Problem solve Get help with specific problems with your technologies, process and projects.

OSSEC: The server and agent model

Get the benefit of regular alerts and status reports from configuring open source IDS/IPS OSSEC to run as a server and agent model.

OSSEC is an open source host-based IDS/IPS that has two major modes of operation. In my last tip, I discussed how...

to install a stand-alone instance of OSSEC to run on a single machine. In this tip, I will look at OSSEC's other mode of operation -- a server and agent model.

In this mode, a central OSSEC server manages a series of remote OSSEC agents. The agents generate alerts and regular status reports, and these are forwarded to the central server and notifications generated.

More security tips:
Host intrusion detection with OSSEC

Avoiding security blunders in Linux and IT infrastructures

These agents are connected to the server via an encrypted and secured connection that runs on UDP port 1514. The server and agents are encrypted (and authenticated) using a symmetric key that is defined on the server and then exported and copied to the agent. When started, the agents connect and register to the server and send back alerts and log data.

To get started, we need to install a central OSSEC server. This is done using the server-type installation of OSSEC. Follow the steps specified in the first part of this tip using the script.

In step 1 of the installation process, select the server installation method as you can see on the following lines:

1- What kind of installation do you want (server, agent, local or help)? server

 - Server installation chosen.

The remaining portion of the installation process follows the pattern shown in part one of the tip. The server is installed by default into the /var/ossec directory and you will be prompted to configure alerting and the components of OSSEC that will be installed and activated.

With the server installation, there is also an additional option to allow OSSEC to listen on UDP port 514 as a remote syslog daemon and receive incoming syslog entries.

After the installation of the server is complete you can start it, like so:

# /var/ossec/bin/ossec-control start

The server adds and manages agents using the manage_agents command, located in the /var/ossec/bin directory.

# ./manage_agents 

* OSSEC HIDS v0.9-1 Agent manager.       *
* The following options are available:         *
  (A)dd an agent (A).
  (E)xtract key for an agent (E).
  (L)ist already added agents (L).
  (R)emove an agent (R).
Choose your action: A,E,L,R or Q: 

Five options are available in the manage_agents menu. The first option, A, adds an agent. You need to specify a name for the agent (usually the hostname), the IP address of the host and an ID for the agent. The ID is auto-incremented starting from 001 but can be overridden if required.

You can see the dialog for adding an agent below:

- Adding a new agent (use '\\q' to return to the main menu).
 Please provide the following:
  * A name for the new agent: puppy
  * The IP Address of the new agent:
  * An ID for the new agent[001]: 
Agent information:
  IP Address:

Confirm adding it?(y/n): y
Agent added.

Once you've added an agent to the server, you need to use the E option to export the agent key. You will be prompted to select the ID of the agent whose key you wish to export. The key will be displayed and you can copy it. You can see the key exportation process below:

* OSSEC HIDS v0.9-1 Agent manager.    *
* The following options are available: *
  (A)dd an agent (A).
  (E)xtract key for an agent (E).
  (L)ist already added agents (L).
  (R)emove an agent (R).
Choose your action: A,E,L,R or Q: E

Available agents: 
  ID: 001, Name: puppy, IP:
Provide the ID of the agent to extract the key (or '\\q' to quit): 001

Agent key information for '001' is: 

Now that you have the agent's key, you can install OSSEC in agent mode on the remote host. Run the installation script and select the agent option in Step 1.

After the installation is completed, you need to start OSSEC and run the manage_agents command on the remote host to add the key to the agent. Using this command, select option I to import the key; when prompted, paste in the key and confirm the addition of the agent. You can see this process here:

* OSSEC HIDS v0.9-2 Agent manager.    *
* The following options are available: *
  (I)mport key from the server (I).
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\\q' to quit): MDAxIHB1cHB5IDEwLjAuMC4zMSBmYjc2NDY2NmRhNjAyOTA4Y2EwYjQ2NGU4YTE1YTA3NzIyNGM0MzcwZWVkYzkwYTMzOWE2YzM0NTA5ZmJlNjlj

Agent information:
  IP Address:

Confirm adding it?(y/n): y

Once you have added the key to the agent, the connection to the server can be initiated. You need to ensure that any firewall on the agent or between the agent and server allows a connection on UDP port 1514 between the agent and the server. The server will only allow connections on this port from the IP addresses of agents you have added.

You can confirm that the connection has succeeded by reviewing the contents of the /var/ossec/logs/ossec.log log files on the agent and server respectively. Further troubleshooting can be achieved using a command like tcpdump to monitor the traffic flow.

At this stage, the OSSEC server/agent model is relatively simple and consists of reporting and alerting from the agents to the server. Configuration management is still maintained on the local agents and not centrally on the server as is true of many other distributed HIDS/HIPS models.

If you have large numbers of agents I recommend looking at a tool like cfengine or Puppet to centrally manage your agent configuration and rules. These sorts of tools should also aid you in installing and distributing new agents across an enterprise.

This was last published in October 2006

Dig Deeper on Linux servers



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.