Installation 2.9.2:
wget -U ossec https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz
tar -zxvf 2.9.2.tar.gz
cd ossec-hids-2.9.2
./install.sh
...
Agent configuration on the server side:
# /home/ossecdnc/public_html/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: vpsxxxx
* The IP Address of the new agent: xxx.xxx.xxx.xxx
* An ID for the new agent[013]:
Agent information:
ID:013
Name:vpsxxxx
IP Address:xxx.xxx.xxx.xxx
Confirm adding it?(y/n): y
Agent added.
Extracting the key:
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: e
Available agents:
...
ID: 013, Name: vpsxxxx, IP: xxx.xxx.xxx.xxx
Provide the ID of the agent to extract the key (or '\q' to quit): 013
Agent key information for '013' is:
MDEzIHZwczIyMzTUuMzcuMTY0IDgyM2UzOTc1YWU1ODk1MGEyYWE2OTE3MTE3NDE0NjVi NzVlZWYyZTAzZjU3Y2I5MjYmI1NzlkMThmYTg=
** Press ENTER to return to the main menu.
Agent side:
Warning: make sure the key copied in the previous step does not contain a line break.
Importing the key:
cd /var/ossec/bin
# ./manage_agents
****************************************
* OSSEC HIDS v2.9.2 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: i
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDEzIHZwczIyMzTUuMzcuMTY0IDgyM2UzOTc1YWU1ODk1MGEyYWE2OTE3MTE3NDE0NjVi NzVlZWYyZTAzZjU3Y2I5MjYmI1NzlkMThmYTg=
Agent information:
ID:013
Name:vpsxxxxxx
IP Address:xxx.xxx.xxx.xxx
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
Edit the file /var/ossec/etc/ossec-agent.conf:
vim /var/ossec/etc/ossec.conf
and set the address of the OSSEC server:
<!-- OSSEC example config -->
<ossec_config>
  <client>
    <server-ip>xxx.xxx.xxx.xxx</server-ip>
  </client>
</ossec_config>
Note: on CentOS, /var/ossec/etc/ossec.conf is a symbolic link to the file /var/ossec/etc/ossec-agent.conf. This is not the case on Ubuntu.
# readlink -f /var/ossec/etc/ossec.conf
/var/ossec/etc/ossec-agent.conf
Opening the firewall on the agent side
OSSEC uses UDP 1514 to talk to the agents.
Check the connection to the server:
# netstat -pun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 x.x.x.x:40402 y.y.y.y:1514 ESTABLISHED 11017/ossec-agentd
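Two checks this procedure relies on, as an added shell example that is not part of the original page: check_agent_key() normalizes a key pasted from the server's manage_agents (removing the line break the warning above refers to) and verifies that it decodes to the four fields an OSSEC client key carries (ID, name, IP, 64-hex key), and agent_server_from_netstat() pulls the manager address out of netstat -pun output like the line above. The sample key and netstat text are constructed; GNU coreutils base64 and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original page). An OSSEC client key is the
# base64 encoding of "ID NAME IP HEXKEY" (4 space-separated fields).

# Strip the whitespace/newlines that a wrapped copy-paste introduces, decode,
# and validate. Prints "ID NAME IP" on success, returns 1 otherwise.
check_agent_key() {
    clean=$(printf '%s' "$1" | tr -d ' \t\r\n')
    decoded=$(printf '%s' "$clean" | base64 -d 2>/dev/null) || return 1
    # shellcheck disable=SC2086
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    # ID is numeric; the secret is 64 hex chars as generated by manage_agents
    printf '%s' "$1" | grep -Eq '^[0-9]+$' || return 1
    printf '%s' "$4" | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Parse "netstat -pun" output (passed as text): print the manager address
# behind the ossec-agentd UDP socket to port 1514, or return 1 if none.
agent_server_from_netstat() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && $5 ~ /:1514$/ && $6 == "ESTABLISHED" && $7 ~ /ossec-agentd/ {
            sub(/:1514$/, "", $5); print $5; found = 1
        }
        END { exit !found }'
}

# Constructed sample key: built the way the server would, then wrapped over
# two lines to mimic the copy-paste shown on the page.
SAMPLE_HEX=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '013 vpsxxxx 192.0.2.10 %s' "$SAMPLE_HEX" | base64 | tr -d '\n')
WRAPPED_KEY=$(printf '%s\n%s' "$(printf '%s' "$SAMPLE_KEY" | cut -c1-70)" \
                              "$(printf '%s' "$SAMPLE_KEY" | cut -c71-)")

# Constructed netstat -pun output (addresses from the documentation range).
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 192.0.2.50:40402 192.0.2.10:1514 ESTABLISHED 11017/ossec-agentd'

check_agent_key "$WRAPPED_KEY" && echo "key OK" || echo "key rejected"
agent_server_from_netstat "$NETSTAT_SAMPLE" || echo "agent not connected"
```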
After installation...
Restart the server:
...
Restart the agent:
# /var/ossec/bin/ossec-control stop
...
# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS 2.9.2 (by Trend Micro Inc.)...
...
Completed.
Check communication with the server
Errors
ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
/var/ossec/logs/ossec.log:
2017/11/25 10:02:34 ossec-execd: INFO: Started (pid: 2226).
2017/11/25 10:02:34 ossec-agentd(1410): INFO: Reading authentication keys file.
2017/11/25 10:02:34 ossec-agentd: INFO: No previous counter available for 'vps223233'.
2017/11/25 10:02:34 ossec-agentd: INFO: Assigning counter for agent vps223233: '0:0'.
2017/11/25 10:02:34 ossec-agentd: INFO: Assigning sender counter: 0:430
2017/11/25 10:02:34 ossec-agentd: INFO: Started (pid: 2230).
2017/11/25 10:02:34 ossec-agentd: INFO: Server 1: 51.255.33.89
2017/11/25 10:02:34 ossec-agentd: INFO: Trying to connect to server 51.255.33.89, port 1514.
2017/11/25 10:02:34 ossec-logcollector: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2017/11/25 10:02:34 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/shared/agent.conf'. Exiting.
2017/11/25 10:02:34 INFO: Connected to 51.255.33.89 at address 51.255.33.89, port 1514
2017/11/25 10:02:34 ossec-syscheckd(1756): ERROR: Duplicated directory given: '/etc'.
2017/11/25 10:02:34 ossec-syscheckd(1756): ERROR: Duplicated directory given: '/bin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Started (pid: 2238).
2017/11/25 10:02:38 ossec-rootcheck: INFO: Started (pid: 2238).
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/etc', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/lib', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/lib64', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib64', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/bin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/sbin', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib64', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/random.seed'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/utmpx'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/wtmpx'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/cups/certs'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/dumpdates'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/svc/volatile'
2017/11/25 10:02:38 ossec-syscheckd: INFO: ignoring: '/etc/mnttab'
2017/11/25 10:02:38 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/boot'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/etc'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/local/etc'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/bin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/bin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/sbin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/sbin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/lib'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/lib64'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/lib'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/lib64'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/local/bin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/local/sbin'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/local/lib'.
2017/11/25 10:02:38 ossec-syscheckd: INFO: Directory set for real time monitoring: '/usr/local/lib64'.
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2017/11/25 10:02:40 ossec-logcollector(1103): ERROR: Could not open file '/var/log/xferlog' due to [(2)-(No such file or directory)].
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog'.
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2017/11/25 10:02:40 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/access_log' due to [(2)-(No such file or directory)].
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/access_log'.
2017/11/25 10:02:40 ossec-logcollector(1103): ERROR: Could not open file '/var/www/logs/error_log' due to [(2)-(No such file or directory)].
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/www/logs/error_log'.
2017/11/25 10:02:40 ossec-logcollector: WARN: Duplicated log file given: '/var/log/messages'.
2017/11/25 10:02:40 ossec-logcollector(1103): ERROR: Could not open file '/var/log/auth.log' due to [(2)-(No such file or directory)].
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2017/11/25 10:02:40 ossec-logcollector(1103): ERROR: Could not open file '/var/log/syslog' due to [(2)-(No such file or directory)].
2017/11/25 10:02:40 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'.
2017/11/25 10:02:40 ossec-logcollector: INFO: Started (pid: 2234).
2017/11/25 10:02:42 ossec-logcollector: WARN: Process locked. Waiting for permission...
2017/11/25 10:02:44 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2017/11/25 10:02:44 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2017/11/25 10:02:56 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2017/11/25 10:02:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '51.255.33.89'.
2017/11/25 10:02:59 ossec-agentd: INFO: Trying to connect to server 51.255.33.89, port 1514.
2017/11/25 10:02:59 INFO: Connected to 51.255.33.89 at address 51.255.33.89, port 1514
2017/11/25 10:03:09 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2017/11/25 10:03:21 ossec-agentd(1218): ERROR: Unable to send message to 'server'.
2017/11/25 10:03:22 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '51.255.33.89'.
2017/11/25 10:03:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/11/25 10:03:40 ossec-syscheckd: WARN: Process locked. Waiting for permission...
etc.
Debugging:
See: How to debug ossec?
Edit the file /var/ossec/etc/internal_options.conf to set:
# Log collector (server, local or unix agent)
logcollector.debug=1
Errors at first start: ossec-execd not running...
root@vps99861 [/var/ossec/bin]# ./ossec-control start
Starting OSSEC HIDS v2.9.2 (by Trend Micro Inc.)...
Started ossec-execd...
2017/12/07 23:25:58 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
2017/12/07 23:25:58 ossec-logcollector(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 89).
Started ossec-logcollector...
2017/12/07 23:25:58 ossec-syscheckd(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 89).
2017/12/07 23:25:58 ossec-syscheckd(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XMLERR: File '/var/ossec/etc/shared/agent.conf' not found. (line 89).
Started ossec-syscheckd...
Completed.
root@vps99861 [/var/ossec/bin]# ./ossec-control status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd not running...
root@vps99861 [/var/ossec/bin]#