Documentation for Threat Monitor

Install an OSSEC agent on a collector

OSSEC is an open source intrusion detection system. The OSSEC agent facilitates the collection and processing of Windows system, application, and security event logs in addition to common Linux/Unix event logs. Learn more about OSSEC here.

Before installing the OSSEC agent, add static assets for each device that will have the agent installed. This will prevent failed events when you install the OSSEC agent.

  1. On the Threat Monitor toolbar, click the Assets tab.

  2. In the Static Assets (Hosts) list, click New.

  3. Enter the host name (not the fully-qualified name) and IP address, and then click Save.

Install the OSSEC agent

Install the OSSEC agent on each device whose Windows or Linux/Unix event logs you want to monitor. The agent connects to the collector automatically.

  1. In Threat Monitor, navigate to Admin > Manage Collectors.

  2. In the sensors list, select a collector, and then click Edit.

  3. Click the OSSEC tab.

Install the agent automatically

  1. Click the Windows Auto Installer tab, and then click Create New Windows Installer.

  2. When the Creating New Installer window closes, click Download, and then run the installer on the target device.

Install the agent manually

  1. On the Agents tab, click Add.

    This process creates an agent-specific installer, so the installer is only valid for the machine it is configured for.

  2. Enter the host name and IP address of the target device, select an operating system, and then click Submit.

  3. In the server list, select your new agent, click Download, and then run the installer on the target device.

Add a log source using OSSEC

  1. Click the Remote Logs tab, and then click Add.

  2. In the Config Setup window, select the appropriate log format, and then enter the log location.

    OSSEC requires a specific file path for the log location, such as C:\logs\thisIsmyLogfile.log. OSSEC does not work with wildcards, so a location such as C:\logs\*.log is not valid.

  3. From the Type drop-down list, select Host, and then select the appropriate device.

  4. Click Create, and then click Restart Required to push the changes to all OSSEC agents and the OSSEC server.
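As an added illustration (not taken from this documentation page or from Threat Monitor itself): the log format and log location you enter in the Config Setup window correspond to a `<localfile>` entry in the OSSEC agent's ossec.conf. The fragment below shows the one-file-per-entry form the page requires, with the unsupported wildcard form kept only as a comment; `syslog` is an assumed log format for a plain text file, and the path is the page's own example.

```xml
<ossec_config>
  <!-- One <localfile> block per log file: OSSEC needs an explicit path. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\logs\thisIsmyLogfile.log</location>
  </localfile>

  <!-- A second file must be its own block rather than a wildcard.
       (Constructed example path.) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\logs\secondApplication.log</location>
  </localfile>

  <!-- NOT valid for this deployment: the page states OSSEC does not
       accept wildcards, so an entry like the following collects nothing.
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\logs\*.log</location>
  </localfile>
  -->
</ossec_config>
```

After the configuration is pushed, check the agent's ossec.log on the target device for "Analyzing file" lines naming each configured path; a path that never appears was not picked up.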