Installing OSSEC for Distributed Log Monitoring

OSSEC is an open source tool for security monitoring. It also provides some powerful tools for log monitoring on distributed systems, such as our farm of test machines on our private cloud. This is a basic setup for now, without any bells and whistles and without active response enabled.

Server Install steps/commands on Linux

  • You must run the install as 'root'
  • Run the following commands to download, unpack and run the install -
  • You will be prompted to answer a series of questions. The default value will be presented in square brackets. You can just hit 'Enter' for acceptable default values
    • Language:  default is [en] - accept the default and hit 'Enter'
    • Next you will be given a chance to abort the installation. Press 'Enter' to continue
    • What kind of installation do you want: 'Server'
    • Choose where to install the OSSEC HIDS [/var/ossec]: accept the default and hit 'Enter'
    • Do you want e-mail notification? (y/n) [y]:  press 'n' for 'No'
    • Do you want to run the integrity check daemon? (y/n) [y]: y for 'Yes'
    • Do you want to run the rootkit detection engine? (y/n) [y]: n for 'No'
    • Do you want to enable active response? (y/n) [y]: y for 'Yes'
    • Do you want to enable the firewall-drop response? (y/n) [y]: n for 'No'
    • Do you want to add more IPs to the white list? (y/n)? [n]: y for 'yes'
    • IPs (space separated): Enter a list of IP addresses for any desktops that you will be using for testing, separated by a space
    • Press 'Enter' to start the build and install
  • Edit the config file with 'vim /var/ossec/etc/ossec.conf'
    • Add yes within the section
  • Start the server using '/var/ossec/bin/ossec-control start'
  • Add the desktop(s) you will be monitoring logs on to the server by starting '/var/ossec/bin/manage_agents' which will lead you through a series of steps. You will be presented with the following screen -
****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a
    • Type 'a' to add an agent
    • When prompted, enter the host name of the desktop you will be monitoring and hit 'Enter'
    • When prompted enter the IP address of the desktop you will be monitoring and hit 'Enter'
    • Hit 'Enter' to accept the default ID for the agent
    • Type 'y' to confirm you want to add the new agent. Below is an example -
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: hostname
   * The IP Address of the new agent: xxx.xxx.xxx.xxx
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:hostname
   IP Address:xxx.xxx.xxx.xxx

Confirm adding it?(y/n): y
Agent added.
  • You will now need to extract the key for the desktop you added so you can install the agent on the desktop. Once you are back at the main screen of manage_agents:
    • Type 'e' to invoke the extract menu. You will be presented with the list of agents.
    • Type in the ID for the agent you just created (including any leading zeros) and hit 'Enter'
    • The key will be displayed. Copy this key for the next step and quit the manage_agents app. This is what the interaction looks like -
****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: hostname, IP: xxx.xxx.xxx.xxx
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MZWEzN2IDAxIFEwLjMuMTc0LjIwNCBkNDZmMjFmTY4M2Ix1YjYyOTE2NjI3N2ExMjA2Y2VmNB0eDTk3MDEyZGU4MTkHR0YzAxI0MTZkOGYxZjFmYmFkZDdjY

** Press ENTER to return to the main menu.
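A quick check worth running on the copied key before pasting it into the agent, as an added example that is not part of the original post: it assumes, as in OSSEC's manage_agents, that the displayed key is the base64 encoding of the client.keys line "ID NAME IP KEY" with a 64-character hex secret, and the sample key below is constructed for the example.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample: assumption about the format is that manage_agents prints
# base64 of the client.keys line "ID NAME IP KEY". The secret is normally
# 64 hex characters; this one is made up for the example.
SAMPLE_RECORD = "001 hostname 10.52.136.77 " + "ab12" * 16
SAMPLE_KEY = base64.b64encode(SAMPLE_RECORD.encode("ascii")).decode("ascii")


def decode_agent_key(blob: str) -> dict:
    """Decode an extracted agent key into its four fields, or raise ValueError."""
    compact = "".join(blob.split())  # tolerate line wraps picked up while copying
    try:
        record = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        # Typical cause: the key was truncated or gained a stray character in the clipboard
        raise ValueError("not a complete base64 agent key") from exc
    parts = record.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 'ID NAME IP KEY', got {len(parts)} field(s)")
    agent_id, name, ip, secret = parts
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"agent ID {agent_id!r} is not numeric")
    if ip != "any":
        # client.keys also accepts CIDR such as 10.0.0.0/24; validate the address part
        ipaddress.ip_address(ip.split("/", 1)[0])  # raises ValueError on junk
    if not re.fullmatch(r"[0-9a-f]{64}", secret):
        raise ValueError("shared secret is not a 64-character hex string")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def registration_mismatches(blob: str, expected_id: str, expected_name: str,
                            expected_ip: str) -> list:
    """Return the names of key fields that differ from what was registered on the server."""
    info = decode_agent_key(blob)
    expected = {"id": expected_id, "name": expected_name, "ip": expected_ip}
    return [field for field, value in expected.items() if info[field] != value]


if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_KEY))
    print(registration_mismatches(SAMPLE_KEY, "001", "hostname", "10.52.136.77"))
```

An agent whose name or IP in the key does not match the server's entry will not be accepted, so a non-empty mismatch list is the first thing to look at when the agent never shows as connected.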

Installing the desktop agent


  • Put in the IP address for the server - 10.52.136.55
  • Paste the key you created from the last section and click 'Save'. You will be shown the agent details. Click 'OK'

  • Next select View -> Config

  • Add the following section to the config within the section -
<localfile>
  <location>C:\MyApp\Log\log.txt</location>
  <log_format>syslog</log_format>
</localfile>
  • Close and Save the file
  • Start the OSSEC agent on the desktop using Manage -> Start OSSEC

  • If you go into View -> Logs, scroll to the bottom and you should now see it connecting to the server -
2013/07/24 18:17:53 ossec-agent(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514).
2013/07/24 18:17:53 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2013/07/24 18:17:53 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2013/07/24 18:17:54 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2013/07/24 18:17:54 ossec-agent(1950): INFO: Analyzing file: 'C:\MyApp\Log\log.txt'.
2013/07/24 18:17:54 ossec-agent: INFO: Started (pid: 300).
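To confirm from that log that the agent both reached the server and opened every configured localfile, here is an added example (not from the original post) that parses agent log lines in the format shown above; the sample lines are constructed, using the server address from this post.

```python
import re

# Constructed sample in the format the Windows agent log shows above.
SAMPLE_LOG = [
    "2013/07/24 18:17:53 ossec-agent(4102): INFO: Connected to the server (10.52.136.55:1514).",
    "2013/07/24 18:17:53 ossec-agent(1951): INFO: Analyzing event log: 'Application'.",
    "2013/07/24 18:17:53 ossec-agent(1951): INFO: Analyzing event log: 'Security'.",
    "2013/07/24 18:17:54 ossec-agent(1951): INFO: Analyzing event log: 'System'.",
    r"2013/07/24 18:17:54 ossec-agent(1950): INFO: Analyzing file: 'C:\MyApp\Log\log.txt'.",
    "2013/07/24 18:17:54 ossec-agent: INFO: Started (pid: 300).",
]

# One agent log line: timestamp, process name (with optional message code), level, message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent(?:\(\d+\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
CONNECTED = re.compile(r"Connected to the server \((?P<server>[^)]+)\)")
ANALYZING = re.compile(r"Analyzing (?:event log|file): '(?P<source>[^']+)'")


def summarize_agent_log(lines):
    """Return the server the agent connected to, the sources it reads, and any ERROR messages."""
    summary = {"server": None, "sources": [], "errors": []}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank lines or output from other daemons
        msg = m["msg"]
        if m["level"] == "ERROR":
            summary["errors"].append(msg)
        connected = CONNECTED.search(msg)
        analyzing = ANALYZING.search(msg)
        if connected:
            summary["server"] = connected["server"]
        elif analyzing:
            summary["sources"].append(analyzing["source"])
    return summary


def missing_sources(lines, expected_sources):
    """List configured <localfile> locations the agent never reported opening."""
    seen = set(summarize_agent_log(lines)["sources"])
    return [s for s in expected_sources if s not in seen]


if __name__ == "__main__":
    print(summarize_agent_log(SAMPLE_LOG))
    print(missing_sources(SAMPLE_LOG, [r"C:\MyApp\Log\log.txt"]))
```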
  • If you install the Web UI below you should also see the agent displayed on that -


Web UI install steps (optional)

  • You must have apache and PHP installed to use the Web UI
  • Run the following commands -
    • cd /tmp
    • wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz
    • tar -xvzf ossec-wui-0.3.tar.gz
    • mv /tmp/ossec-wui-0.3 /var/www/
    • cd /var/www
    • /var/www/ossec-wui-0.3/setup.sh
      • admin for username
      • admin for password
    • chmod 770 /var/www/ossec-wui-0.3/
    • chgrp apache /var/www/ossec-wui-0.3/
    • vim /etc/httpd/conf/httpd.conf and add the following section under 'aliases'
Alias /ossec/ "/var/www/ossec-wui-0.3/"

<Directory "/var/www/ossec-wui-0.3/">
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
    • vim /etc/group
      • search for ossec
      • change ossec:x:47505: to ossec:x:47505:apache
    • vim /etc/php.ini
      • search for timezone and uncomment it and set it to UTC - 'date.timezone = UTC'
    • vim /var/www/ossec-wui-0.3/lib/os_lib_alerts.php
      • change line 842 from seek($fp, $seek_place, "SEEK_SET"); to seek($fp, $seek_place, SEEK_SET); (remove quotes)
  • change the port for Apache if port 80 is already in use (httpd.conf)
  • Start Apache with apachectl -k start
  • You can now browse to http://xxx.xxx.xxx.xxx:8000/ossec/ (username/password are admin/admin)
