    AlienVault OSSIM Agent install how-to

    IT Discussion
    travisdh1 (last edited by travisdh1)

      I've added some Debian machines that needed the OSSIM agent tools installed. The process is just a little different than the documents state, so I thought I should add it here.

      In your OSSIM interface, go to ENVIRONMENT -> DETECTION -> AGENTS and click ADD AGENT.

      After the agent is added, click on the key icon for the agent you just added, and copy the line of random junk that it gives you.

      Now, on the client machine, install the prerequisites.

      sudo apt-get install inotify-tools build-essential
      

      Download, unzip, and install the OSSIM source.

      wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
      tar xf ossec-hids-2.8.3.tar.gz
      cd ossec-hids-2.8.3
      sudo ./install.sh
      

      The installer will ask you for some things none of the guides I use were up to date with. For this, we just want the client, and it will ask for the server IP or FQDN. Besides that, accept the defaults and let it run.

      The client now needs the agent key entered, and the service restarted.

      sudo /var/ossec/bin/manage_agents
      I        # choose (I)mport key from the server
      

      Paste the key we copied from the server.

      y        # confirm adding the agent
      Enter    # return to the menu
      Q        # quit manage_agents
      sudo /etc/init.d/ossec restart
      

      Finally, we need to restart the HIDS service on the server. This should be in HIDS CONTROL in the same screen we were in before.

      All done.

      Sources: https://www.alienvault.com/documentation/usm-v5/ids-configuration/deploying-alienvault-hids.htm#Deployin2
      https://www.linode.com/docs/security/ossec-ids-debian-7
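      A small check added here, not part of travisdh1's post: it decodes the key line copied from the server and compares the agent name and IP embedded in it against the entry you created, so a key for the wrong host is caught before manage_agents imports it. It assumes the usual OSSEC export format (base64 of "id name ip secret"); the sample key, the agent name debian-web01, its IP and the secret are constructed for the demo, and the import helper assumes manage_agents accepts its menu answers on stdin.

```shell
#!/bin/sh
# Added example (not from the original post): verify an OSSEC agent key
# line before importing it on the client.

# Constructed sample key: base64 of "<id> <name> <ip> <secret>" (not a real key).
SAMPLE_KEY=$(printf '%s' "001 debian-web01 192.168.10.21 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" | base64 | tr -d '\n')

# decode_agent_key KEY
#   Prints "id name ip" on success; returns 1 if the line is not base64
#   or does not split into exactly four fields.
decode_agent_key() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    # Intentional word splitting on whitespace into positional parameters.
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# check_agent_key KEY EXPECTED_NAME EXPECTED_IP
#   Returns 0 only when the key was issued for that agent name and IP.
check_agent_key() {
    want_name=$2
    want_ip=$3
    fields=$(decode_agent_key "$1") || return 1
    set -- $fields
    [ "$2" = "$want_name" ] && [ "$3" = "$want_ip" ]
}

# import_agent_key KEY EXPECTED_NAME EXPECTED_IP
#   Same keystrokes as typed by hand (I, key, y, Enter, Q), fed on stdin.
#   Assumption: manage_agents reads its menu answers from stdin. Not run here.
import_agent_key() {
    check_agent_key "$1" "$2" "$3" || {
        echo "refusing import: key is not for $2 ($3)" >&2
        return 1
    }
    printf 'I\n%s\ny\n\nQ\n' "$1" | sudo /var/ossec/bin/manage_agents
}
```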

      travisdh1

        Just confirmed this works on Ubuntu as well. I imagine that means Mint would also work, but have not confirmed Mint yet, and probably will not as the only installs of that I have are workstations that don't require quite the same level of monitoring.
