Sunday, September 16, 2012

OSSIM hands-on 5: Installing OSSEC agent in a Windows server

Welcome to another OSSIM hands-on practical exercise. In this case we are going to collect Windows events using the OSSEC HIDS agent.

1.- Download the OSSEC agent onto the Windows system:

a) Open a browser and connect to the IP address of the OSSIM server (10.0.0.30)
b) Go to Configuration -> Collection -> Downloads
c) Download the OSSEC agent for Windows

2.- Run the downloaded executable and install the agent following the wizard

a) For the server, use the OSSIM server IP address

3.- Create a new OSSEC key for the agent

a) In the GUI go to Analysis -> Detection -> HIDS
b) Go to Agents (top right corner)
c) Add a new agent
d) Copy the key and import it in the agent

4.- Restart the agent on the Windows server

a) A new Windows service can be found, named ossim-agent
b) Restart the service

5.- Check that the agent is working

a) Log out and log in on the Windows system
b) Check in the GUI that the events have been collected and processed

6.- Troubleshooting

a) Check the OSSEC agent log at C:\Program Files (x86)\ossec-agent\ossec.log
b) Check the OSSEC configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf
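As an added example (not part of the original post), a PowerShell script that automates the checks behind steps 4 and 6: it verifies the agent service is running, that ossec.conf points at the OSSIM server, that the key from step 3 was imported, and surfaces recent WARN/ERROR lines from ossec.log. It assumes the install path given above, the service name from step 4 (adjust it if services.msc shows a different name), and that the imported key lands in client.keys in the agent directory.

```powershell
# Added example, not code from the original post. Sanity-check an OSSEC agent
# on Windows after following steps 1-5. Paths come from step 6; the service
# name follows step 4 and may need adjusting to what services.msc shows.
param(
    [string]$OssimServer = "10.0.0.30",   # OSSIM server IP used in step 1a
    [string]$ServiceName = "ossim-agent", # service name from step 4a (assumption)
    [string]$AgentDir    = "C:\Program Files (x86)\ossec-agent"
)

$ok = $true

# 1. Is the agent service present and running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check the name in services.msc"
    $ok = $false
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$ServiceName' is $($svc.Status); restart it (step 4b)"
    $ok = $false
}

# 2. Does ossec.conf point at the OSSIM server? The agent reads the manager
#    address from <client><server-ip>...</server-ip></client>; a regex is used
#    instead of [xml] so comments or extra root blocks in the file do not matter.
$confPath = Join-Path $AgentDir 'ossec.conf'
$m = Select-String -Path $confPath -Pattern '<server-ip>\s*([^<\s]+)\s*</server-ip>'
$serverIp = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
if ($serverIp -ne $OssimServer) {
    Write-Warning "ossec.conf server-ip is '$serverIp', expected '$OssimServer' (step 2a)"
    $ok = $false
}

# 3. Was the key from step 3d imported? (assumption: it is stored in client.keys)
$keys = Join-Path $AgentDir 'client.keys'
if (-not (Test-Path $keys) -or (Get-Item $keys).Length -eq 0) {
    Write-Warning "client.keys missing or empty; import the key from the OSSIM GUI (step 3)"
    $ok = $false
}

# 4. Show the most recent WARN/ERROR lines from ossec.log (step 6a)
Get-Content (Join-Path $AgentDir 'ossec.log') -Tail 200 |
    Where-Object { $_ -match 'ERROR|WARN' } |
    Select-Object -Last 10

if ($ok) { "Basic checks passed; log out and back in (step 5) and watch the OSSIM GUI." }
```

Run it from an elevated PowerShell prompt on the Windows server, since the agent directory under Program Files is not readable by every account.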

19 comments:

  1. Hi Santi,
    we need the OSSEC Agent for Windows 64 bit (Windows Server 2008 R2).
    Where can we get these or how can we compile them ourselves?
    Thanks in advance.
    Many greetings

    Michael

    Replies
    1. Hi Michael,

      sorry for my late answer. In our current OSSIM version you should be able to use the automatic deployment option in the interface.

      This option will use netbios to copy the agent and winexe to run the installation remotely (careful because it doesn't work on Windows 2012 or Windows 8).

      On the other hand, if you compile it yourself it should work as well (with the proper server and key configuration).

  2. Hi Santi.
    I have a problem with the Windows agent 2.8.1.
    I see modified files and system events but I don't see changes in the Windows registry.
    I am using the default config and testing in "winlogon".

    Can you help me???

    Thanks in advance.
    Many greetings, Sergio.

    Replies
    1. Hi Sergio,

      we have not integrated agent 2.8.1 in OSSIM yet. This will probably be ready in the next month. In any case it looks like most of it is working for you. If you need further help send me an email with more details.

      Best

  3. hello!
    OSSEC 2.7.1 cannot read security logs from Windows 2012 R2. In the OSSEC logs it is OK, but no events are sent to the server.
