As I wrote in my previous post about getting OSSEC logs into the ELK stack, I included a part on installing the OSSEC server. Installing the OSSEC agent follows the same procedure that we performed for the OSSEC server. To be honest, I am feeling lazy to write it all again, so here is a link to the previous post – Link.
But this post will be interesting, as we will sync both agent and server automatically without manually entering agent information on the server. To make it easy, here is a script for installing the OSSEC server or agent – Link.
There are two parts to auto-sync: the server-side key and certificate part, and the agent-side sync part.
NOTE: In my case I have used CentOS for both server and agent, so it is tested with CentOS.
Let’s get started.
Let’s cover the server part first. This time I am posting the script first and will explain its parts later.
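    #!/bin/sh
    # Server side: create the key and certificate used by ossec-authd, then start it.

    echo "Install OpenSSL developer package"
    echo
    echo
    yum -y install openssl-devel
    echo
    echo

    echo "Generating RSA key"
    echo
    # Private key for ossec-authd
    openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
    echo
    echo

    echo "Generating Certificate"
    echo
    # Self-signed certificate, valid for 365 days (prompts for the subject fields)
    openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
    echo
    echo

    echo "OSSEC service restart"
    echo
    sudo /var/ossec/bin/ossec-control restart
    echo
    echo

    echo "Enable key sync on port 1515"
    echo
    # Run ossec-authd in the background, listening for agent enrollment on port 1515
    sudo /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
    echo
    echo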
First, it installs the OpenSSL developer package. Then it generates the RSA key and the certificate, restarts the service, and starts ossec-authd on port 1515. That is all on the server side; let’s start with the agent-side sync.
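    #!/bin/sh
    # Agent side: request a key from the server's ossec-authd, then restart the agent.

    echo "Install OpenSSL developer package"
    echo
    echo
    yum -y install openssl-devel
    echo
    echo

    echo "Syncing key with the server"
    echo
    # 192.168.140.130 is the OSSEC server; 1515 is the port ossec-authd listens on
    sudo /var/ossec/bin/agent-auth -m 192.168.140.130 -p 1515
    echo
    echo

    echo "Ossec service restart"
    echo
    sudo /var/ossec/bin/ossec-control restart
    echo
    echo

    # Start the agent at boot and restart it now
    sudo systemctl enable ossec
    sudo systemctl restart ossec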
Here again, we install the OpenSSL developer package. On the agent side, we use the agent-auth module found in the OSSEC installation directory. Restart the OSSEC service and we are good to go. To verify, there is a program called “list-agent” in the OSSEC installation directory.
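As an added example (not part of the original scripts), here is a check you can run on the agent after agent-auth to confirm that the key really was written. It assumes the key ends up in /var/ossec/etc/client.keys as one line of the form "id name ip key" with a 64-character hex key; the function name and return codes are made up for this example.

```shell
#!/bin/sh
# Added example: validate the agent's client.keys after agent-auth has run.
# Assumed entry format (one per line): "<id> <name> <ip|any> <64 hex chars>".
# Usage on the agent: check_client_keys /var/ossec/etc/client.keys

# check_client_keys FILE
# Prints "<id> <name>" for the single valid entry and returns 0.
# Returns 1 if the file is missing or empty, 2 if an entry is malformed,
# 3 if there is not exactly one entry, 4 if the file is world-readable.
check_client_keys() {
    keys_file=$1
    [ -s "$keys_file" ] || return 1

    # The file holds the agent's authentication key; "other" must not read it.
    if [ -n "$(find "$keys_file" -perm -004 2>/dev/null)" ]; then
        return 4
    fi

    count=0
    summary=
    # The "|| [ -n ... ]" part also handles a last line without a newline.
    while read -r id name ip key extra || [ -n "$id" ]; do
        [ -z "$id" ] && continue                 # skip blank lines
        count=$((count + 1))
        [ -z "$extra" ] || return 2              # more than four fields
        case $id in *[!0-9]*) return 2 ;; esac   # id must be numeric
        [ -n "$name" ] && [ -n "$ip" ] || return 2
        [ "${#key}" -eq 64 ] || return 2         # assumed key length
        case $key in *[!0-9a-fA-F]*) return 2 ;; esac
        summary="$id $name"
    done < "$keys_file"

    [ "$count" -eq 1 ] || return 3
    printf '%s\n' "$summary"
}
```

A non-zero result right after agent-auth means the sync did not complete cleanly, so check that before restarting the agent.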
For more help: firstname.lastname@example.org