sudo nano \/etc\/ssh\/sshd_config<\/code> and set PasswordAuthentication no<\/code>).<\/li>\n\n\n\n- Only run services that you need on the server. Disable anything that is not required.<\/li>\n\n\n\n
- Segregate services behind host based or network firewalls (preferably both), only allow stateful inbound SSH connections from trusted hosts, inbound connection to relay nodes on the defined port, and only allow inbound connection to BPN from specific relay nodes (outbound is needed from relays).<\/li>\n\n\n\n
- Set appropriate permissions for files (e.g.
\/opt\/cardano\/cnode<\/code> if you are using cnTools<\/a>, which will also set the correct permissions for you).<\/li>\n\n\n\n- Lastly, keep the base operating systems patched (e.g.
sudo apt update<\/code>\/upgrade<\/code>) and scan for vulnerabilities (e.g. Nessus).<\/li>\n<\/ul>\n\n\n\nBut even the best security defences can be breached. And this is where detection and response becomes important. While there are a lot of security products that you can buy in the market to help with detection, there are also some good open source options. One of those is OSSEC<\/a>.<\/p>\n\n\n\nOSSEC provides a Host Based Intrusion Detection (HIDS) solution for Linux, Mac and Windows which is agent based and reports back to a server. It’s a lightweight solution, with a range of detection rules, and is actively developed.<\/p>\n\n\n\n
One of the negatives is that it doesn’t have a nice GUI, but by adding Prometheus and Grafana we can fix that. We can also tune the detection rules to monitor specific Cardano node directories.<\/p>\n\n\n\n
Building cnhids (in homage to cntools)<\/h3>\n\n\n\n
Installing cnhids is now as simple as running the script after downloading from GitHub<\/a>:<\/p>\n\n\n\nhttps:\/\/github.com\/adavault\/cnhids<\/a><\/p>\n\n\n\nWe do not recommend using the manual process and it will no longer be maintained (as the install script self documents).<\/p>\n\n\n\n
Manual build process<\/h4>\n\n\n\n
There are quite a few steps to this so it’s worth sumarising what you are going to do:<\/p>\n\n\n\n
\n- Setup the OSSEC server on a separate 20.04 LTS instance.<\/li>\n\n\n\n
- Configure promtail, loki to scrape logs from OSSEC<\/li>\n\n\n\n
- Setup Prometheus and Grafana to collect the data and display on our cnHids dashboard<\/li>\n\n\n\n
- Setup a custom metrics service to scrape info on total agents and active agents<\/li>\n\n\n\n
- Configure the OSSEC agents and connect them to the OSSEC server.<\/li>\n<\/ul>\n\n\n\n
Software components:<\/p>\n\n\n\n
\n- Ubuntu Server 20.04LTS.<\/li>\n\n\n\n
- OSSEC<\/a><\/li>\n\n\n\n
- Loki and Promtail<\/a><\/li>\n\n\n\n
- Prometheus<\/a><\/li>\n\n\n\n
- Grafana<\/a><\/li>\n\n\n\n
- Custom scraper<\/a><\/li>\n<\/ul>\n\n\n\n
Improvement areas:<\/p>\n\n\n\n
\n- Packages are running from \/var and \/opt which is good, but this installation process could be more scripted, (we figured if there is enough interest we will check with GuildOps to see if they want to include as an install script there). However it’s perfectly usable and secure as is.<\/li>\n\n\n\n
- At the moment there is no alerting, but this could be added to prometheus.<\/li>\n<\/ul>\n\n\n\n
Allow a couple of hours to build and configure this for your environment.<\/p>\n\n\n\n
Pre-requisites<\/h4>\n\n\n\n
We recommend running this on a separate server instance (1CPU core, 2GB RAM, 50-100GB disk), ideally in a separate firewall zone (The OSSEC manager listens on UDP port 1514, so you will need to allow UDP 1514 inbound so the agents can connect to the server). This server will also run the Prometheus and Grafana instances and the log collectors\/scrapers. These should all be bound to localhost expect for Grafana (0.0.0.0) as you will want to be able to connect to that remotely on the port configured (3000 by default).<\/p>\n\n\n\n
Assuming a fresh install of 20.04 on a server with an FQDN cnhids-server<\/code> we create a user cnhids<\/code> and directory structure as follows:<\/p>\n\n\n\n#Create a user and add them to sudoers\nsudo adduser cnhids\nsudo usermod -aG sudo cnhids\n\n#Log off then log back on as cnhids (while you are at it why not copy over ssh keys)\nexit\nssh-copy-id cnhids@cnhids-server\nssh cnhids@cnhids-server\n\n#Create directory structure (aligned with cnTools)\nsudo mkdir -p \/opt\/cardano\/cnhids\n#Change owner and group to cnhids\nsudo chown cnhids \/opt\/cardano\/cnhids\nsudo chgrp cnhids \/opt\/cardano\/cnhids\n<\/code><\/pre>\n\n\n\nInstall OSSEC Server<\/h4>\n\n\n\n
Next we set up the basic OSSEC server install:<\/p>\n\n\n\n
cd ~\nsudo apt update\nsudo apt upgrade\nsudo apt install gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget tar unzip -y\nwget https:\/\/github.com\/ossec\/ossec-hids\/archive\/3.6.0.tar.gz\ntar xzf 3.6.0.tar.gz\ncd ossec-hids-3.6.0\/\nsudo .\/install.sh\n#Follow the prompts to install server version of OSSEC\n(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]: \n...<\/code><\/pre>\n\n\n\nNow edit the default ossec.conf to add json output.:<\/p>\n\n\n\n
sudo nano \/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\nIn this case we have removed the email notification but you could choose to keep that. The <global> section needs to look like this:<\/p>\n\n\n\n
<global>\n <email_notification>no<\/email_notification>\n <jsonout_output>yes<\/jsonout_output>\n <\/global><\/code><\/pre>\n\n\n\nSave and exit, then restart the OSSEC server:<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/ossec-control restart<\/code><\/pre>\n\n\n\nSetup Promtail and Loki<\/h4>\n\n\n\n
Now you have the basic OSSEC server in place it’s time to collect data from the logs for Prometheus to store. Let’s install Promtail first:<\/p>\n\n\n\n
cd \/opt\/cardano\/cnhids\nmkdir promtail\ncd promtail\/\nwget https:\/\/github.com\/grafana\/loki\/releases\/download\/v2.1.0\/promtail-linux-amd64.zip\nunzip promtail-linux-amd64.zip\nchmod +x promtail-linux-amd64<\/code><\/pre>\n\n\n\nCreate the yaml:<\/p>\n\n\n\n
nano promtail.yaml<\/code><\/pre>\n\n\n\n…paste in this config (change your timezone location as needed) and save:<\/p>\n\n\n\n
server:\n http_listen_port: 8080\n grpc_listen_port: 0\n\npositions:\n filename: \/var\/ossec\/logs\/alerts\/promtail_positions.yaml\n\nclients:\n - url: http:\/\/localhost:3100\/api\/prom\/push\n\nscrape_configs:\n- job_name: ossec_alerts\n pipeline_stages:\n - json:\n expressions:\n # Extract the timestamp, level, group, and host from the JSON into the extracted map\n timestamp: TimeStamp\n level: rule.level\n group: rule.group\n host: hostname\n application: program_name\n srcuser: srcuser\n dstuser: dstuser\n - regex:\n # The host is wrapped in parens, extract just the string and essentially strip the parens\n source: host\n expression: '^\\((?P<host>\\S+)\\)'\n - template:\n # Pad the level with leading zeros so that grafana will sort the levels in increasing order\n source: level\n template: '{{ printf \"%02s\" .Value }}'\n - labels:\n # Set labels for level, group, and host\n level: ''\n group: ''\n host: ''\n application: ''\n srcuser: ''\n dstuser: ''\n - timestamp:\n # Set the timestamp\n source: timestamp\n format: UnixMs\n - metrics:\n # Export a metric of alerts, it will use the labels set above\n ossec_alerts_total:\n type: Counter\n description: count of alerts\n source: level\n config:\n action: inc\n static_configs:\n - targets:\n - localhost\n labels:\n job: ossec\n type: alert\n __path__: \/var\/ossec\/logs\/alerts\/alerts.json\n- job_name: ossec_firewall\n pipeline_stages:\n - regex:\n # The firewall log is not JSON, this regex will match all the parts and extract the groups into extracted data\n expression: '(?P<timestamp>\\d{4} \\w{3} \\d{2} \\d{2}:\\d{2}:\\d{2}) (?P<host>\\S+) {0,1}\\S{0,} (?P<action>\\w+) (?P<protocol>\\w+) (?P<src>[\\d.:]+)->(?P<dest>[\\d.:]+)'\n - regex:\n # This will match host entries that are wrapped in parens and strip the parens\n source: host\n expression: '^\\((?P<host>\\S+)\\)'\n - regex:\n # Some hosts are in the format `ossec -> ...` this will match those and only return the host name\n source: host\n expression: '^(?P<host>\\S+)->'\n - template:\n # Force the action (DROP or ALLOW) to lowercase\n source: action\n template: '{{ .Value | ToLower }}'\n - template:\n # Force the protocol to lowercase\n source: protocol\n template: '{{ .Value | ToLower }}'\n - labels:\n # Set labels for action, protocol, and host\n action: ''\n protocol: ''\n host: ''\n - timestamp:\n # Set the timestamp, we have to force the timezone because it doesn't exist in the log timestamp, update this for your servers timezone\n source: timestamp\n format: '2006 Jan 02 15:04:05'\n location: 'Europe\/London'\n - metrics:\n # Export a metric of firewall events, it will use the labels set above\n ossec_firewall_total:\n type: Counter\n description: count of firewall events\n source: action\n config:\n action: inc\n static_configs:\n - targets:\n - localhost\n labels:\n job: ossec\n type: firewall\n __path__: \/var\/ossec\/logs\/firewall\/firewall.log<\/code><\/pre>\n\n\n\nNext register as a service (create the systemd service definition):<\/p>\n\n\n\n
nano promtail.service<\/code><\/pre>\n\n\n\n…then paste the following into the file and save it:<\/p>\n\n\n\n
[Unit]\nDescription=Promtail Loki Agent\nAfter=loki.service\n\n[Service]\nType=simple\nUser=root\nExecStart=\/opt\/cardano\/cnhids\/promtail\/promtail-linux-amd64 -config.file promtail.yaml\nWorkingDirectory=\/opt\/cardano\/cnhids\/promtail\/\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nNow copy it across to systemd:<\/p>\n\n\n\n
sudo cp promtail.service \/etc\/systemd\/system\/promtail.service<\/code><\/pre>\n\n\n\nThe Loki setup follows a similar process:<\/p>\n\n\n\n
cd \/opt\/cardano\/cnhids\nmkdir loki\ncd loki\nmkdir chunks\nmkdir index\nwget https:\/\/github.com\/grafana\/loki\/releases\/download\/v2.1.0\/loki-linux-amd64.zip\nunzip loki-linux-amd64.zip\nchmod +x loki-linux-amd64<\/code><\/pre>\n\n\n\nCreate the yaml:<\/p>\n\n\n\n
nano loki-config.yaml<\/code><\/pre>\n\n\n\n…and paste this config into it, then save. You can increase the retention period but will need choose certain multiples of the schema period, these are set to give you about a months retention.<\/p>\n\n\n\n
auth_enabled: false\n\nserver:\n http_listen_port: 3100\n\ningester:\n lifecycler:\n address: 127.0.0.1\n ring:\n kvstore:\n store: inmemory\n replication_factor: 1\n final_sleep: 0s\n chunk_idle_period: 1m\n chunk_retain_period: 30s\n\nschema_config:\n configs:\n - from: 2018-04-15\n store: boltdb\n object_store: filesystem\n schema: v9\n index:\n prefix: index_\n period: 192h\n\nstorage_config:\n boltdb:\n directory: \/opt\/cardano\/cnhids\/loki\/index\n\n filesystem:\n directory: \/opt\/cardano\/cnhids\/loki\/chunks\n\nlimits_config:\n enforce_metric_name: false\n reject_old_samples: true\n reject_old_samples_max_age: 192h\n\nchunk_store_config:\n max_look_back_period: 0\n\ntable_manager:\n chunk_tables_provisioning:\n inactive_read_throughput: 0\n inactive_write_throughput: 0\n provisioned_read_throughput: 0\n provisioned_write_throughput: 0\n index_tables_provisioning:\n inactive_read_throughput: 0\n inactive_write_throughput: 0\n provisioned_read_throughput: 0\n provisioned_write_throughput: 0\n retention_deletes_enabled: true\n retention_period: 768h<\/code><\/pre>\n\n\n\nNext we register as a service, create the service definition:<\/p>\n\n\n\n
nano loki.service<\/code><\/pre>\n\n\n\n…then paste the following into the file and save it:<\/p>\n\n\n\n
[Unit]\nDescription=Loki Log Aggregator\nAfter=network.target\n\n[Service]\nType=simple\nUser=cnhids\nExecStart=\/opt\/cardano\/cnhids\/loki\/loki-linux-amd64 -config.file loki-config.yaml\nWorkingDirectory=\/opt\/cardano\/cnhids\/loki\/\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nLastly copy the service across to systemd:<\/p>\n\n\n\n
sudo cp loki.service \/etc\/systemd\/system\/loki.service<\/code><\/pre>\n\n\n\nInstall Prometheus<\/h4>\n\n\n\n
The prometheus install is pretty standard, we can use the latest version from the repo:<\/p>\n\n\n\n
cd \/opt\/cardano\/cnhids\nwget https:\/\/github.com\/prometheus\/prometheus\/releases\/download\/v2.24.1\/prometheus-2.24.1.linux-amd64.tar.gz\ntar -zxvf prometheus-2.24.1.linux-amd64.tar.gz<\/code><\/pre>\n\n\n\nEdit the .yaml, we just need to add some scrape configs at the end, otherwise it’s as default<\/p>\n\n\n\n
cd prometheus-2.24.1.linux-amd64\/\nnano prometheus.yml<\/code><\/pre>\n\n\n\nAnd edit so it looks like this (the only bit to change is adding the scrapes at the end):<\/p>\n\n\n\n
# my global config\nglobal:\n scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.\n evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.\n # scrape_timeout is set to the global default (10s).\n\n# Alertmanager configuration\nalerting:\n alertmanagers:\n - static_configs:\n - targets:\n # - alertmanager:9093\n\n# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.\nrule_files:\n # - \"first_rules.yml\"\n # - \"second_rules.yml\"\n\n# A scrape configuration containing exactly one endpoint to scrape:\n# Here it's Prometheus itself.\nscrape_configs:\n # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.\n - job_name: 'prometheus'\n\n # metrics_path defaults to '\/metrics'\n # scheme defaults to 'http'.\n\n static_configs:\n - targets: ['localhost:9090']\n - job_name: 'ossec'\n static_configs:\n - targets: ['localhost:8080']\n - job_name: 'ossec-metrics'\n static_configs:\n - targets: ['localhost:7070']\n - job_name: 'loki'\n static_configs:\n - targets: ['localhost:3100']<\/code><\/pre>\n\n\n\nCreate the service definition:<\/p>\n\n\n\n
nano prometheus.service<\/code><\/pre>\n\n\n\n…and paste in this content then save:<\/p>\n\n\n\n
[Unit]\nDescription=Prometheus Metrics\nAfter=network.target\n\n[Service]\nType=simple\nUser=cnhids\nExecStart=\/opt\/cardano\/cnhids\/prometheus-2.24.1.linux-amd64\/prometheus --storage.tsdb.retention.time=30d\nWorkingDirectory=\/opt\/cardano\/cnhids\/prometheus-2.24.1.linux-amd64\/\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nLastly copy across to systemd:<\/p>\n\n\n\n
sudo cp prometheus.service \/etc\/systemd\/system\/prometheus.service<\/code><\/pre>\n\n\n\nSetup Grafana<\/h4>\n\n\n\n
It’s a vanilla install for Grafana:<\/p>\n\n\n\n
cd \/opt\/cardano\/cnhids\nwget https:\/\/dl.grafana.com\/oss\/release\/grafana-7.3.7.linux-amd64.tar.gz\ntar -zxvf grafana-7.3.7.linux-amd64.tar.gz<\/code><\/pre>\n\n\n\nCreate the service definition:<\/p>\n\n\n\n
cd grafana-7.3.7\nnano grafana.service<\/code><\/pre>\n\n\n\n…and paste this in then save:<\/p>\n\n\n\n
[Unit]\nDescription=Grafana UI\nAfter=network.target\n\n[Service]\nType=simple\nUser=cnhids\nExecStart=\/opt\/cardano\/cnhids\/grafana-7.3.7\/bin\/grafana-server\nWorkingDirectory=\/opt\/cardano\/cnhids\/grafana-7.3.7\/\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n..and copy across to systemd:<\/p>\n\n\n\n
sudo cp grafana.service \/etc\/systemd\/system\/grafana.service<\/code><\/pre>\n\n\n\nSetup up the custom OSSEC-metrics scrapper<\/h4>\n\n\n\n
There’s no easy way to scrape the agents information by tailing the OSSEC logs but fortunately Ed Welch has built a simple app called ossec-metrics<\/a> to execute some OSSEC commands and parse the output. <\/p>\n\n\n\nThe setup is a little more involved as we need to compile it using go-lang.<\/p>\n\n\n\n
cd \/opt\/cardano\/cnhids\nsudo apt install golang-go\nmkdir ossec-metrics\ncd ossec-metrics\/\nwget https:\/\/github.com\/slim-bean\/ossec-metrics\/archive\/v0.1.0.tar.gz\ntar -zxvf v0.1.0.tar.gz\ncd ossec-metrics-0.1.0\/\ngo build -o ossec-metrics cmd\/ossec-metrics\/main.go\nmv ossec-metrics ..\/\ncd ..\nchmod +x ossec-metrics<\/code><\/pre>\n\n\n\nNow create the service definition as usual<\/p>\n\n\n\n
nano ossec-metrics.service<\/code><\/pre>\n\n\n\n…and paste in and save:<\/p>\n\n\n\n
[Unit]\nDescription=Ossec Metrics exposes OSSEC info for prometheus to scrape\nAfter=network.target\n\n[Service]\nType=simple\nUser=root\nExecStart=\/opt\/cardano\/cnhids\/ossec-metrics\/ossec-metrics\nWorkingDirectory=\/opt\/cardano\/cnhids\/ossec-metrics\/\nRestart=always\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nCopy across to systemd:<\/p>\n\n\n\n
sudo cp ossec-metrics.service \/etc\/systemd\/system\/ossec-metrics.service<\/code><\/pre>\n\n\n\nFinal configurations<\/h4>\n\n\n\n
Let’s test the services one by, for each service you should get a clean start and no errors. If you do go back and check that service:<\/p>\n\n\n\n
sudo systemctl daemon-reload\nsudo systemctl start prometheus.service\nsudo systemctl status prometheus.service\nsudo systemctl start loki\nsudo systemctl status loki\nsudo systemctl start promtail\nsudo systemctl status promtail.service\nsudo systemctl start ossec-metrics.service\nsudo systemctl status ossec-metrics.service\nsudo systemctl start grafana.service\nsudo systemctl status grafana.service<\/code><\/pre>\n\n\n\nAssuming they all started successfully then set them to start at boot:<\/p>\n\n\n\n
sudo systemctl enable prometheus.service\nsudo systemctl enable loki.service\nsudo systemctl enable promtail.service\nsudo systemctl enable ossec-metrics.service\nsudo systemctl enable grafana.service<\/code><\/pre>\n\n\n\nAlmost done, time to get a cup of tea and take a break….<\/p>\n\n\n\n
Dashboards<\/h4>\n\n\n\n
The last step of this section is to log-on to Grafana and add the dashboard. Open your browser and navigate to:<\/p>\n\n\n\n
https://cnhids-server:3000<\/code><\/pre>\n\n\n\nThe default user is admin and empty password, Grafana will ask you to set a password. Once you have logged into Grafana add two new datasources. First a Prometheus datasource:<\/p>\n\n\n\n![\"\"](\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\")
<\/figure>\n\n\n\nThen a Loki datasource:<\/p>\n\n\n\n<\/figure>\n\n\n\nNow you can import the dashboard by hovering over the + symbol on the left panel and selecting import then pasting in this json<\/a> <\/a>file<\/a>.<\/p>\n\n\n\n<\/figure>\n<\/div>\n\n\nAnd you should have a dashboard with some content populating from the OSSEC server. At the moment you only have one agent reporting which is on the OSSEC server itself. So the last steps are to add agents on the servers you want to monitor and then connect them to the OSSEC server.<\/p>\n\n\n\n
Add some agents<\/h3>\n\n\n\n
SSH to the server you want to add the agent to then:<\/p>\n\n\n\n
cd ~\nsudo apt install gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget tar -y\nwget https:\/\/github.com\/ossec\/ossec-hids\/archive\/3.6.0.tar.gz\ntar xzf 3.6.0.tar.gz\ncd ossec-hids-3.6.0\/\nsudo .\/install.sh<\/code><\/pre>\n\n\n\nFollow the prompts:<\/p>\n\n\n\n
(en\/br\/cn\/de\/el\/es\/fr\/hu\/it\/jp\/nl\/pl\/ru\/sr\/tr) [en]: en\n1- What kind of installation do you want (server, agent, local, hybrid or help)? agent\n2- Choose where to install the OSSEC HIDS [\/var\/ossec]: \/var\/ossec\n3.1- What's the IP Address or hostname of the OSSEC HIDS server?: cnhids-server\n3.2- Do you want to run the integrity check daemon? (y\/n) [y]: y\n3.3- Do you want to run the rootkit detection engine? (y\/n) [y]: y\n3.4 - Do you want to enable active response? (y\/n) [y]: n<\/code><\/pre>\n\n\n\nAt this time we don’t suggest enabling active response as you don’t want to inadvertently stop your node from producing a block at a critical time if the network host gets blocked. If use becomes more widespread and we get confident this is safe then this may change.<\/p>\n\n\n\n
Make a note of the client ip (ip a<\/code>) then SSH to the OSSEC server and register the agent:<\/p>\n\n\n\nsudo \/var\/ossec\/bin\/manage_agents\n\n****************************************\n* OSSEC HIDS v3.6.0 Agent manager. *\n* The following options are available: *\n****************************************\n (A)dd an agent (A).\n (E)xtract key for an agent (E).\n (L)ist already added agents (L).\n (R)emove an agent (R).\n (Q)uit.\nChoose your action: A,E,L,R or Q: a\n\n- Adding a new agent (use '\\q' to return to the main menu).\n Please provide the following:\n * A name for the new agent: agent-name\n * The IP Address of the new agent: 192.168.1.2\n * An ID for the new agent[001]:\nAgent information:\n ID:001\n Name:agent-name\n IP Address:192.168.1.2\n\nConfirm adding it?(y\/n): y\nAgent added with ID 001.\n<\/code><\/pre>\n\n\n\nExtract the key with ‘e’, and copy this, run the same process on the agent:<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/manage_agents\n#And follow the prompts to paste the key in and register the agent<\/code><\/pre>\n\n\n\nIf you are monitoring a cardano node then open the ossec.conf files and add cnode dirs (the paths are set assuming you are using using cnTools):<\/p>\n\n\n\n
sudo nano \/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\nAdd the following lines to the file below the existing directory lines…<\/p>\n\n\n\n
<directories check_all=\"yes\">\/opt\/cardano\/cnode\/priv,\/opt\/cardano\/cnode\/files,\/opt\/cardano\/cnode\/scripts<\/directories>\n<directories check_all=\"yes\">\/home\/cardano\/.cabal\/bin<\/directories><\/code><\/pre>\n\n\n\nLastly restart the agent (if it’s the first agent you’ve added you will need to restart the OSSEC server as well with this command):<\/p>\n\n\n\n
sudo \/var\/ossec\/bin\/ossec-control restart<\/code><\/pre>\n\n\n\nYou should see the agent appear on the dashboard within a couple of minutes, it will spend a little while setting scanning the server before it reports in to the OSSEC server. If its not there after 10 minutes check firewall ports aren’t blocking traffic.<\/p>\n\n\n\n
Repeat for each server you want to monitor.<\/p>\n\n\n\n
Thanks go to….<\/h4>\n\n\n\n
This guide was inspired by:<\/p>\n\n\n\n
![\"\"](\"https:\/\/adavault.com\/wp-content\/uploads\/2021\/01\/Screenshot-2021-01-28-at-21.10.57-605x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adavault.com\/wp-content\/uploads\/2021\/01\/Screenshot-2021-01-28-at-21.10.34-1-665x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adavault.com\/wp-content\/uploads\/2021\/01\/Screenshot-2021-01-28-at-21.43.48-e1611870318842.png\")
<\/figure>\n<\/div>\n\n\n