I installed OSSIM server on a VM and have tried to link a OSSEC agent to it. I have been able to link and install a HIDS on the client and have it communicate ok to the OSSIM server.
However, in the ENVIRONMENT -> DETECTION section, I cannot get the Agent to appear as Active. I tried it with a Ubuntu and a CentOS client but I have the same issue with both.
Any advice on how to get the Agent status to Active.
Reference: https://www.youtube.com/watch?v=JVmvgLS81wk
thats pretty less information. you try to get an agent running on a windows or linux machine?
if you installed the ossim server correctly you must install the ossec hids on the agent os and configure it to act as agent. follow these steps if you dont already done so to setup the agent on a linux host.
sudo ./install.sh
1- What kind of installation do you want (server, agent, local, hybrid or help)? write agent
then later on this question: What's the IP Address or hostname of the OSSEC HIDS server? type your ip from the ossec server
the other questions should be good if you just choose default answers.
when finish run sudo /var/ossec/bin/manage_agents
on the ossec / ossim server
then add an agent the menu should look something like this:
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
add an agent and then extract the key for this agent
keep this key for later use
finally go back to the agent and run the same tool
sudo /var/ossec/bin/manage_agents
choose (I)mport key from the server (I).
paste the key you got from the ossim server and confirm.
finally restart the ossim server (i think its /etc/init.d/ossim-server restart) and the ossec agent (i think its /etc/init.d/ossec restart) that should be the goal.
