1.-Accepting remote commands
First step is to configure the agent logcollector option to accept remote commands from the manager. That can be done editing "internal_options.conf" file (usually located at "C:\Program Files(x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1.# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1
Once we have save this change, we just need to restart the agent for it to be applied.2.- Specifying the command to list running processes
This is a configuration that can be done both at the agent or at the manager (using the shared directory). It only depends on how many agents you want this command to be used. In my case I decided to edit "/var/ossec/etc/shared/agent.conf" configuration file, and have these settings pushed to my windows agents.<agent_config os="windows">
<localfile>
<log_format>full_command</log_format>
<command>tasklist</command>
<frequency>60</frequency>
</localfile>
</agent_config>
The command I used to list processes in Windows like Operating Systems is "tasklist". There are other options like using wmic, but this one looked good enough to me. For Unix systems you might want to use "ps". On the other hand, notice that under log_format I choiced "full_command". This is because I want my OSSEC rules to be able to parse the whole command output, instead of parsing the output one line at a time.
At last, the frequency defines how often, in seconds, will this command be run. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that can be generated in the system by running commands too often.
3.- Creating local rules
In this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name.<rule id="100050" level="7">
<if_sid>530</if_sid>
<match>^ossec: output: 'tasklist'</match>
<description>Critical process not found.</description>
<group>process_monitor,</group>
</rule>
<rule id="100051" level="0">
<if_sid>100050</if_sid>
<match>wordpad.exe</match>
<description>Processes running as expected</description>
<group>process_monitor,</group>
</rule>
The first rule (id "100050") will trigger a level "7" alert every time tasklist command is executed, unless (as defined in rule "100051") the output matches the string "wordpad.exe". If this is the case the alert level is set to "0", meaning that that no alert would be triggered.Now we just need to save these changes and restart the manager for them to be applied. We can do that running "ossec-control restart" command.
4.- Testing our configuration
In order to test the configuration it is good to enable OSSEC "logall" option, so we can see the output of tasklist in archives.log everytime it is executed. See below an example (I cut some lines for brevity).2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist':
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 4 K
System 4 Services 0 284 K
smss.exe 328 Services 0 1,060 K
csrss.exe 484 Services 0 3,584 K
...
...
...
notepad.exe 1596 RDP-Tcp#37 2 14,500 K
win32ui.exe 828 RDP-Tcp#37 2 6,088 K
ossec-agent.exe 3060 Services 0 5,576 K
notepad.exe 2276 RDP-Tcp#37 2 12,076 K
wordpad.exe 368 RDP-Tcp#37 2 27,780 K
cmd.exe 780 Services 0 2,692 K
conhost.exe 1304 Services 0 3,044 K
tasklist.exe 1692 Services 0 5,668 K
And, once wordpad.exe process is stopped. An alert like this is triggered as expected. We can see it in "/var/ossec/logs/alerts/alerts.log" file.
** Alert 1438997816.32112781: mail - local,syslog,process_monitor,
2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
Rule: 100050 (level 7) -> 'Critical process not found.'
ossec: output: 'tasklist':
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 4 K
System 4 Services 0 284 K
smss.exe 328 Services 0 1,060 K
csrss.exe 484 Services 0 3,584 K
...
...
Of course, using email alert option and the above configuration, you can automatically be notified if one of your critical processes stopped running.And that is all. I hope you enjoyed the tutorial and found it useful.