Phabbits / CNIT470


HIDS clients won't connect #4

Closed Phabbits closed 2 years ago

Phabbits commented 3 years ago

Running sudo /var/ossec/bin/manage_agents, and listing agents, we see all agents are added:

Available agents: 
   ID: 001, Name: Centos7_F21, IP: 10.51.20.10
   ID: 004, Name: Win2008_F21, IP: 10.51.20.40
   ID: 007, Name: Win10, IP: 10.51.20.70
   ID: 005, Name: Win2019, IP: 10.51.20.50
   ID: 002, Name: Debian9_F21, IP: 10.51.20.20
   ID: 003, Name: Ubuntu_F21, IP: 10.51.20.30

To check if an agent is connected, we run sudo /var/ossec/bin/agent_control -i 004 which reports:

OSSEC HIDS agent_control. Agent information:
   Agent ID:   004
   Agent Name: Win2008_F21
   IP address: 10.51.20.40/32
   Status:     Never connected

   Operating system:    Unknown
   Client version:      Unknown
   Last keep alive:     Unknown

   Syscheck last started  at: Unknown
   Rootcheck last started at: Unknown

The key is added on Win2008, and the agent is running.

Phabbits commented 2 years ago

Need to restart the server and client after adding keys in order for them to connect.

/var/ossec/bin/ossec-control restart

Sources: https://www.looklinux.com/how-to-install-configure-ossec-client-agent-mode-on-linux/ https://defragged.org/ossec/how-to-install-ossec/
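
Added example, not part of the original comments: shell functions for the OSSEC server that find agents still reported as "Never connected", the state shown in this thread. They parse the output formats quoted above; the function names, the OSSEC_BIN variable and the sample data are constructed here, and manage_agents -l is assumed to be available for listing agents non-interactively.

```shell
#!/usr/bin/env bash
# Added example: report OSSEC agents whose status is "Never connected".
# Parsing follows the manage_agents / agent_control output shown in this thread.

OSSEC_BIN="${OSSEC_BIN:-/var/ossec/bin}"   # assumption: default install path

# Read an "Available agents" listing on stdin, print one agent ID per line.
agent_ids() {
    sed -n 's/^[[:space:]]*ID:[[:space:]]*\([0-9][0-9]*\),.*/\1/p'
}

# Read `agent_control -i <id>` output on stdin, print the Status value.
agent_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Constructed sample input, shaped like the listing in this thread.
sample_listing() { cat <<'EOF'
Available agents:
   ID: 001, Name: Centos7_F21, IP: 10.51.20.10
   ID: 004, Name: Win2008_F21, IP: 10.51.20.40
EOF
}

# Constructed sample input, shaped like the agent_control -i 004 output.
sample_info() { cat <<'EOF'
OSSEC HIDS agent_control. Agent information:
   Agent ID:   004
   Agent Name: Win2008_F21
   IP address: 10.51.20.40/32
   Status:     Never connected
EOF
}

# On a live server (as root): print the ID of every agent that has a key
# registered but has never completed a connection to the server.
never_connected() {
    "$OSSEC_BIN/manage_agents" -l | agent_ids | while read -r id; do
        status=$("$OSSEC_BIN/agent_control" -i "$id" | agent_status)
        if [ "$status" = "Never connected" ]; then
            echo "$id"
        fi
    done
}
```

Run never_connected as root on the server before and after /var/ossec/bin/ossec-control restart; IDs that remain listed afterwards still have not reached the server.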