How to setup Ossec with Ubuntu server at AWS and local windows clients

Posted: Wed Nov 16, 2022 5:08 pm
by senrabdet
Hi All,

Am new to OSSEC and this forum. I'm hoping to find a good "how to" link that covers how I am trying to set up my OSSEC implementation (I may be missing this particular setup in the documentation and if so, apologize):
- Ubuntu server at AWS with a static IP
- primarily Windows boxes as clients with dynamic IPs that are behind a firewall

So the server is in the cloud at AWS, with "client" machines at different physical locations (where clients have different WAN IPs, some static, some not, and dynamic PC LAN IPs) behind firewalls.

I think I've got OSSEC running on the server and the OSSEC agent on a couple of test clients.

In particular,
1) On the server side, in agent setup, if I input each client's dynamic LAN IP of the Windows boxes and generate their keys, and then on the Windows client side input the key generated from the server and the cloud server's static IP, will this work? Is it that simple? And will it be stable? Do I need to forward any ports on the firewall that I've opened up on the Ubuntu server (514)?

One concern here is whether I am on the wrong track with the client LAN IPs; and if not, the clients' LAN IPs will change over time. I am concerned that even if things work initially, client dynamic IPs will be a problem, and it's probably impractical to assign all of the clients static LAN IPs.

2) I'm looking for examples of "bad", i.e., examples of messages OSSEC would generate if a machine has been compromised (I don't think ours have yet, but what would I look for in my email messages). My understanding is that in the config I can choose levels of what types of messages I might get, and that I may not get any if everything is OK, but I would still like examples of what messages for a compromised machine might look like.

THX

Re: How to setup Ossec with Ubuntu server at AWS and local windows clients

Posted: Mon Dec 05, 2022 3:45 pm
by cponton
For your first question, it is best not to tie an IP to an agent key and OSSEC will not default to that option. The server is never going to see the LAN IP at all and some of yours are dynamic.

For your second question, most of the OSSEC rules with regard to breaches will be labeled as a level 7 rule or higher. You can see a list of rule classifications here: https://www.ossec.net/docs/docs/manual/ ... ules-group

You can see a comprehensive list of the rules in /var/ossec/ruleset
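To make the "level 7 or higher" threshold concrete, here is an added example (not code from this thread or from the OSSEC project) that parses entries in the format OSSEC writes to /var/ossec/logs/alerts/alerts.log and keeps only the alerts at or above a chosen level. The three sample entries are constructed for this example: a single failed SSH login (level 5, below the threshold), an SSH brute-force alert (level 10), and a syscheck file-integrity change reported by a Windows agent (level 7). The agent names, IPs and timestamps are made up; the rule IDs 5716, 5712 and 550 are standard OSSEC rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout OSSEC uses for alerts.log entries:
# a "** Alert" header, a timestamp/agent line, a "Rule:" line, then details.
SAMPLE_ALERTS = """** Alert 1668600000.1234: - syslog,sshd,authentication_failed,
2022 Nov 16 12:00:00 (ubuntu-srv) 10.0.1.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
Nov 16 12:00:00 ubuntu-srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2

** Alert 1668600060.5678: mail  - syslog,sshd,authentication_failures,
2022 Nov 16 12:01:00 (ubuntu-srv) 10.0.1.20->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
Nov 16 12:01:00 ubuntu-srv sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2

** Alert 1668600120.9012: mail  - ossec,syscheck,
2022 Nov 16 12:02:00 (win-client-01) any->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\\Windows\\System32\\drivers\\etc\\hosts'
"""


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    agent: str = ""
    rule_id: int = 0
    level: int = 0
    description: str = ""
    src_ip: Optional[str] = None
    detail: List[str] = field(default_factory=list)


# "mail" appears in the header only when the alert was also emailed.
HEADER_RE = re.compile(r"^\*\* Alert (\S+): (?:mail\s+)?- (.*)$")
AGENT_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \(([^)]+)\) \S+->.*$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_RE = re.compile(r"^Src IP: (\S+)$")


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log text into Alert records; unknown lines go to detail."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            groups = [g for g in m.group(2).split(",") if g]
            current = Alert(alert_id=m.group(1), groups=groups)
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        if (m := AGENT_RE.match(line)):
            current.agent = m.group(1)
        elif (m := RULE_RE.match(line)):
            current.rule_id = int(m.group(1))
            current.level = int(m.group(2))
            current.description = m.group(3)
        elif (m := SRC_RE.match(line)):
            current.src_ip = m.group(1)
        else:
            current.detail.append(line)
    return alerts


def high_severity(text: str, threshold: int = 7) -> List[Alert]:
    """Return alerts at or above the given level (7 matches the thread's advice)."""
    return [a for a in parse_alerts(text) if a.level >= threshold]


def summarize(alerts: List[Alert]) -> List[str]:
    """One digest line per alert, the kind of thing worth reading in a daily email."""
    lines = []
    for a in alerts:
        src = f" from {a.src_ip}" if a.src_ip else ""
        lines.append(f"[level {a.level}] rule {a.rule_id} on {a.agent}{src}: {a.description}")
    return lines


if __name__ == "__main__":
    for line in summarize(high_severity(SAMPLE_ALERTS)):
        print(line)
```

Running it against the sample prints only the brute-force and the integrity-change alerts; the single failed login is filtered out. On a real server the same threshold is what the email_alert_level setting in the alerts section of ossec.conf controls, so the script is a way to preview what that setting would send before changing it.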