
OSSEC windows agent configuration


I am getting started with OSSEC and I want to configure a Windows agent. I have followed the documentation and this. My server is an Ubuntu VM and I want to have a Windows agent.

This is the output of active agents.

vm:/var/ossec/etc# /var/ossec/bin/list_agents -c

** No agent available.

vm:~/ossec-hids-3.2.0# tcpdump -i ens3 src 192.168.8.69

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

13:44:30.979244 IP 192.168.8.69.55341 > 10.0.0.4.ssh: Flags [.], ack 1445060350, win 16319, length 0

This is the list of already added agents.

Available agents: ID: 003, Name: WindowsAgent, IP: 192.168.8.69

And here is my Windows agent manager.

[screenshot: Windows agent manager]

On the server side I have dropped the firewall.

Should I maybe drop the firewall on the client side as well? Also, I am not so sure about the server-side IP address, but that is the output from ifconfig.


Solution

  • I made a mistake assuming that the ifconfig IP is the one I should be connecting to. My server is on the VM, which I connect to via SSH at a given IP, and this IP is the OSSEC server IP.

    Here is the command to check whether the port 1514 is used.

    tcpdump -i ens3 -nn host 192.168.8.69 and port 1514

    It shows whether you are using a specific port.

    Also, I advise checking ossec.log in the ossec-agent folder.
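Added example, not part of the question or the answer above: a small POSIX shell helper that reads `tcpdump -nn` lines such as the ones produced by the filter in the answer and reports whether the agent ever reached the server on UDP 1514 and whether the server answered. The capture lines and IPs are constructed from the ones in the question, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample capture in "tcpdump -nn" format (not real traffic).
# Line 1 is SSH noise like in the question; lines 2-3 are OSSEC agent<->server on UDP 1514.
SAMPLE_CAPTURE='13:44:30.979244 IP 192.168.8.69.55341 > 10.0.0.4.22: Flags [.], ack 1445060350, win 16319, length 0
13:44:31.102311 IP 192.168.8.69.52114 > 10.0.0.4.1514: UDP, length 96
13:44:31.103877 IP 10.0.0.4.1514 > 192.168.8.69.52114: UDP, length 48'

# ossec_classify_line AGENT_IP SERVER_IP LINE
# Prints "to-server" for agent -> server:1514 UDP, "from-server" for the reply, "other" otherwise.
ossec_classify_line() {
  agent=$1; server=$2; line=$3
  case "$line" in
    *"IP $agent."*" > $server.1514: UDP"*) echo to-server ;;
    *"IP $server.1514 > $agent."*": UDP"*) echo from-server ;;
    *) echo other ;;
  esac
}

# ossec_diagnose AGENT_IP SERVER_IP  (capture on stdin)
# Prints one verdict:
#   no-agent-traffic : agent never sent to server:1514 (wrong server IP in the agent, or blocked on the agent side)
#   no-server-reply  : server received packets but never answered (agent not registered, ossec-remoted down, or server firewall)
#   ok               : traffic in both directions
ossec_diagnose() {
  agent=$1; server=$2; to=0; from=0
  while IFS= read -r line; do
    case "$(ossec_classify_line "$agent" "$server" "$line")" in
      to-server)   to=$((to + 1)) ;;
      from-server) from=$((from + 1)) ;;
    esac
  done
  if [ "$to" -eq 0 ]; then
    echo no-agent-traffic
  elif [ "$from" -eq 0 ]; then
    echo no-server-reply
  else
    echo ok
  fi
}

# Usage with the constructed sample; with a live box you would pipe in:
#   tcpdump -i ens3 -nn -l host 192.168.8.69 and port 1514
printf '%s\n' "$SAMPLE_CAPTURE" | ossec_diagnose 192.168.8.69 10.0.0.4
```

Note that the SSH line from the question is classified as "other": seeing it in a capture does not show that OSSEC traffic is flowing.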