2

I installed OSSIM server on a VM and have tried to link an OSSEC agent to it. I have been able to link and install a HIDS on the client and have it communicate ok to the OSSIM server.

However, in the ENVIRONMENT -> DETECTION section, I cannot get the Agent to appear as Active. I tried it with an Ubuntu and a CentOS client but I have the same issue with both.

Any advice on how to get the Agent status to Active?

Reference: https://www.youtube.com/watch?v=JVmvgLS81wk

user92592

1 Answer

0

That's pretty little information. Are you trying to get an agent running on a Windows or Linux machine?

If you installed the OSSIM server correctly, you must install the OSSEC HIDS on the agent OS and configure it to act as an agent. Follow these steps, if you haven't already done so, to set up the agent on a Linux host.

sudo ./install.sh

1- What kind of installation do you want (server, agent, local, hybrid or help)? Write agent

Then, later on, at this question: What's the IP Address or hostname of the OSSEC HIDS server? Type the IP of your OSSEC server

The other questions should be fine if you just choose the default answers.

When finished, run sudo /var/ossec/bin/manage_agents

on the OSSEC / OSSIM server,

then add an agent. The menu should look something like this:

(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a

Add an agent and then extract the key for this agent.

Keep this key for later use.

Finally, go back to the agent and run the same tool:

sudo /var/ossec/bin/manage_agents

Choose (I)mport key from the server (I).

Paste the key you got from the OSSIM server and confirm.

Finally, restart the OSSIM server (I think it's /etc/init.d/ossim-server restart) and the OSSEC agent (I think it's /etc/init.d/ossec restart). That should be the goal.
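
An added example, not part of the answer above or of OSSEC itself: a shell check of the key exported with (E) before it is imported with (I), to rule out a registered IP that differs from the address the agent connects from. It assumes the exported key is the base64 form of the agent's client.keys line (id, name, IP, secret); the function names, the agent name web01 and its address are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: a key exported by manage_agents (E) is the
# base64 encoding of one client.keys line: "<id> <name> <ip> <secret>".

# decode_agent_key <base64-key>
# Prints "<id> <name> <ip>" (the secret is never printed); fails if malformed.
decode_agent_key() {
    dk_line=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    # Split into fields; anything after the fourth lands in dk_extra.
    read -r dk_id dk_name dk_ip dk_secret dk_extra <<EOF
$dk_line
EOF
    [ -n "$dk_secret" ] && [ -z "$dk_extra" ] || return 1
    case "$dk_id" in ''|*[!0-9]*) return 1 ;; esac   # agent id must be numeric
    printf '%s %s %s\n' "$dk_id" "$dk_name" "$dk_ip"
}

# check_agent_ip <base64-key> <address the agent connects from>
# Prints one of: match | any | cidr-unchecked | mismatch | invalid
check_agent_ip() {
    ck_fields=$(decode_agent_key "$1") || { echo invalid; return 1; }
    ck_registered=${ck_fields##* }        # last printed field is the IP
    case "$ck_registered" in
        any)  echo any ;;                 # server accepts any source address
        */*)  echo cidr-unchecked ;;      # network range: compare by hand
        "$2") echo match ;;
        *)    echo mismatch; return 1 ;;
    esac
}

# Constructed sample key (not a real secret) for agent 001 "web01".
SAMPLE_KEY=$(printf '%s' "001 web01 192.168.56.20 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" \
    | base64 | tr -d '\n')

# Usage on the agent host, with the real key pasted in place of the sample:
#   check_agent_ip "$SAMPLE_KEY" 192.168.56.20
```

A `mismatch` result means the agent was added on the server with a different IP than the one it connects from, which is worth correcting on the server before restarting both services.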