AlienVault® USM Appliance™

Deploy AlienVault HIDS Agents

You can deploy an AlienVault HIDS agent to a host in several ways, depending on the operating system of the host:

Deploy AlienVault HIDS Agents to Windows Hosts

For Microsoft Windows hosts, USM Appliance generates a binary installer containing the appropriate server configuration and the agent's authentication key. You can let USM Appliance install the file for you, or download the file and install it on the host yourself. Because the installer embeds the agent key, treat the file as a secret: transfer it over a trusted channel and delete it from the host after installation.

Important: All Windows hosts must meet the prerequisites described in the Asset Management topic, Deploying HIDS Agents.

To deploy the AlienVault HIDS agent to a Windows host

  1. Navigate to Environment > Detection.
  2. Navigate to HIDS > Agents > Agent Control > Add Agent.

  3. On New HIDS Agent, select the host from the asset tree.

    USM Appliance populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.

  4. Click Save.

    USM Appliance adds the new agent to the list.

  5. To deploy the agent, click the button in the Actions column.
  6. In Automatic Deployment for Windows, type the Domain (optional), User, and Password of an account that can install software on the host (typically a local administrator); then click Save.

    USM Appliance assembles a preconfigured binary file and deploys it to the host.

  7. Alternatively, to download the preconfigured binary file, click the button in the Actions column.

    Your browser downloads the file automatically or prompts you for the download.

  8. Transfer the file, named ossec_installer_<agent_id>.exe, to the Microsoft Windows host.

  9. On the Windows host, double-click to run the executable.

    The installer runs in a console briefly, then displays a progress bar until completion.

Deploy the AlienVault HIDS Agents to Linux Hosts

Important: For Linux hosts, AlienVault recommends that you download the ossec-hids-agent installer that matches your Linux distribution directly from OSSEC's Downloads page, and then follow the instructions there to complete the installation.

After you have successfully installed the HIDS agent on the Linux host, perform the steps below to connect it to the USM Appliance.

To add the HIDS agent to USM Appliance

  1. Navigate to Environment > Detection.
  2. Navigate to HIDS > Agents > Agent Control > Add Agent.
  3. On New HIDS Agent, select the host from the asset tree.

    USM Appliance populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.

  4. Click Save.

    USM Appliance adds the new agent to the list.

  5. To extract the key for the agent, click the button in the Actions column, and then copy the key that is displayed.

  6. Log in to the Linux host, run /var/ossec/bin/manage_agents, enter I to import a key, and then paste the key you copied in the previous step.

    Note: On some installations, CentOS for example, the command may be manage_client instead of manage_agents.

  7. Edit the agent configuration file, /var/ossec/etc/ossec-agent.conf (on many packages the file is /var/ossec/etc/ossec.conf), and set the <server-ip> element in the <client> section to the IP address of the USM Appliance.
  8. Start the HIDS agent if it is not already running, and enable it to start at boot. The service name depends on the package (ossec or ossec-hids), for example:

    service ossec start

    chkconfig ossec-hids on

  9. On the USM Appliance, navigate to Environment > Detection, click HIDS Control, and then Restart.

Deployment Verification

You can verify the deployment both on the HIDS agent and the USM Appliance.

On the HIDS agent, check the ossec.log file for messages similar to the following, which show that the agent started and connected to the USM Appliance (here 10.47.30.100, on port 1514, the default OSSEC agent port):

    2015/09/18 09:07:38 ossec-agent: INFO: Started (pid: 3440).
    2015/09/18 09:07:38 ossec-agent(4102): INFO: Connected to the server (10.47.30.100:1514).

To check the agent log file on a Windows host

  1. Go to Start > OSSEC > Manage Agent.
  2. In OSSEC Agent Manager, click View and select View Logs.

    This opens the ossec.log file on the agent.

To check the agent log file on a Linux host

  1. Log in to the Linux host.
  2. In a console, enter the following:

    more /var/ossec/logs/ossec.log
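The Linux procedure above (import the key, point the agent at the appliance, confirm the connection in ossec.log) is manual, and the one check it leaves out is that the key you paste really belongs to the agent you created. The key manage_agents exports is the base64 encoding of the string "ID NAME IP SECRET", so it can be decoded and compared with the agent entry in USM Appliance before it is imported. The following POSIX shell helpers are an added example, not AlienVault's or OSSEC's own tooling: they decode and verify the key, rewrite the <server-ip> element in the agent configuration, drive the interactive manage_agents import, and scan ossec.log for the "Connected to the server" line. The sample key, configuration snippet and log lines used with them are constructed for illustration; base64 -d assumes GNU coreutils, and the manage_agents menu flow (I, key, y, ENTER, Q) is the one in the OSSEC 2.x agent and may differ in other versions.

```shell
#!/bin/sh
# Helpers for connecting an OSSEC-based AlienVault HIDS agent to USM Appliance.
# Added example, not AlienVault/OSSEC code. Assumes GNU coreutils (base64 -d).

# The key shown by USM Appliance / manage_agents -e is base64("ID NAME IP SECRET").
# Print the decoded fields, or fail if the string does not decode to four fields.
decode_agent_key() (
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || exit 1
    set -f                                  # no globbing while word-splitting
    set -- $decoded
    [ $# -eq 4 ] || exit 1
    case $1 in ''|*[!0-9]*) exit 1 ;; esac  # agent ID is numeric
    printf '%s\n' "$decoded"
)

# Compare the ID, name and IP embedded in the key with the agent entry you
# created in USM Appliance, so a key pasted for the wrong host is caught early.
# usage: verify_agent_key KEY EXPECTED_ID EXPECTED_NAME EXPECTED_IP
verify_agent_key() (
    decoded=$(decode_agent_key "$1") || { echo "key does not decode" >&2; exit 1; }
    set -f
    set -- $decoded "$2" "$3" "$4"          # $1..$4 from key, $5..$7 expected
    [ "$1" = "$5" ] && [ "$2" = "$6" ] && [ "$3" = "$7" ] \
        || { echo "key is for agent $1 ($2, $3), not $5 ($6, $7)" >&2; exit 1; }
)

# Dotted-quad check used before writing an address into the configuration.
valid_ipv4() (
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

# Print the <server-ip> currently configured in an agent ossec.conf-style file.
get_server_ip() {
    sed -n 's|.*<server-ip>\([^<]*\)</server-ip>.*|\1|p' "$1" | head -n 1
}

# Point the agent at the USM Appliance: validate the address, then rewrite the
# <server-ip> element (via a temp file, so it works with GNU and BSD sed).
# usage: set_server_ip CONF_FILE USM_IP
set_server_ip() {
    valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
    grep -q '<server-ip>' "$1" || { echo "no <server-ip> element in $1" >&2; return 1; }
    sed "s|<server-ip>[^<]*</server-ip>|<server-ip>$2</server-ip>|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Import the key on the agent host by driving manage_agents' interactive menu
# (I = import, paste key, y = confirm, ENTER back to menu, Q = quit). Some
# packages ship the tool as manage_client. Needs the installed agent, so this
# is the one helper not exercised offline.
import_agent_key() {
    for tool in /var/ossec/bin/manage_agents /var/ossec/bin/manage_client; do
        [ -x "$tool" ] || continue
        printf 'I\n%s\ny\n\nQ\n' "$1" | "$tool"
        return $?
    done
    echo "manage_agents/manage_client not found; is the agent installed?" >&2
    return 1
}

# Confirm from ossec.log that the agent reached the appliance (UDP 1514 by default).
# usage: agent_connected LOG_FILE USM_IP
agent_connected() (
    ip=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "ossec-agent([0-9]*): INFO: Connected to the server ($ip:" "$1"
)
```

Run verify_agent_key "$KEY" 001 web01 10.47.30.55 with the ID, name and IP from the USM Appliance agent list before calling import_agent_key "$KEY"; after set_server_ip /var/ossec/etc/ossec.conf 10.47.30.100 and a restart of the service, agent_connected /var/ossec/logs/ossec.log 10.47.30.100 succeeds once the log carries the connection line from the previous section.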

On the USM Appliance, make sure that AlienVault HIDS events are arriving from the agent.

To verify the HIDS deployment on the USM Appliance

  1. Navigate to Environment > Detection.

    The Overview page for HIDS displays.

  2. Ensure that the Status column for each deployed agent displays Active, and that the Trend chart is not empty.

  3. To see the AlienVault HIDS events from a specific agent, navigate to Analysis > Security Events (SIEM).
  4. In Data Sources, select AlienVault HIDS; change the Event Name filter to Src IP, enter the IP address of the HIDS agent, and then click Go.

    The AlienVault HIDS events from the particular agent display.

Status Messages

USM Appliance HIDS agent deployment status messages:

  Message                                                                         Explanation
  ------------------------------------------------------------------------------  ----------------------------------
  Your request has been processed                                                 Success
  Sorry, operation was not completed due to an error when processing the request  No data returned from the database
  The following errors occurred                                                   A list of pertinent errors
  Your changes have been saved                                                    Successful save
  illegal: User                                                                   User validation error
  illegal: Password                                                               Password validation error
  illegal: Domain                                                                 Domain validation error