How to setup Ossec with Ubuntu server at AWS and local windows clients

Support/Development for OSSEC
senrabdet
New Forum User
Posts: 2
Joined: Wed Nov 16, 2022 2:51 pm

How to setup Ossec with Ubuntu server at AWS and local windows clients

Unread post by senrabdet »

Hi All,

I am new to OSSEC and this forum. I'm hoping to find a good "how to" link that covers how I am trying to set up my OSSEC implementation (I may be missing this particular setup in the documentation, and if so, I apologize):
- ubuntu server at aws with a static IP
- primarily windows boxes as clients with dynamic IPs that are behind a firewall

So the server is in the cloud at AWS, with "client" machines at different physical locations (where clients have different WAN ips--some static, some not--& dynamic PC LAN ips) behind firewalls.

I think I've got Ossec running on the server and the Ossec agent on a couple of test clients.

In particular,
1) on the server side, in agent setup if I input each client's dynamic LAN IPs of the windows boxes and generate their keys, and then on the windows client side input the key generated from the server and cloud server's static IP, will this work? Is it that simple? And will it be stable? Do I need to forward any ports on the firewall that I've opened up on the ubuntu server (514)?

One concern here is whether I am on the wrong track with the client LAN IPs; if not, the clients' LAN IPs will change over time, and I am concerned that even if things work initially, client dynamic IPs will be a problem, and it's probably impractical to assign all of the clients static LAN IPs.

2) I'm looking for examples of "bad", i.e., examples of messages OSSEC would generate if a machine has been compromised (I don't think ours have yet, but what would I look for in my email messages?). My understanding is that in the config I can choose levels of what types of messages I might get, and that I may not get any if everything is OK, but I would still like examples of what messages for a compromised machine might look like.

THX
cponton
Atomicorp Staff - Site Admin
Posts: 61
Joined: Fri Oct 09, 2020 9:41 am

Re: How to setup Ossec with Ubuntu server at AWS and local windows clients

Unread post by cponton »

For your first question, it is best not to tie an IP to an agent key and OSSEC will not default to that option. The server is never going to see the LAN IP at all and some of yours are dynamic.

For your second question, most of the OSSEC rules with regards to breaches will be labeled as a level 7 rule or higher. You can see a list of rule classifications here: https://www.ossec.net/docs/docs/manual/ ... ules-group

You can see a comprehensive list of the rules in /var/ossec/ruleset
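As an added illustration of the level threshold cponton points to (example code written for this page, not from the thread or the OSSEC project): a small Python parser for the manager's alerts.log that keeps only alerts at level 7 or higher, so a reader can see which records would qualify as "bad". The sample records are constructed; the rule ids, agent names and event text are sample values, and the record layout follows the standard alerts.log format.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts.log records (not from the thread); rule ids, agent
# names and event text are sample values laid out in the alerts.log format.
SAMPLE_ALERTS = """\
** Alert 1668614400.1001: - windows,authentication_failed,
2022 Nov 16 16:00:00 (win-client-01) any->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): sample logon failure

** Alert 1668614460.1002: mail  - windows,authentication_failures,
2022 Nov 16 16:01:00 (win-client-01) any->WinEvtLog
Rule: 18152 (level 10) -> 'Multiple Windows Logon Failures.'
WinEvtLog: Security: AUDIT_FAILURE(4625): sample logon failure

** Alert 1668614520.1003: mail  - syslog,sshd,authentication_failures,
2022 Nov 16 16:02:00 ossec-server->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Nov 16 16:02:00 ossec-server sshd[2222]: Failed password for invalid user admin
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: (?:mail\s+)?- (.*)$", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)
AGENT_RE = re.compile(r"^\d{4} \w{3} \d{2} [\d:]{8} \((.*?)\) \S+->", re.M)

@dataclass
class Alert:
    timestamp: int
    agent: str        # agent name, or "server" for alerts raised on the manager itself
    rule_id: int
    level: int
    description: str
    groups: tuple     # rule groups from the header line, e.g. ("syslog", "sshd")

def parse_alerts(text):
    """Split alerts.log text into records and pull out the fields worth triaging."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        head, rule = HEADER_RE.search(record), RULE_RE.search(record)
        if not (head and rule):
            continue  # not a complete record (e.g. a truncated tail)
        agent = AGENT_RE.search(record)
        groups = tuple(g for g in head.group(2).split(",") if g)
        alerts.append(Alert(int(head.group(1)), agent.group(1) if agent else "server",
                            int(rule.group(1)), int(rule.group(2)), rule.group(3), groups))
    return alerts

def high_severity(alerts, threshold=7):
    # Level 7 is the floor the reply gives for breach-type rules.
    return [a for a in alerts if a.level >= threshold]
```

Running `high_severity(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()))` on the manager gives the same filtered view over the real log.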