1.-Accepting remote commandsFirst step is to configure the agent logcollector option to accept remote commands from the manager. That can be done editing "internal_options.conf" file (usually located at "C:\Program Files(x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1.
Once we have save this change, we just need to restart the agent for it to be applied.
# Logcollector - If it should accept remote commands from the manager logcollector.remote_commands=1
2.- Specifying the command to list running processesThis is a configuration that can be done both at the agent or at the manager (using the shared directory). It only depends on how many agents you want this command to be used. In my case I decided to edit "/var/ossec/etc/shared/agent.conf" configuration file, and have these settings pushed to my windows agents.
The command I used to list processes in Windows like Operating Systems is "tasklist". There are other options like using wmic, but this one looked good enough to me. For Unix systems you might want to use "ps".
<agent_config os="windows"> <localfile> <log_format>full_command</log_format> <command>tasklist</command> <frequency>60</frequency> </localfile> </agent_config>
On the other hand, notice that under log_format I choiced "full_command". This is because I want my OSSEC rules to be able to parse the whole command output, instead of parsing the output one line at a time.
At last, the frequency defines how often, in seconds, will this command be run. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that can be generated in the system by running commands too often.
3.- Creating local rulesIn this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name.
The first rule (id "100050") will trigger a level "7" alert every time tasklist command is executed, unless (as defined in rule "100051") the output matches the string "wordpad.exe". If this is the case the alert level is set to "0", meaning that that no alert would be triggered.
<rule id="100050" level="7"> <if_sid>530</if_sid> <match>^ossec: output: 'tasklist'</match> <description>Critical process not found.</description> <group>process_monitor,</group> </rule> <rule id="100051" level="0"> <if_sid>100050</if_sid> <match>wordpad.exe</match> <description>Processes running as expected</description> <group>process_monitor,</group> </rule>
Now we just need to save these changes and restart the manager for them to be applied. We can do that running "ossec-control restart" command.
4.- Testing our configurationIn order to test the configuration it is good to enable OSSEC "logall" option, so we can see the output of tasklist in archives.log everytime it is executed. See below an example (I cut some lines for brevity).
And, once wordpad.exe process is stopped. An alert like this is triggered as expected. We can see it in "/var/ossec/logs/alerts/alerts.log" file.
2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist': Image Name PID Session Name Session# Mem Usage ========================= ======== ================ =========== ============ System Idle Process 0 Services 0 4 K System 4 Services 0 284 K smss.exe 328 Services 0 1,060 K csrss.exe 484 Services 0 3,584 K ... ... ... notepad.exe 1596 RDP-Tcp#37 2 14,500 K win32ui.exe 828 RDP-Tcp#37 2 6,088 K ossec-agent.exe 3060 Services 0 5,576 K notepad.exe 2276 RDP-Tcp#37 2 12,076 K wordpad.exe 368 RDP-Tcp#37 2 27,780 K cmd.exe 780 Services 0 2,692 K conhost.exe 1304 Services 0 3,044 K tasklist.exe 1692 Services 0 5,668 K
Of course, using email alert option and the above configuration, you can automatically be notified if one of your critical processes stopped running.
** Alert 1438997816.32112781: mail - local,syslog,process_monitor, 2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist Rule: 100050 (level 7) -> 'Critical process not found.' ossec: output: 'tasklist': Image Name PID Session Name Session# Mem Usage ========================= ======== ================ =========== ============ System Idle Process 0 Services 0 4 K System 4 Services 0 284 K smss.exe 328 Services 0 1,060 K csrss.exe 484 Services 0 3,584 K ... ...
And that is all. I hope you enjoyed the tutorial and found it useful.