5/5/2016

Deploying the AlienVault HIDS Agents in AlienVault USM v5

Deploying the AlienVault HIDS Agents


https://www.alienvault.com/documentation/usmv5/idsconfiguration/deployingalienvaulthids.htm

You can deploy an AlienVault HIDS agent to a host in several ways:


Using the Getting Started Wizard. This option supports deployment to Microsoft Windows hosts and
agentless deployment to Linux hosts. For instructions, see Deploying HIDS to Servers, in the Getting
Started Wizard topic.
From the Asset List View. This option supports deployment to Microsoft Windows servers only. For
instructions, see Deploying HIDS Agents, in the Asset Management topic.
From the HIDS management view. This option supports deployment to Microsoft Windows and Linux hosts.
See the instructions below.

Deploying the AlienVault HIDS Agents to Windows Hosts


For Microsoft Windows hosts, USM generates a binary file containing the appropriate server configuration and
authentication key. You can choose to let USM install the file for you, or download the file and install it on the
host yourself. All Windows hosts must meet the prerequisites described in the Asset Management topic,
Deploying HIDS Agents.
To deploy the AlienVault HIDS agent to a Windows host
1. Navigate to Environment > Detection.
2. Navigate to HIDS > Agents > Agent Control > Add Agent.

3. On New HIDS Agent, select the host from the asset tree.
USM populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.
4. Click Save.
USM adds the new agent to the list.
5. To deploy the agent, click the button in the Actions column.
6. In Automatic Deployment for Windows, type the Domain (optional), User, and Password of the host; then
click Save.
USM assembles a preconfigured binary file and deploys it to the host.
7. Alternatively, to download the preconfigured binary file, click the button in the Actions column.
Your browser downloads the file automatically or prompts you for the download.
8. Transfer the file, named ossec_installer_<agent_id>.exe, to the Microsoft Windows host.
9. On the Windows host, double-click to run the executable.
The installer runs in a console briefly, then displays a progress bar until completion.
Deploying the AlienVault HIDS Agents to Linux Hosts


Important: For Linux hosts, depending on which distribution of Linux you use, AlienVault recommends
that you download the corresponding ossec-hids-agent installer file directly from the OSSEC Downloads
page, and then follow their instructions to complete the installation.
After you have successfully installed the HIDS agent on the Linux host, perform the steps below to connect it
to the USM.
To add the HIDS agent to USM
1. Navigate to Environment > Detection.
2. Navigate to HIDS > Agents > Agent Control > Add Agent.
3. On New HIDS Agent, select the host from the asset tree.
USM populates Agent Name with the host name, and IP/CIDR with the host IP address automatically.
4. Click Save.
USM adds the new agent to the list.
5. To extract the key for the agent, click the button in the Actions column, and then copy the key that
displays.
6. Log in to the Linux host, run /var/ossec/bin/manage_client, and then enter I to import the key you
copied in the previous step.
7. Edit /var/ossec/etc/ossec-agent.conf to change the server IP address to the USM.
8. Start the HIDS agent if it is not already running:
service ossec-hids start
chkconfig ossec-hids on
9. On the USM, navigate to Environment > Detection, click HIDS Control, and then Restart.

Deployment Verification
You can verify the deployment both on the HIDS agent and the USM.
On the HIDS agents, you can check the ossec.log file to make sure that a message similar to the following
exists:
2015/09/18 09:07:38 ossec-agent: INFO: Started (pid: 3440).
2015/09/18 09:07:38 ossec-agent(4102): INFO: Connected to the server (10.47.30.100:1514).

To check the agent log file on the Windows hosts


1. Go to Start > OSSEC > Manage Agent.
2. In OSSEC Agent Manager, click View and select View Logs.
This opens the ossec.log file on the agent.
To check the agent log file on the Linux hosts
1. Log in to the Linux host.
2. In a console, enter the following:
more /var/ossec/logs/ossec.log
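
The Linux-side checks from step 7 and from this verification procedure can be scripted. The following is an added example, not part of the AlienVault documentation: the function names check_hids_agent and make_sample are hypothetical, the sample configuration is constructed, and it assumes the agent configuration stores the server address in a <server-ip> element.

```shell
#!/bin/sh
# Added example: confirm a Linux HIDS agent points at, and is connected to, the USM.
# Return codes: 0 ok, 2 config points elsewhere, 3 no connection logged, 4 connected elsewhere.
check_hids_agent() {
    usm_ip=$1
    conf=${2:-/var/ossec/etc/ossec-agent.conf}
    log=${3:-/var/ossec/logs/ossec.log}

    # Step 7 of the procedure: the agent configuration must name the USM as its server.
    conf_ip=$(sed -n 's|.*<server-ip>\([^<]*\)</server-ip>.*|\1|p' "$conf" | head -n 1)
    if [ "$conf_ip" != "$usm_ip" ]; then
        echo "config: server-ip is '${conf_ip}', expected '${usm_ip}'"
        return 2
    fi

    # Verification: judge by the most recent "Connected to the server (IP:PORT)" line.
    last=$(grep 'INFO: Connected to the server (' "$log" | tail -n 1)
    if [ -z "$last" ]; then
        echo "log: no 'Connected to the server' message found"
        return 3
    fi
    log_ip=$(printf '%s\n' "$last" | sed -n 's|.*Connected to the server (\([^:)]*\).*|\1|p')
    if [ "$log_ip" != "$usm_ip" ]; then
        echo "log: agent connected to '${log_ip}', expected '${usm_ip}'"
        return 4
    fi
    echo "ok: agent configured for and connected to ${usm_ip}"
}

# Constructed sample files; the log lines follow the format shown on this page.
make_sample() {
    dir=$(mktemp -d)
    printf '<ossec_config>\n  <client>\n    <server-ip>%s</server-ip>\n  </client>\n</ossec_config>\n' "$1" > "$dir/ossec-agent.conf"
    cat > "$dir/ossec.log" <<'EOF'
2015/09/18 09:07:38 ossec-agent: INFO: Started (pid: 3440).
2015/09/18 09:07:38 ossec-agent(4102): INFO: Connected to the server (10.47.30.100:1514).
EOF
    echo "$dir"
}

d=$(make_sample 10.47.30.100)
check_hids_agent 10.47.30.100 "$d/ossec-agent.conf" "$d/ossec.log"
rm -rf "$d"
```

On a real host, call check_hids_agent with only the USM IP address to use the default file paths from this page.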

On the USM, make sure that AlienVault HIDS events exist.


To verify the HIDS deployment on the USM
1. Navigate to Environment > Detection.
The Overview page for HIDS displays.
2. Ensure that the Status column for the deployed agents displays Active, and the Trend chart is not empty.

3. To see the AlienVault HIDS events from a specific agent, navigate to Analysis > Security Events (SIEM).
4. In Data Sources, select AlienVault HIDS; change Signature to Src IP, enter the IP address of the HIDS
agent, and then click Go.
The AlienVault HIDS events from the particular agent display.

Copyright 2016, AlienVault, Inc. All rights reserved.