7-OSSEC HIDS

Source

Today I will show you how to install the OSSEC HIDS server on Ubuntu 20.04 and the OSSEC agent on Windows machines.
I used the sources listed below.

Requirements

Prerequisites

  • Update the package index and upgrade installed packages
sudo apt update && sudo apt upgrade
  • Install the build tools, the Apache/PHP stack and the other dependencies (git is needed later to clone the web UI)
sudo apt install -y php php-cli php-common libapache2-mod-php apache2-utils sendmail inotify-tools apache2 build-essential gcc make wget tar zlib1g-dev libpcre2-dev libpcre3-dev unzip libz-dev libssl-dev libevent-dev git
  • Enable and start Apache, enable mod_rewrite, then restart Apache
sudo systemctl enable apache2
sudo systemctl start apache2
sudo a2enmod rewrite
sudo systemctl restart apache2

OSSEC Install

OSSEC Server Install

  • Download the 3.6.0 release from GitHub and unpack it
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
sudo tar -xvzf 3.6.0.tar.gz
  • Run the OSSEC server installer
sudo ossec-hids-3.6.0/install.sh
  • Answer the installer prompts as follows
    • Language: en
    • What kind of installation do you want: hybrid
    • Choose where to install the OSSEC HIDS: <press Enter for the default, /var/ossec>
    • Do you want e-mail notification: n
    • Do you want to run the integrity check daemon: y
    • Do you want to run the rootkit detection engine: y
    • Do you want to enable active response: y
    • Do you want to enable the firewall-drop response: y
    • Do you want to add more IPs to the white list: n
    • Do you want to enable remote syslog (port 514 udp): y
    • Press Enter to start the install
    • What's the IP address or hostname of the OSSEC HIDS server?: <the IP of your server>
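The answers above are written into /var/ossec/etc/ossec.conf by the installer. The following is an added example, not part of the original post: a small POSIX shell audit that checks a config file for the features chosen above (syscheck, rootcheck, the firewall-drop active response, the secure agent channel and remote syslog). The sample config it runs on is constructed to resemble the installer's output; on a real server pass /var/ossec/etc/ossec.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ossec.conf for the
# features selected in the installer prompts.  Usage on a real server:
#   audit_ossec_conf /var/ossec/etc/ossec.conf

# audit_ossec_conf FILE -> prints one line per feature, returns the number
# of features that are missing (0 means everything selected is present)
audit_ossec_conf() {
    conf="$1"
    missing=0
    # Each line below is "label|tag that must appear in the config"
    while IFS='|' read -r label pattern; do
        [ -n "$label" ] || continue
        if grep -q -F -- "$pattern" "$conf"; then
            echo "ok      $label"
        else
            echo "MISSING $label"
            missing=$((missing + 1))
        fi
    done <<EOF
integrity check daemon (syscheck)|<syscheck>
rootkit detection engine (rootcheck)|<rootcheck>
active response: firewall-drop|<command>firewall-drop</command>
agent channel (secure, 1514/udp)|<connection>secure</connection>
remote syslog (514/udp)|<connection>syslog</connection>
EOF
    return "$missing"
}

# Constructed sample modelled on what install.sh writes for the answers above
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF

audit_ossec_conf "$SAMPLE_CONF"   # prints an "ok" line for each feature, returns 0
```

Because the return value is the count of missing features, the function can be used directly in a post-install check (`audit_ossec_conf /var/ossec/etc/ossec.conf || echo "config differs from the chosen options"`).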

Installing the Web User Interface

cd /tmp/
sudo git clone https://github.com/ossec/ossec-wui.git
sudo mv /tmp/ossec-wui /var/www/html
cd /var/www/html/ossec-wui
sudo ./setup.sh
  • Enter the following configuration
    • Username: <username for the web interface>
    • Password: <password for the web interface>
    • Enter your web server user name: www-data
  • Set the permissions
sudo chown -R www-data:www-data /var/www/html/ossec-wui/
sudo chmod -R 755 /var/www/html/ossec-wui/
  • Restart Apache
sudo systemctl restart apache2

  • Open the OSSEC web interface at http://<ip of server>/ossec-wui

Adding an OSSEC Agent

Configure on OSSEC Server

  • Open port 1514 (agent traffic, UDP) on the firewall
sudo ufw allow 1514
  • Add the agent on the server
sudo /var/ossec/bin/manage_agents
  • Follow these prompts
    • Choose your action: A
    • A name for new agent: <Name of the agent>
    • The IP Address of the new agent: <IP of the agent machine>
    • An ID for new agent: <ID of the agent>
    • Confirm adding it: y
    • Extract the key from OSSEC server:
      • Choose your action: E
      • Provide the ID of the agent to extract the key: <ID of the agent>
    • Copy the key to the agent machine
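The string that manage_agents prints for action "E" is the agent's client.keys line ("ID NAME IP KEY") in base64. As an added example (not part of the original post), the shell functions below decode such a string and confirm it was issued for the agent you intended, which is worth doing before pasting it into the agent manager on the Windows machine. The sample key is constructed, not a real agent key.

```shell
#!/bin/sh
# Added example (not from the original post): decode and sanity-check the
# key string exported by "manage_agents" action E before copying it to the
# agent machine.

# ossec_key_fields KEY -> prints "ID NAME IP" on stdout, returns 1 if the
# string is not a well-formed exported agent key
ossec_key_fields() {
    decoded="$(printf '%s' "$1" | base64 -d 2>/dev/null)" || return 1
    # shellcheck disable=SC2086  (word splitting into the four fields is intended)
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    # ID is numeric, IP is dotted-quad (optionally with a mask) or "any",
    # and the shared secret is 64 hex characters
    echo "$1" | grep -Eq '^[0-9]+$' || return 1
    echo "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]+)?$|^any$' || return 1
    echo "$4" | grep -Eq '^[0-9a-f]{64}$' || return 1
    echo "$1 $2 $3"
}

# ossec_key_matches KEY ID NAME IP -> 0 only if the key was issued for that agent
ossec_key_matches() {
    fields="$(ossec_key_fields "$1")" || return 1
    [ "$fields" = "$2 $3 $4" ]
}

# Constructed sample: what manage_agents would export for agent 001
SAMPLE_SECRET="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_KEY="$(printf '%s' "001 win-agent01 192.168.1.50 $SAMPLE_SECRET" | base64 | tr -d '\n')"

ossec_key_fields "$SAMPLE_KEY"        # prints: 001 win-agent01 192.168.1.50
ossec_key_matches "$SAMPLE_KEY" 001 win-agent01 192.168.1.50 && echo "key matches agent 001"
```

Run `ossec_key_fields "<pasted key>"` on the server after exporting; if the IP it prints is not the address the Windows machine will connect from, the server will reject the agent, and that mismatch is easier to spot here than in the agent log.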

Configure on Agent Machine

  • Download OSSEC agent installer through this link: https://www.ossec.net/download-ossec/
  • Install the agent as Administrator
  • Run OSSEC Agent Manager
  • Fill in the info
    • OSSEC Server IP: <IP of the OSSEC Server>
    • Authentication Key: <the key we extracted above>
    • Click Save
    • Click Manage -> Start OSSEC

Testing OSSEC Service

  • Go to the OSSEC web interface; you will see logs from the new agent

Fixing errors

Can't see the new agent after connecting

  • Check that the server firewall allows the correct port
  • Restart the OSSEC control on the server by running
sudo /var/ossec/bin/ossec-control restart
  • Restart the OSSEC agent via Manage -> Restart
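As an added example (not part of the original post), the script below turns the checks above into shell functions that read command output on stdin, so the same logic can be tried on the constructed samples in the script or fed the live output of `ufw status` and `/var/ossec/bin/agent_control -l` on the server. The agent names, IPs and the shape of the sample output are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose an agent that does
# not show up after connecting.  Live use on the server:
#   ufw status | ufw_allows_port 1514
#   /var/ossec/bin/agent_control -l | ossec_agent_status win-agent01

# ufw_allows_port PORT  <ufw status output>  -> 0 if PORT (or PORT/udp) is ALLOWed
ufw_allows_port() {
    awk -v port="$1" '
        ($1 == port || $1 == port "/udp") && $2 == "ALLOW" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# ossec_agent_status NAME  <agent_control -l output>  -> prints the agent state
# ("Active", "Disconnected", "Never connected"); returns 1 if NAME is not listed
ossec_agent_status() {
    awk -v name="$1" -F', ' '
        $2 == ("Name: " name) { print $NF; found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose_agent NAME UFW_OUTPUT AGENT_LIST -> prints findings and returns the
# number of problems found (0 means port open and agent Active)
diagnose_agent() {
    name="$1"; ufw_out="$2"; agents="$3"; problems=0
    if printf '%s\n' "$ufw_out" | ufw_allows_port 1514; then
        echo "firewall: 1514 allowed"
    else
        echo "firewall: 1514 not allowed (sudo ufw allow 1514)"
        problems=$((problems + 1))
    fi
    state="$(printf '%s\n' "$agents" | ossec_agent_status "$name")" || state="not registered"
    echo "agent $name: $state"
    case "$state" in
        Active*) ;;
        "Never connected")
            echo "  -> check the key and server IP on the agent, then Manage -> Start OSSEC"
            problems=$((problems + 1)) ;;
        *)
            echo "  -> sudo /var/ossec/bin/ossec-control restart, then Manage -> Restart on the agent"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed samples in the shape of the two commands' output
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1514                       ALLOW       Anywhere'

SAMPLE_AGENTS='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: win-agent01, IP: 192.168.1.50, Never connected
   ID: 002, Name: win-agent02, IP: 192.168.1.51, Active'

diagnose_agent win-agent02 "$SAMPLE_UFW" "$SAMPLE_AGENTS"   # port open, Active: returns 0
diagnose_agent win-agent01 "$SAMPLE_UFW" "$SAMPLE_AGENTS"   # Never connected: returns 1
```

"Never connected" means the server has a key for the agent but has never received a valid message from it, so the problem is on the path from the agent (wrong key, wrong server IP, blocked port, agent not started); "Disconnected" means it once worked, which is when the restart steps above apply.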