DK 'Log


Tutorial 1: Host Inventory using OSSIM
Sun, 25 Nov 2007

This post will be the first of a series of tutorials describing how to accomplish certain useful things using OSSIM. A friendly IT teacher from Oklahoma suggested that it would be a good idea, and I have to agree. And on top, it's relaxing :-).

So here we go, this first installment will focus on deploying OCS Inventory on a couple of hosts, getting them to report to the central ossim server and seeing how they show up in our interface. This will demonstrate the powerful cross-platform inventory capabilities built into ossim thanks to the new OCS integration.

The test environment consists of 6 devices:

  • Apple 10.5 Leopard
  • Debian 4.0 Linux inside Parallels
  • IPhone MacosX
  • OpenBSD 4.x
  • Windows XP inside Parallels
  • Yellow Dog Linux running on a PS3

Step 1: Check out how our freshly installed image is performing

After logging into the interface we first check the specific Inventory tab at the executive panel, seeing how it is currently empty:

Next, we go to Reports -> OCS Inventory and also see how it is (still) empty:

Step 2: Start installing the agents. Windows.

During step two we'll install the OCS agent on Windows. The ossim installer already rewrites the OCS package with the server IP you've configured during installation, so actually deploying agents is very simple.
First we'll go to Tools -> Downloads in order to get the pre-configured installer package. As you may notice on this screenshot, I've created a very restricted user with no permissions, who can only see and fetch things from the download page.

After downloading we open up the compressed file and execute the "install.bat" script. This should go on pretty fast and will install and enable OCS on the system.

By default, OCS schedules itself to run on a daily basis (not 100% sure about this) so at first you won't get any inventory. Anyway, since I'm more of the impatient kind I want to force it.
In order to force an inventory we must execute "inventorize_now.bat" after installation. It can be done from the zip already, as shown below:

And voila, there we've got our first inventoried host and its detail:

Step 3: Continue installing the agents. Debian Linux.

Our next step will involve installing the OCS agent on the ossim server itself. Since we're on the filesystem we can just copy the included agent package to some tmp directory, uncompress it, install everything and there we go. Here is the complete log of what I've done.
And the resulting host will appear on our list, along with its detail:

Step 4: Continue installing the agents. MacOS X (including iPhone).

Since only Windows and Linux agents are included with the installer, you have to find OCS inventory agents for other systems on the contrib page. It is linked from Downloads->Tools for easy reference. Here you can see what it looks like; we'll be using the MacosX agent for this step and the unix agent for the next one (ain't it pretty?):

Now to the bad news. I tried to get it running but the current version doesn't work on Leopard, nor does it work on the iPhone (not even exporting the xml inventory to another host, though the iPhone does run php). So, here you can see my efforts, but after skimming over the forums I don't think I'll waste much time on this right now. Pretty sure the author will come up with a Leopard compatible version at some time. Check the post at the bottom of this link for more information, you might be luckier than I've been.

Step 5: More agent installation. Openbsd.

This one has been pretty straightforward. Downloaded the unix version, had curl and libxml2, pointed it at the right zlib path and there we go. Here is the log.
And the PoC:

Step 6: Inventory of a PS3. YDL.

Since the OCS agent installer provides all the needed deps, this was straightforward too and very similar to the other Linux one, so no log is included. The PS3 is actually quite an impressive Linux platform btw :-)

Final Step 7: Conclusion

So there we go. If everything had gone well I'd now have every host surrounding me inventoried. Sadly there was that minor MacOS X glitch, but I had it running on Tiger and I assure you it works.
Our final setup looks like this:

And... do you remember the empty inventory graph section at the beginning? Well, as expected, now it's got some data in it:
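Once the agents are deployed, the useful check is not "does the graph have data" but "which of the hosts I expect are missing or have not reported since the agent's daily run". The following is an added example, not code from the tutorial or from OSSIM/OCS; it assumes the inventory list has been exported to a CSV with hostname, os and last_inventory columns (a constructed sample, since the page does not describe the real export format) and reconciles it against the six devices of the test environment.

```python
"""Reconcile expected hosts against what the OCS inventory actually reports.

Added example, not part of the original tutorial or of OSSIM/OCS. The CSV
layout below is an assumption; adapt load_inventory() to your real export.
"""
import csv
import io
from datetime import datetime, timedelta

# The six devices from the tutorial's test environment (hostnames are constructed).
EXPECTED_HOSTS = {
    "leopard-mac", "debian-parallels", "iphone",
    "openbsd", "winxp-parallels", "ps3-ydl",
}

# Constructed sample export: hostname, os, timestamp of the last inventory run.
SAMPLE_CSV = """hostname,os,last_inventory
winxp-parallels,Windows XP,2007-11-25 10:05:00
debian-parallels,Debian 4.0,2007-11-25 10:40:00
openbsd,OpenBSD 4.x,2007-11-23 09:00:00
ps3-ydl,Yellow Dog Linux,2007-11-25 11:10:00
"""


def load_inventory(text):
    """Parse the CSV export into {hostname: last_inventory datetime}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["hostname"]: datetime.strptime(r["last_inventory"], "%Y-%m-%d %H:%M:%S")
            for r in rows}


def reconcile(inventory, expected, now, max_age=timedelta(days=1)):
    """Return three sorted lists:
    missing    - expected hosts that never reported (agent not installed or not reaching the server)
    stale      - expected hosts whose last run is older than max_age (the agent only
                 reports daily by default, so anything older than that is a gap to chase)
    unexpected - hosts reporting that are not on the expected list (rogue or misnamed)
    """
    missing = sorted(expected - inventory.keys())
    stale = sorted(h for h, ts in inventory.items() if h in expected and now - ts > max_age)
    unexpected = sorted(inventory.keys() - expected)
    return {"missing": missing, "stale": stale, "unexpected": unexpected}


if __name__ == "__main__":
    report = reconcile(load_inventory(SAMPLE_CSV), EXPECTED_HOSTS,
                       datetime(2007, 11, 25, 11, 26))
    for kind, hosts in report.items():
        print(f"{kind:10s}: {', '.join(hosts) or '-'}")
```

With the sample data the two Mac hosts that never got a working agent show up as missing and the OpenBSD box, last seen two days earlier, shows up as stale.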

I hope you enjoyed this first tutorial. If you liked it please leave a quick comment below; since I'm just testing whether all this blogging thing makes sense to me, any feedback will be welcome.

posted at: 11:26 | path: /ossim/tutorials | 12 comments
Tags: ocs, ossim, installer, tutorial



* Posted by Alan at Wed Dec 5 21:29:37 2007
Nice, simple and straightforward, I really liked the tutorial.  I like OSSIM as well but, I need help to use it and if you keep this up I will have all the help I need.  Thank you.
* Posted by Leonardo Abbondanza at Mon Dec 17 20:37:27 2007
Nice. Would really appreciate if you make a tutorial regarding Windows log collecting and correlation also.
* Posted by Dominique Karg at Wed Dec 19 15:50:03 2007
Thanks for the feedback. Here you go ;-)

http://www.ossim.com/blog/dk/ossim/tutorials/tut5_windows_eventlog.html
* Posted by Olaf at Tue Jan 8 10:01:50 2008
Thank you for the very easy OCS installation tutorial covering most current OSes.
* Posted by Chris at Tue Jan 22 08:20:50 2008
Great Tutorial(s), thanks for the effort in putting these together.

I'm currently using OCS & GLPI & want to centralize everything using the new OSSIM installer.

How can I access the ocs database inside ossim - I've tried the passwords from the tutorial, still getting:

mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

Thanks in advance for your help!
* Posted by Mikrodots at Thu Mar 13 21:46:29 2008
DK,

I found you need to add the debug switch to the inventorize_now.bat script to keep OCSInventory.exe from causing an "APPCRASH" on Vista.

Example:
"%ProgramFiles%\OCS Inventory Agent\OCSInventory.exe" /FORCE  /DEBUG  /SERVER:1.2.3.4

See this post: http://forums.ocsinventory-ng.org/viewtopic.php?id=555

Thanks for the tutorials.  They are a huge help to an ossim newbie.  How about a Nagios tutorial?

Thanks again,
Mikrodots
* Posted by mad at Sat Mar 22 00:12:45 2008
MySQL password for OSSIM installer (if not manually specified during installation stage) -

you can find it inside of file /etc/acidbase/base_conf.php
search for:  /* Archive DB connection parameters */
* Posted by Mike at Thu Apr 10 20:43:50 2008
What a great site, THANK YOU so much for this tut. We run multiple Snort boxes with Nagios and Base currently.  We are very excited about OSSIM and trying to replace our current stuff.
* Posted by Joe at Wed Jun 25 18:15:24 2008
I'm completely overwhelmed with trying to understand all the pieces that come with an OSSIM install, and how they tie together.

Thanks for this tutorial, it's parted the clouds, at least a tiny bit, for me.  I'm rushing off to read your others now. 

It would be great to have these (and more) tutorials made a part of the standard OSSIM docs, but in any case I greatly appreciate your hard work, and am happy they exist at all!
* Posted by dp at Tue Jun 23 13:17:22 2009
Thanks  Mikrodots for the Vista tip!
* Posted by dp at Tue Jun 23 13:18:17 2009
Oh yeah - Thanks a ton for this tutorial!
* Posted by dp at Tue Jun 23 13:58:59 2009
Oh yeah - Thanks a ton for this tutorial!


Dominique Karg