ossec installation

Official manual: http://ossec-docs.readthedocs.org/en/latest/


1. server and agent:

# yum install mysql-devel postgresql-devel

# wget -q -O - http://www.atomicorp.com/installers/atomic | sh


2. server:

# yum install ossec-hids ossec-hids-server

# /var/ossec/bin/manage_agents

     Adjust iptables to open UDP port 1514.

Add an agent:

(screenshot: adding an agent in manage_agents)

Enter the hostname and IP as prompted; the ID can be left at its default. The first time an agent is added, the server must be restarted:

                     /var/ossec/bin/ossec-control restart

The agent build provides an interface for importing keys; generate the agent's key on the server as follows:

(screenshot: extracting the agent key in manage_agents)


3. agent:

    # yum install ossec-hids-client -y

    # /var/ossec/bin/manage_client

(screenshot: importing the key in manage_client)

Enter the key generated on the server, then restart the agent: /var/ossec/bin/ossec-control restart

   Check the log: tail -f /var/ossec/logs/ossec.log


4. The key can also be added automatically (ossec-authd):

server:

Open port 1515 in iptables

# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048

# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &

List active agents:

# /var/ossec/bin/agent_control -lc

agent:

# /var/ossec/bin/agent-auth -m 192.168.1.12 -p 1515


5. Web interface installation:

# yum -y install ossec-wui.noarch

# service httpd start

Log in to the web interface at http://IP/ossec (username and password: ossec)

 Web interface time zone setting: # vi /etc/httpd/conf.d/ossec.conf

              add: php_value date.timezone Asia/Shanghai



Removing stale agents:

    1) /var/ossec/bin/manage_agents  -->  r -- choose the ID to remove

    2) remove the agent's entries under the following directories:

      /var/ossec/queue/rootcheck/

      /var/ossec/queue/agent-info/

      /var/ossec/queue/diff/
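Step 2 above is done by hand in the notes. The script below is an added example (not from the original notes or the OSSEC project) that removes a named agent's leftover queue entries; the file-name patterns agent-info/<name>-<ip>, rootcheck/(<name>) <ip>->rootcheck and diff/<name>/ are assumed from the OSSEC 2.x layout, and the OSSEC directory, agent name and IP are parameters so the function can be exercised against a constructed tree before being pointed at /var/ossec.

```shell
#!/bin/sh
# Added example, not part of the original notes: after an agent has been
# removed with manage_agents, clear the queue files it left behind (step 2).
# The file-name patterns agent-info/<name>-<ip>, rootcheck/(<name>) <ip>->rootcheck
# and diff/<name>/ are assumed from the OSSEC 2.x layout; the OSSEC directory is
# a parameter so the function can be tried against a constructed tree first.

# purge_agent_queue <ossec_dir> <agent_name> <agent_ip>
# Removes the agent's leftover queue entries, reports each on stderr and
# prints the number of entries removed on stdout.
purge_agent_queue() {
    base=$1; name=$2; ip=$3
    removed=0
    for path in \
        "$base/queue/agent-info/$name-$ip" \
        "$base/queue/rootcheck/($name) $ip->rootcheck" \
        "$base/queue/diff/$name"
    do
        if [ -e "$path" ]; then
            echo "removing $path" >&2
            rm -rf "$path"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Constructed demo tree standing in for /var/ossec (agent name and IP are made up).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/queue/agent-info" "$DEMO/queue/rootcheck" "$DEMO/queue/diff/web01"
: > "$DEMO/queue/agent-info/web01-192.168.1.13"
: > "$DEMO/queue/rootcheck/(web01) 192.168.1.13->rootcheck"

n=$(purge_agent_queue "$DEMO" web01 192.168.1.13)
echo "removed $n entries for web01"
rm -rf "$DEMO"
```

Run it against the real tree as `purge_agent_queue /var/ossec <name> <ip>` only after the ID has been removed in manage_agents; a second run on the same agent reports 0, which is a cheap way to confirm nothing was left behind.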


chkconfig  --list  ossec-hids   -- the service is enabled at boot by default



-----------------


1. /var/ossec/etc/client.keys   make sure the IP in it matches the local IP
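A small check for that troubleshooting point, added here as an example that is not part of the original notes: it reads a client.keys file (OSSEC's "<ID> <NAME> <IP or any> <KEY>" line format) and reports whether any entry carries the host's IP. The sample file, host name, IPs and key value are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that the agent's client.keys
# entry carries this host's IP. The line format "<ID> <NAME> <IP or any> <KEY>" is
# OSSEC's; the sample file, host name, IPs and key value below are constructed.

# client_key_matches <keys_file> <local_ip>
# Returns 0 if some entry's IP field equals <local_ip> or is "any", else 1.
client_key_matches() {
    keys_file=$1; local_ip=$2
    while read -r id name ip key; do
        [ -z "$id" ] && continue               # skip blank lines
        case "$id" in '#'*) continue ;; esac   # skip commented-out entries
        if [ "$ip" = "$local_ip" ] || [ "$ip" = "any" ]; then
            return 0
        fi
    done < "$keys_file"
    return 1
}

# Constructed sample client.keys; the key value is a dummy, not a real key.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
001 web01 192.168.1.13 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF

# Compare the file against two candidate local IPs (constructed).
for candidate in 192.168.1.13 10.0.0.5; do
    if client_key_matches "$SAMPLE" "$candidate"; then
        echo "$candidate: client.keys has a matching entry"
    else
        echo "$candidate: no matching entry in client.keys; fix the key before restarting the agent" >&2
    fi
done
rm -f "$SAMPLE"
```

On a real agent, call it as `client_key_matches /var/ossec/etc/client.keys <local ip>`; a mismatch here is the usual reason the agent shows up as never connected in agent_control -lc.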