
AlienVault Unified Security Management™ for Government v4.12 & RT Logic CyberC4:Alert v4.12

HIDS Deployment on Windows

Copyright© 2016 AlienVault. All rights reserved.


DOCUMENT HISTORY AND VERSION CONTROL

Edition   Date of Issue   Description of Change(s)
01        08/01/15        Initial Version

AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product
names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective
companies.

TABLE OF CONTENTS

1. INTRODUCTION ........................................................................................................... 4
2. PREREQUISITES ..................................................................................................... 4
3. PRECONFIGURED MANUAL INSTALLATION ....................................................... 4
4. VALIDATION ............................................................................................................ 5
4.1. Validation on the Client .............................................................................................. 6
4.2. On the Server ............................................................................................................. 7
5. LOG MANAGEMENT ............................................................................................... 8

AVUG-00127 Edition 01 Copyright© 2016 AlienVault. All rights reserved. Page 3 of 9


1. INTRODUCTION
AlienVault USM for Government includes a built-in host-based intrusion detection (HIDS)
agent that includes the following core features:
1. Log Monitoring and Collection
2. File Integrity Checking
3. Windows Registry Integrity Checking
4. Active Response
The AlienVault HIDS agent uses a server/agent architecture, with limited support for
agentless operation on certain operating systems.
Agents are deployed to client systems and run as a continuous in-memory service,
communicating with the central server over UDP port 1514. Be sure to open this port on
any internal firewalls between the monitored hosts and the server so the agent traffic can
get through.

2. PREREQUISITES
• A host to be monitored running one of:
  o Windows Server 2003 or 2008
  o Windows 7, XP, 2000 or Vista
• An account with administrative rights for the installation

3. PRECONFIGURED MANUAL INSTALLATION


For Windows Client Hosts, AlienVault can generate a pre-configured binary – this binary will
install without the need for any additional configuration. The binary will already have the
appropriate server configuration and authentication key embedded in the installation binary.

1. Navigate to “Environment > Detection > HIDS” and choose Agents.
2. Click on ADD AGENT:
3. Enter the details of the agent to be added – either its fixed IP address, or the CIDR
subnet if it will have an address assigned by DHCP.


4. Once the entry for the new agent has been added, find the row of icons to the right of
its entry and click the Download Preconfigured Agent for Windows icon:

Figure 1. Detection option: “download preconfigured agent for Windows”

5. The system assembles a preconfigured binary; this may take a short time to complete.
6. The assembled installer is then downloaded. The file name will resemble the
following:
ossec_installer_564dabd0-fa1c-fd4c-d391-8feedf3246ff_001.exe
7. If necessary, move the generated installer binary to the intended client host.
8. Run the executable. The installer briefly runs in a console window, then displays the
installer progress UI for a short time, and finally exits after completing the installation.
9. After this has completed, continue with the Validation section of this document.

4. VALIDATION
Validating a successful pairing between the new client agent and the AlienVault Server can
be performed from both sides of the connection.


4.1. VALIDATION ON THE CLIENT


The agent keeps a local log file of its operation; the quickest way to open it is from the
Agent Manager, via the “View” menu and then “View Logs”.

Figure 2. OSSEC Agent Manager: “View” menu

The log file opens in your system’s default application for .txt files (typically Notepad).
A successful connection to the server creates log entries similar to these:

2013/05/28 10:53:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).
2013/05/28 10:53:42 ossec-agent Sending keep alive message....

Should the client agent be unable to connect to the OSSEC service on the AlienVault
server, you will instead see log entries like these:

2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).
2013/05/28 12:25:05 ossec-agent: INFO: Using IPv4 for: 192.168.1.240
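When many hosts are being paired, reading each log in Notepad does not scale. The following Python script is an added example, not part of the AlienVault guide or the OSSEC project: it parses ossec-agent log lines in the format shown above, takes the most recent "Connected to the server" or "Waiting for server reply" event as the agent's current state, and reports the server address and the keepalives sent since the connection. The embedded sample lines are the guide's own excerpts joined back onto single lines; the script name and the log path passed on the command line are assumptions, since the guide only says the log is opened from the Agent Manager.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Matches the ossec-agent log lines shown in the guide. The message number in
# parentheses (e.g. 4101, 4102) and the severity are optional because the
# keepalive line carries neither and the "Trying to connect" line has no number.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent(?:\((?P<code>\d+)\))?:?\s*"
    r"(?:(?P<level>INFO|WARN|ERROR):\s*)?"
    r"(?P<msg>.*)$"
)
SERVER_RE = re.compile(r"\((?P<host>[^():]+):(?P<port>\d+)\)")
TRIED_RE = re.compile(r"Tried: '(?P<host>[^']+)'")


@dataclass
class AgentStatus:
    state: str = "unknown"            # "connected", "not_connected" or "unknown"
    server: Optional[str] = None      # host:port from the last successful connect
    keepalives: int = 0               # keepalives sent since the last connect
    tried: List[str] = field(default_factory=list)  # servers that did not answer
    last_event: Optional[str] = None  # timestamp of the last connect/wait line


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into timestamp, message code, level and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(log_text: str) -> AgentStatus:
    """Derive the agent's connection state from the most recent events in the log.

    The latest connect/wait line wins: a "Connected to the server" after a
    "Waiting for server reply" means the agent eventually paired, and vice versa.
    """
    status = AgentStatus()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not an ossec-agent line (blank line or a wrapped fragment)
        msg = rec["msg"]
        if msg.startswith("Connected to the server"):
            status.state = "connected"
            status.last_event = rec["ts"]
            status.keepalives = 0
            m = SERVER_RE.search(msg)
            status.server = f"{m['host']}:{m['port']}" if m else None
        elif msg.startswith("Waiting for server reply"):
            status.state = "not_connected"
            status.last_event = rec["ts"]
            m = TRIED_RE.search(msg)
            if m and m["host"] not in status.tried:
                status.tried.append(m["host"])
        elif msg.startswith("Sending keep alive") and status.state == "connected":
            status.keepalives += 1
    return status


# Sample input: the two log excerpts printed in the guide, joined back onto
# single lines (the PDF wrapped them).
CONNECTED_SAMPLE = """\
2013/05/28 10:53:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).
2013/05/28 10:53:42 ossec-agent Sending keep alive message....
"""
FAILED_SAMPLE = """\
2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).
2013/05/28 12:25:05 ossec-agent: INFO: Using IPv4 for: 192.168.1.240
"""


def main(argv: List[str]) -> int:
    """Assess the log file named as the first argument (or the embedded sample)."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = CONNECTED_SAMPLE
    s = assess(text)
    print(f"state={s.state} server={s.server} keepalives={s.keepalives} "
          f"tried={s.tried} last_event={s.last_event}")
    if s.state == "not_connected":
        print("Check that UDP 1514 from this host to the server is allowed by any internal firewall.")
    return 0 if s.state == "connected" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_agent_log.py <path to the agent's log file>`; the exit code is 0 only when the most recent event is a successful connection, so the script can be used from a deployment job to flag hosts whose agent never paired. A "not_connected" verdict with the server listed under `tried` points at the UDP 1514 path or the server address embedded in the preconfigured installer rather than at the local service.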


4.2. ON THE SERVER


From the AlienVault web UI, open the OSSEC configuration panel through “Environment >
Detection > HIDS”. In the agent listing at the bottom of the main panel, check that your
newly created agent is marked as Active:

Figure 3. OSSEC configuration panel

The trend chart will not populate immediately; it requires logs to have been received from
the client for some time first.
Your client installation is now complete.

When re-launching the OSSEC Manage Agent tool under Windows, always start it using the
“Run as administrator” option. Otherwise it will falsely indicate that the agent is not
running, the service status will be unavailable, and the agent logs cannot be viewed.


5. LOG MANAGEMENT
Event logs provide the information you need to troubleshoot operational errors and
investigate potential security exposures.
Navigate to “Analysis > Security Events (SIEM)”. The window looks similar to the following:

Figure 4. Security Events (SIEM)


Navigate to “Analysis > Raw Logs” to view Logger logs:

Figure 5. Raw Logs
