Install OSSIM/OSSEC agent (CentOS 7)

I couldn’t find proper instructions on doing this anywhere so here are mine:

In your OSSIM portal go to Environment -> Assets & Groups -> Add Assets and enter the name/IP of the asset you want to add.

On the agent run:

yum -y install libevent-devel pcre2-devel openssl-devel
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0/
./install.sh

Select the defaults, and type agent when prompted.

Back in OSSIM go to Environment -> Detection -> Agents -> Add Agent

Find the new asset in the dropdown and click ADD. Next to the new agent there is a picture of a key; click that and copy the long key it shows you.

On the agent run:

/var/ossec/bin/manage_agents

Choose I to import a key, paste the key, then choose Q to quit.

Check the file /var/ossec/etc/ossec.conf to make sure it’s monitoring the necessary logs. Then to start the agent run:

/var/ossec/bin/ossec-control start

It can take 10-15 minutes for OSSIM to show the agent as active.
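
For the ossec.conf check above, here is an added example (not part of the original post) that lists the log files named in the <localfile> blocks and reports any required path that is absent. The function names, the sample config and the choice of required paths are assumptions for illustration.

```sh
# Added example: list the logs an OSSEC agent config monitors and report gaps.

# Print each <location> inside a <localfile> block. Lines that are part of
# an XML comment are skipped, so commented-out entries do not count.
ossec_monitored_logs() {
    awk '
        /<!--/ { if ($0 !~ /-->/) in_c = 1; next }
        in_c   { if ($0 ~ /-->/) in_c = 0; next }
        /<localfile>/   { in_lf = 1 }
        /<\/localfile>/ { in_lf = 0 }
        in_lf && /<location>/ {
            line = $0
            sub(/.*<location>[ \t]*/, "", line)
            sub(/[ \t]*<\/location>.*/, "", line)
            print line
        }
    ' "$1"
}

# Print each required path (exact match only, no wildcard expansion) that
# is not monitored. Returns 1 if any are missing, 0 otherwise.
ossec_missing_logs() {
    conf=$1; shift
    monitored=$(ossec_monitored_logs "$conf")
    rc=0
    for want in "$@"; do
        printf '%s\n' "$monitored" | grep -Fxq -- "$want" || { echo "$want"; rc=1; }
    done
    return $rc
}

# Constructed sample config for demonstration (not a real host's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <!--
  <localfile><location>/var/log/maillog</location></localfile>
  -->
</ossec_config>
EOF
}
```

On the agent, after sourcing these functions, run ossec_missing_logs /var/ossec/etc/ossec.conf followed by the paths you expect to be monitored, for example /var/log/messages /var/log/secure /var/log/audit/audit.log; no output and exit status 0 means every path is covered.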
