In this article we are already assume that you have basic skill of Ansible automation tools knowledge and also OSSEC knowledge.

This article will bring you along to make ansible automate ossec agent installation with Playbooks.

On the Ansible Server we will need to create below folder to store all the playbooks and variable.

Ansible Server

cd /etc/ansible/roles/
sudo mkdir ossec-client

Alright, we have now created the main folder of this article, we will move on step by step.

We will now create a yaml playbook that recognise by ansible :

sudo touch main.yaml
sudo vi main.yaml

After vi we have to put the below content being a starter of the ansible playbooks.

---
- hosts: ossecclient2
become: yes
tasks:
- name: Installs Developement Tools
apt: pkg=build-essential state=installed
- name: Install Python
apt: pkg=python state=installed

Then save the first and we will continue the other part with explanation.

So on the top we added the hosts to be configure become ossec agent, hostname are ossecclient2, it would be different with yours.

you have to specific your own hostname in /etc/ansible/hosts like below:

sudo vi /etc/ansible/hosts

With this setting only your ansible playbooks will know who are the ossecclient2 and the ssh specific port number.

ossecclient2 ansible_ssh_host=192.168.0.2 # ansible_port=22

Save and quit the file.

Before we heading back to main.yaml, we have to create another yaml for store our variable name it vars.yaml

sudo vi vars.yaml

and set yours variable accordingly.

---
become: yes
ossec_url: https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
ossec_path: /opt/ossec-hids-2.8.3.tar.gz
ossec_path2: /opt/ossec-hids-2.8.3
ossec_manage_agent_input: /opt/ossec_manage_agent_input.txt
extract_path: /opt
ossec_server_ip: 192.168.0.3 #ossec server ip address
j2_path: /etc/ansible/roles/ossec-client/templates/ossec_client_input.j2
client_key_path: /etc/ansible/roles/ossec-client/templates/client2.keys
remote_client_key_path: /var/ossec/etc/client2.keys

Save and quit vars.yaml, please changes the ossec_server_ip to your own ossec server ip address.

We will back to the main.yaml.

vi main.yaml

add the following to the playbooks.

- include_vars: /etc/ansible/roles/ossec-client/vars.yaml
- name: Download OssecClient
get_url: url="{{ossec_url}}" dest="{{ossec_path}}"
- name: Extract Ossec server code
unarchive: copy=no src="{{ossec_path}}" dest="{{extract_path}}"
- name: Copy the Ossec_input file
template: src="{{j2_path}}" dest="{{ossec_path2}}/ossec_client_input.txt"
- name: Install Ossec-agent
shell: sudo bash /opt/ossec-hids-2.8.3/install.sh < /opt/ossec-hids-2.8.3/ossec_client_input.txt 
- name: Copy Client key to remote agent 
copy: src="{{client_key_path}}" dest="{{remote_client_key_path}}" owner=root group=ossec mode=0440 
- name: Copy Shorewall Rules to remote agent 
copy: src="{{rules_path}}" dest="{{remote_rules_path}}" owner=root group=root mode=0744 
- name: Extract only the key for current client 
shell: grep "{{ansible_default_ipv4.address}}" /var/ossec/etc/client2.keys > /var/ossec/etc/client.keys
- name: changes permission of client key
shell: chown root.ossec /var/ossec/etc/client.keys && chmod 440 /var/ossec/etc/client.keys
- name: Delete other client keys
file: name="{{remote_client_key_path}}" state=absent
- name: Delete ossec_client_input.txt
file: name="{{ossec_path2}}/ossec_client_input.txt" state=absent
- name: Start Ossec Client
shell: sudo bash /var/ossec/bin/ossec-control restart

Save and quit the file.

Now we have to create another folder and name it templates for storing all the templates file for ossec-client.

sudo mkdir /etc/ansible/roles/ossec-client/templates/

and create a j2 file to automate the Q&A section when installing the ossec agent:

sudo vi /etc/ansible/roles/ossec-client/templates/ossec_client_input.j2

and put the below content into the .j2 file without modifying anything.

en

agent
/var/ossec
{{ ossec_server_ip }}
y
y
y

Save and quit the file.

and we will create another file for store the client_key for the client and server communication.

create a file name it client2_keys

sudo touch client2_keys

Save and quit the file.

OK, until this step we have already done all the step in the templates folder.

cd /etc/ansible/roles/ossec-client

We have to create one bash shell to edit all the file we have to edit everytime we configure a new ossec client before we run the playbooks.

sudo vi file2edit

Copy and paste below content to file2edit bash shell file

#!/bin/bash
file=main.yaml
vi $file
vim /etc/ansible/roles/ossec-client/templates/client2.keys

Save and quit and make it executable with below command:

sudo chmod 755 file2edit

So everytime before you run the main.yaml you have to run the file2edit with below command make sure you have edit the hosts to the right hosts, and put in the correct key for the ossec_client.

once you run the file2edit with below command:

sudo bash file2edit

you will be editing the main.yaml hosts, changes to the servername that you want to configure the ossec client.

and save it and quit, and you will jump to another file client2_keys.

in here please open up another terminal and connect to the ossec server.

OSSEC SERVER

Run below command on the Ossec server

cd /var/ossec/bin
sudo ./manage_agent

you will see something like below:
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A

– Adding a new agent (use ‘q’ to return to the main menu).
Please provide the following:
* A name for the new agent:ossecclient2

* The IP Address of the new agent: 192.168.0.2
* An ID for the new agent[1]:
Agent information:
ID:1
Name:ossecclient2
IP Address:192.168.0.2

Confirm adding it?(y/n): y
Agent added.

That already done adding the client information on the server, next step we will get the raw key data.

cd /var/ossec/etc/
tail -n1 client_keys
1 ossecclietn2 192.168.0.2 ca2d6ade89547822d22329d67f87ac1d5c8b3d48e100a746cdaf101ba81010d1

copy the key and quit the file.

and restart ossec server with below command:

service ossec restart

ANSIBLE SERVER

Go back to the to your Ansible server and paste this key to the client2_keys and save it.

OK, we have done all the thing on OSSEC server and had input information in Ansible server.

Now we use below command to run ansible playbooks on ansible server.

ansible-playbook main.yaml

and you will see the result like below:

PLAY [ossecclient2] *****************************************************************

TASK [setup] *******************************************************************
ok: [ossecclient2]

TASK [Installs Developement Tools] *********************************************
ok: [ossecclient2]

TASK [Install Python] **********************************************************
ok: [ossecclient2]

TASK [include_vars] ************************************************************
ok: [ossecclient2]

TASK [Download OssecClient] ****************************************************
changed: [ossecclient2]

TASK [Extract Ossec server code] ***********************************************
changed: [ossecclient2]

TASK [Copy the Ossec_input file] ***********************************************
changed: [ossecclient2]

After ansible done, please run below command on ossecclient2 to verify it is connected to the server succesfully

OSSEC CLIENT (ossecclient2)

tail -f /var/ossec/logs/ossec.log

and you will see something like below:

2017/04/20 08:26:11 ossec-agentd(4102): INFO: Connected to the server (192.168.0.3:1514)

If you cant even saw the message above, it will be your firewall issue, you must allow udp 1514 in server and client as well.

If you cant get it working with above tutorial, here the source:

Download Now

untar with below command:

tar xvf ossec-client.tar.gz

Share this to your friends, if you found out that this article is useful

any problem with this article or anything that not state here, please let us know by commenting at the bottom of the article.

We will try our best to resolve your problem as soon as possible.

4 replies
  1. stupid jokes
    stupid jokes says:

    I’m amazed, I must say. Seldom do I come across a blog that’s equally educative and interesting, and let me
    tell you, you’ve hit the nail on the head. The issue is something which
    not enough people are speaking intelligently about. I’m
    very happy that I found this during my hunt for something concerning this.

    Reply
  2. ncert
    ncert says:

    When some one searches for his essential thing, therefore he/she desires to be available
    that in detail, thus that thing is maintained over here.

    Reply
  3. BlackMart
    BlackMart says:

    Valuable information. Fortunate me I found your web site unintentionally, and I’m stunned why this twist of fate did not happened in advance!
    I bookmarked it.

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *