for non-existent log files.

$ sudo cat /var/ossec/logs/ossec.log

View some logs on Security Onion Server

Check the ‘HIDS’ alerts in Kibana to see if your new agent shows up as a new connection.
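An added example, not part of the original post or of OSSEC's own tooling: a small bash script that checks the three points in the procedure above where enrollment usually goes wrong (the server firewall rule for 1514/udp, the Auth Key handed over from manage_agents, and the agent's ossec.log after start). The function names are this example's own; the `ufw status` output, the client.keys line and the ossec.log lines are constructed sample data so the script runs offline. It assumes the key exported by manage_agents is the base64 encoding of one "ID NAME IP KEY" line from client.keys, and that a successful agent start writes a "Connected to the server" line from ossec-agentd.

```bash
#!/usr/bin/env bash
# Added example: offline sanity checks for the OSSEC agent enrollment steps
# in the post above. Function names are this example's own, and every sample
# input below is constructed, not captured from a real system.

# --- Server side: does ufw allow the OSSEC agent port? ----------------------
# Reads `ufw status` output on stdin. Returns 0 only if an ALLOW rule for
# 1514/udp is present; agents cannot register without it.
ufw_allows_ossec_port() {
  grep -Eq '^1514/udp.*ALLOW'
}

# --- Key handoff: decode and validate the key exported by manage_agents (E) --
# Assumption: the exported string is base64 of one client.keys line,
# "ID NAME IP KEY". Prints "ID NAME IP" and returns 0 if the layout matches
# (3-digit ID, IP with /prefix or "any", hex key); returns 1 otherwise.
agent_key_identity() {
  local decoded id name ip key
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  set -- $decoded
  [ "$#" -eq 4 ] || return 1
  id=$1; name=$2; ip=$3; key=$4
  printf '%s' "$id"  | grep -Eq '^[0-9]{3}$' || return 1
  printf '%s' "$ip"  | grep -Eq '^(any|[0-9]+(\.[0-9]+){3}/[0-9]+)$' || return 1
  printf '%s' "$key" | grep -Eq '^[0-9a-f]+$' || return 1
  printf '%s %s %s\n' "$id" "$name" "$ip"
}

# --- Client side: did the agent actually reach the server? -------------------
# Reads /var/ossec/logs/ossec.log on stdin; returns 0 on an ossec-agentd
# "Connected to the server" line.
agent_connected() {
  grep -q 'ossec-agentd.*Connected to the server'
}

# Lists files the log collector could not open (the harmless "access errors
# for non-existent log files" the post mentions), one path per line, so the
# matching <localfile> entries in ossec.conf can be reviewed.
unreadable_log_files() {
  sed -n "s/.*Could not open file '\([^']*\)'.*/\1/p"
}

# --- Constructed sample inputs ----------------------------------------------
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1514/udp                   ALLOW       Anywhere'

# A constructed client.keys line; the hex key is a placeholder, not a real key.
SAMPLE_KEY_LINE='001 LinuxServer1 10.11.12.33/24 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_EXPORTED_KEY=$(printf '%s' "$SAMPLE_KEY_LINE" | base64 | tr -d '\n')

SAMPLE_OSSEC_LOG="2018/05/01 10:00:01 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)].
2018/05/01 10:00:01 ossec-logcollector(1103): ERROR: Could not open file '/var/log/secure' due to [(2)-(No such file or directory)].
2018/05/01 10:00:02 ossec-agentd(4102): INFO: Connected to the server (10.11.12.1:1514)."

# Runs all checks against the samples; returns 0 only if every check passes.
run_checks() {
  printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_allows_ossec_port \
    || { echo "ufw: no ALLOW rule for 1514/udp"; return 1; }
  agent_key_identity "$SAMPLE_EXPORTED_KEY" >/dev/null \
    || { echo "key: exported Auth Key is malformed"; return 1; }
  printf '%s\n' "$SAMPLE_OSSEC_LOG" | agent_connected \
    || { echo "agent: never connected to the server"; return 1; }
  echo "agent enrolled as: $(agent_key_identity "$SAMPLE_EXPORTED_KEY")"
  echo "log files the collector could not open (expected on a fresh Ubuntu agent):"
  printf '%s\n' "$SAMPLE_OSSEC_LOG" | unreadable_log_files
}

run_checks
```

On a real host, feed the functions live data instead of the samples: `sudo ufw status | ufw_allows_ossec_port` on the Security Onion server, the pasted key string to `agent_key_identity` before importing it, and `sudo cat /var/ossec/logs/ossec.log | agent_connected` on the client after `service ossec start`.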