Thanks for including your notes (some comments in-line). I'll try to add some kind of walk through to the documentation when I can make time for it.
On Thu, May 30, 2019 at 2:53 PM Kris Springer <[email protected]> wrote:
>
> Thanks Dan. I've got it figured out now. Here are my instructions for anyone
> else who comes across this thread.
> ----------------------------------------------------
>
> The Security Onion server already has the Ossec Server running. You must
> define each client, called an ‘agent’, that is allowed to send info to the
> server.
>
>
> On the Security Onion Server
>
> You must make sure UDP port 1514 is allowed on the server or it won’t allow
> agents to connect.
>
> $ sudo ufw status
>
> $ sudo ufw allow 1514/udp
>
> $ sudo ufw status
>
>
> Add a new agent (client machine)
>
This is actually the manage_agents menu from the server. The agent's manage_agents should only have:

****************************************
* OSSEC HIDS v3.2.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.

> $ sudo /var/ossec/bin/manage_agents
>
> L lists all agents (clients) that are currently configured
>
> A add an agent
>
> Name the new agent. This can be any name, but ideally it should be the FQDN
> if it's a server.
>
> Define the static IP the agent will be coming from. It must have the subnet
> slash on the end.
>
If that's true, then there is a regression somewhere (or it's a wazuh change). It's never needed the subnet stuff on complete IP addresses in the past.

> Every agent gets a unique 3 digit ID number.
>
> Click here to see all syntax options
>
> [sample]
>
> LinuxServer1
>
> 10.11.12.33/24 (can also be ‘any’ if on DHCP. see syntax options)
>
>
> L to see the newly added agent in the list.
>
> E to get the Auth Key you need to copy and apply when installing on the client
>
> Q to quit the manager.
>
> Note: if removing agents, their ID numbers are not reusable.
>
>
> On the Linux Client machine (also known as the agent)
>
> Install instructions found here http://www.ossec.net/downloads/
>
>
> $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
>
> $ sudo apt update
>
> $ sudo apt install ossec-hids-agent
>
>
> Define the Security Onion Server IP address.
>
> $ sudo nano /var/ossec/etc/ossec.conf
>
>
> Import the Auth Key that you copied from the server.
>
> $ sudo /var/ossec/bin/manage_agents
>
>
> Start the ossec agent service.
>
> $ sudo service ossec start
>
> $ sudo service ossec status
>
>
> Check the logs to make sure it connected to the server.
>
> You may also see a few access errors for non-existent log files.
>
> $ sudo cat /var/ossec/logs/ossec.log
>
>
>
> View some logs on Security Onion Server
>
> Check the ‘HIDS’ alerts in Kibana to see if your new agent shows up as a new
> connection.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/1b285f8a-ba13-45fd-9ce8-85ad6936b42c%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
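An added example, not part of the thread and not OSSEC's own code, that turns the enrollment steps above into checks a practitioner can run. It validates the IP field the way the reply argues it should behave (a bare address, a CIDR network, or "any", with no /prefix required on a complete address), prints a ufw rule that limits UDP/1514 to the agents' network instead of opening it to every source, round-trips an agent key the way manage_agents' E and I options do (the client.keys line "ID NAME IP KEY", base64-encoded), and reads ossec.log for the connection result. The client.keys entry, the key and the log lines are constructed sample data in OSSEC's formats; the function names, temporary directory and sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not OSSEC's own code): helpers for
# sanity-checking an OSSEC agent enrollment like the one above. It runs
# against constructed sample data so it can be tried without a live
# /var/ossec; point the functions at the real files on a host.

# 1. The IP field manage_agents accepts: a bare IPv4 address, a network in
#    CIDR form, or the literal "any". A bare address needs no /prefix.
agent_ip_ok() {
  [ "$1" = any ] && return 0
  ip=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32            # no slash: a single host
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# 2. The server-side firewall rule. "ufw allow 1514/udp" opens the port to
#    every source; restricting it to the agents' address or network is the
#    safer form. Only the command is printed, so nothing is changed here.
ufw_rule_for() {
  agent_ip_ok "$1" || return 1
  if [ "$1" = any ]; then
    echo "ufw allow 1514/udp"                  # world-reachable; avoid if you can
  else
    echo "ufw allow from $1 to any port 1514 proto udp"
  fi
}

# 3. Pressing E in manage_agents prints the agent's client.keys line
#    ("ID NAME IP KEY") base64-encoded; pressing I on the agent decodes it
#    back into the agent's own client.keys. The blob is the shared secret
#    that authenticates and encrypts the agent's traffic, so move it over a
#    trusted channel and do not leave it in shell history or tickets.
export_key() {                 # $1 = client.keys path, $2 = agent ID
  line=$(awk -v id="$2" '$1 == id' "$1")
  [ -n "$line" ] || return 1
  printf '%s' "$line" | base64 | tr -d '\n'
}

import_key() {                 # $1 = pasted blob; prints the client.keys line
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  set -- $decoded
  [ $# -eq 4 ] || return 1
  agent_ip_ok "$3" || return 1
  printf '%s\n' "$decoded"
}

# 4. Decide from ossec.log whether the agent actually reached the server:
#    0 = a "Connected to the server" line is present, 1 = it is still waiting
#    for a reply (wrong key, or UDP/1514 blocked), 2 = neither message yet.
#    ossec-logcollector errors about missing log files are benign and ignored.
agent_connected() {            # $1 = ossec.log path
  if grep -q 'ossec-agentd: INFO: Connected to the server' "$1"; then
    return 0
  elif grep -q 'WARN: Waiting for server reply' "$1"; then
    return 1
  fi
  return 2
}

# Constructed sample data in OSSEC's file and log formats (not a real key).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' \
  '001 LinuxServer1 10.11.12.33 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
  > "$tmp/client.keys"
printf '%s\n' \
  "2019/05/30 15:01:02 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.11.12.10'." \
  "2019/05/30 15:01:40 ossec-logcollector(1103): ERROR: Could not open file '/var/log/messages' due to [(2)-(No such file or directory)]." \
  "2019/05/30 15:01:41 ossec-agentd: INFO: Connected to the server (10.11.12.10:1514)." \
  > "$tmp/ossec.log"

# Walk the enrollment with the sample data.
echo "server firewall: $(ufw_rule_for 10.11.12.0/24)"
blob=$(export_key "$tmp/client.keys" 001)
echo "paste this on the agent (keep it secret): $blob"
import_key "$blob" > "$tmp/agent.client.keys"
if agent_connected "$tmp/ossec.log"; then
  echo "agent is enrolled and connected"
else
  echo "agent not connected yet; check the key and UDP/1514 (status $?)"
fi
```

Run it with sh on any host that has coreutils. On a real agent, point agent_connected at /var/ossec/logs/ossec.log; a "Waiting for server reply" result with nothing following it almost always means the key does not match what the server has for that ID and IP, or UDP/1514 never reached the server.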
