I couldn’t find proper instructions on doing this anywhere so here are mine:
In your OSSIM portal go to Environment -> Assets & Groups -> Add Assets and enter the name/IP of the asset you want to add.
On the agent run:
yum -y install libevent-devel pcre2-devel openssl-devel
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0/
./install.sh
…select the defaults and type in agent when prompted.
Back in OSSIM go to Environment -> Detection -> Agents -> Add Agent
Find the new asset in the dropdown and click ADD. Next to the new agent there is a picture of a key, click that and copy the long key it shows you.
On the agent run:
/var/ossec/bin/manage_agents
Choose I to import a key, paste the key, then press Q to quit.
Check the file /var/ossec/etc/ossec.conf to make sure it’s monitoring the necessary logs. Then to start the agent run:
/var/ossec/bin/ossec-control start
It can take 10-15 minutes for OSSIM to show the agent as active.
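To make the ossec.conf check above repeatable, here is a small script that lists the log files the agent config monitors and reports any expected ones that are missing. It is an added example, not part of the original instructions or of OSSEC itself; the function names and the sample config are made up for illustration, and it assumes each <location> entry sits on one line, as in the stock ossec.conf.

```shell
#!/bin/sh
# Print every log path listed in a <location> element of the given config.
# XML comments (single-line and multi-line) are dropped first, so disabled
# entries are not counted as monitored.
ossec_monitored_logs() {
    sed -n -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' \
        -e 's:.*<location>[[:space:]]*\([^<]*\)</location>.*:\1:p' "$1"
}

# Print each wanted path (arguments 2..n) that the config (argument 1) does not monitor.
ossec_missing_logs() {
    conf=$1; shift
    monitored=$(ossec_monitored_logs "$conf")
    for want in "$@"; do
        printf '%s\n' "$monitored" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample config for the demo (not taken from a real host).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <!-- <localfile><location>/var/log/maillog</location></localfile> -->
  <!-- disabled:
  <localfile>
    <location>/var/log/httpd/access_log</location>
  </localfile>
  -->
</ossec_config>
EOF

echo "Monitored:"; ossec_monitored_logs "$sample_conf"
echo "Missing:";   ossec_missing_logs "$sample_conf" /var/log/secure /var/log/audit/audit.log
```

On a real agent, pass /var/ossec/etc/ossec.conf as the first argument to ossec_missing_logs, followed by the log paths you expect to be monitored.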
Perfect. Thank you!