In my previous post about getting OSSEC logs into the ELK stack, I included a part on installing the OSSEC server. Installing the OSSEC agent follows the same procedure that we performed for the OSSEC server. To be honest, I am feeling lazy to write it all again, so here is a link to the previous post – Link.
But this post will be interesting, as we will sync both agent and server automatically without manually entering agent information on the server. To make it easy, here is a script for installing the OSSEC server or agent – Link.
There are two parts to auto-sync: the server-side key and certificate part, and the agent-side sync part.
NOTE: In my case I have used CentOS for both server and agent, so it is tested with CentOS.
Let’s get started.
Let’s cover the server part first. This time I am posting the script first and will explain its parts later.
echo "Install OpenSSL developer package"
echo
echo
yum -y install openssl-devel
echo
echo
echo "Generating RSA key"
echo
openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
echo
echo
echo "Generating Certificate"
echo
openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
echo
echo
echo "OSSEC service restart"
echo
sudo /var/ossec/bin/ossec-control restart
echo
echo
echo "Enable key sync on port 1515"
echo
sudo /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
echo
echo
First, it installs the OpenSSL developer package. Then it generates the RSA key and the certificate, restarts the OSSEC service, and starts ossec-authd in the background to handle key sync on port 1515. That is all on the server side; let’s start with the agent-side sync.
echo "Install OpenSSL developer package"
echo
echo
yum -y install openssl-devel
echo
echo
echo "Syncing key with the server"
echo
sudo /var/ossec/bin/agent-auth -m 192.168.140.130 -p 1515
echo
echo
echo "Ossec service restart"
echo
sudo /var/ossec/bin/ossec-control restart
echo
echo
sudo systemctl enable ossec
sudo systemctl restart ossec
Here again, we install the OpenSSL developer package. On the agent side, we use the agent-auth program found in the OSSEC installation directory, pointing it at the server’s IP address with -m (192.168.140.130 in my case) and at port 1515 with -p. Restart the OSSEC service and we are good to go. To verify, there is a program called “list_agents” in the OSSEC installation directory.
For more help: x786@protonmail.ch
Wow, wonderful blog layout! How long have you been blogging for?
You made blogging look easy. The overall look of your web site is great, as well as the content!
I have been blogging since my first post (September 2019). Never written a blog before that.
Thank you for sharing your info. I really appreciate your efforts and I am waiting for your next write-ups.
Thanks once again.
Hi, thanks for your guide.
One question about the client name.
When the client has done its auth, the server will record the client name.
Usually the client record is name+ip.
But when I use manage_agents to check the client list, the record is listed like below:
ID: 1026, Name: clientname, IP: any
My question is, how do I provide the IP address when the client authenticates using agent-auth?
Thanks
If you look at the client-side script we are using the server IP address for authentication. And it will share the client’s current IP with the server.
Thanks for your reply,
You are right, the server can recognize the client’s IP address, it just can’t show the IP address in agent-management.
1. serverside : ossec-authd -p 1515
2. clientside: agent-auth -m 192.168.188.136 -p 1515
3. log like below:
2020/11/11 19:25:26 ossec-authd: INFO: Started (pid: 5558).
2020/11/11 19:25:56 ossec-authd: INFO: New connection from 192.168.188.134
2020/11/11 19:25:56 ossec-authd: INFO: Received request for a new agent (centostest) from: 192.168.188.134
2020/11/11 19:25:56 ossec-authd: INFO: Agent key generated for centostest (requested by 192.168.188.134)
2020/11/11 19:25:56 ossec-authd: INFO: Agent key created for centostest (requested by 192.168.188.134)
4. Using manage_agents you will find:
ID: 1028, Name: centostest, IP: any
========================
Wazuh 4.0
https://documentation.wazuh.com/4.0/user-manual/reference/tools/agent-auth.html
-i and -L, maybe it can work.
True. Thank you.
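The server script leaves ossec-authd listening on port 1515, and the log lines quoted in the comments above record which host asked for each agent key. The following is an added example, not part of the original post or its comments: a small audit over log lines in that format that reports every enrollment request and marks those coming from outside an expected address prefix. The function names, the prefix argument, the log path in the comment and the last three sample lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit ossec-authd enrollment requests by source address.

# audit_authd_log ALLOWED_PREFIX < logfile
# Prints "STATUS agent_name source_ip" for every enrollment request, then a
# summary line. STATUS is OK when source_ip starts with ALLOWED_PREFIX
# (include the trailing dot, e.g. "192.168.188.").
audit_authd_log() {
  awk -v allowed="$1" '
    /ossec-authd: INFO: Received request for a new agent \(/ {
      # The agent name sits between the parentheses; the IP is the last field.
      name = $0
      sub(/^.*new agent \(/, "", name)
      sub(/\) from: .*$/, "", name)
      ip = $NF
      status = (index(ip, allowed) == 1) ? "OK" : "UNEXPECTED"
      if (status == "UNEXPECTED") bad++
      printf "%s %s %s\n", status, name, ip
    }
    END { printf "unexpected=%d\n", bad + 0 }
  '
}

# Sample input: the first four lines follow the log quoted in the comments,
# the last three are constructed to show a request from another network.
sample_log() {
  cat <<'EOF'
2020/11/11 19:25:26 ossec-authd: INFO: Started (pid: 5558).
2020/11/11 19:25:56 ossec-authd: INFO: New connection from 192.168.188.134
2020/11/11 19:25:56 ossec-authd: INFO: Received request for a new agent (centostest) from: 192.168.188.134
2020/11/11 19:25:56 ossec-authd: INFO: Agent key generated for centostest (requested by 192.168.188.134)
2020/11/11 19:31:02 ossec-authd: INFO: New connection from 10.9.8.7
2020/11/11 19:31:02 ossec-authd: INFO: Received request for a new agent (unknownhost) from: 10.9.8.7
2020/11/11 19:31:02 ossec-authd: INFO: Agent key generated for unknownhost (requested by 10.9.8.7)
EOF
}

# Demo run on the sample. On a server, feed the OSSEC log instead, e.g.
#   audit_authd_log "192.168.188." < /var/ossec/logs/ossec.log
# (log path assumed; adjust to where your ossec-authd messages are written).
sample_log | audit_authd_log "192.168.188."
```

Any UNEXPECTED line is an agent key handed to a host you did not plan to enroll; compare the name against the manage_agents list and remove the entry if it should not be there.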