Reputation: 1266
I'm given the task of setting up OSSEC for our environment. We have 200 Windows servers all over the US that need to be monitored. I successfully installed the server on an Ubuntu machine and, as a test, I installed the agent on a Windows box. As part of the installation, I created a key from the OSSEC server and copied it to the agent during installation using the MSI. Everything works after some headbanging.
Now, I have to install the agent on 200 servers. Do I have to generate a unique key for each of the 200 agents as part of installation by going to the OSSEC server each time? I certainly hope not (I have tears in my eyes). Is there a fast way to install the agent without having to keep extracting a key from the server? Those who will be helping me to install the agents do not have access to the OSSEC server. Is there something like a "bulk key generator"? Thanks in advance.
Upvotes: 0
Views: 175
Reputation: 26
I would recommend using ossec-authd: https://www.ossec.net/docs/docs/manual/agent/agent-auth.html
Once you configure authd on the server, you can use port 1515 (the default port) over TCP to kind of automate it. You can also create a file called "authd.pass" within /var/ossec/etc on your OSSEC server. This file will need to contain a 32-character password, and then you will need to kill the ossec-authd PID and start it again to reflect the changes. You may want to add the -i flag to ossec-authd as well to preserve the IP address: instead of having it say "hostname ossec-agent01 | IP: ANY", it will say "hostname ossec-agent01 | IP: 192.168.1.10", for example.
Using authd with a password, you could then use something like SCCM/Ansible or anything else you may use to then say 'c:\program files\ossec-agent\agent-auth.exe -m ossec_server_ip -p authd_port -P password' to connect each server to the OSSEC server.
Upvotes: 1
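The password step from the answer above, as an added shell example (not part of the original post and not OSSEC's own tooling): it generates the 32-character authd.pass, writes it so other local users can never read it, checks the result, and restarts ossec-authd with -i. The function names, the OSSEC_ETC variable, the --apply switch and the /var/ossec/bin path (default install prefix) are assumptions.

```shell
#!/bin/sh
# Added example: provision the shared enrollment password for ossec-authd.
# The authd.pass location and the -i flag come from the answer above;
# function names, OSSEC_ETC and --apply are hypothetical.

OSSEC_ETC="${OSSEC_ETC:-/var/ossec/etc}"   # overridable for a dry run elsewhere

# Print a random 32-character alphanumeric password.
gen_authd_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Succeed only if the file's first line is exactly 32 characters long and
# the file grants no permissions at all to "other" users.
check_authd_pass() {
    f="$1"
    [ -f "$f" ] || return 1
    pw=$(head -n 1 "$f")
    [ "${#pw}" -eq 32 ] || return 1
    [ -z "$(find "$f" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Write authd.pass without a window in which it is world-readable: create
# a temp file under umask 077, set the final mode, then rename into place.
# Ownership (user/group) is left to the administrator.
write_authd_pass() {
    dir="$1"
    tmp="$dir/.authd.pass.$$"
    ( umask 077 && printf '%s\n' "$(gen_authd_password)" > "$tmp" ) || return 1
    chmod 640 "$tmp" && mv -f "$tmp" "$dir/authd.pass"
    check_authd_pass "$dir/authd.pass"
}

# Restart ossec-authd so it picks up the new password; -i records the
# connecting agent's IP instead of "any". Needs root on the OSSEC server.
restart_authd() {
    pkill -x ossec-authd || true
    /var/ossec/bin/ossec-authd -i
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    write_authd_pass "$OSSEC_ETC" && restart_authd
fi
```

The password then has to reach the deployment tool that runs agent-auth.exe with -P, so store it there as a protected secret rather than in a plain script.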