Difference between revisions of "KHIKA App for IIS WebServer"

(Adding the device in the KHIKA)
(Extract key from KHIKA OSSEC Server)
Line 120: Line 120:
  
 
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Windows server.
 
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Windows server.
 +
 +
== Installing OSSEC Agent for Windows ==
 +
 +
Download OSSEC agent for Microsoft Windows from KHIKA install directory. The agent is shipped with KHIKA installer and is located on KHIKA Server in /opt/KHIKA/UTILS/OSSEC directory. For Windows you will need to select the Windows installer with filename ossec-win32-agent.zip. This works for both 32-bit and 64-bit windows servers OS versions.
 +
 +
Copy the downloaded installer on your Windows server (using winscp or your favourite scp client) and run installer with local "Admin" on the Server.
 +
Please Note : It is extremely important to install the OSSEC agent with admin privileges as this agent reads the security logs and in order to read it successfully, it has to be the local Admin.
 +
Select the installer file and Press "Run"
 +
 +
[[File:Win15.jpg|500px]]
 +
 +
Click Next
 +
 +
[[File:Win16.jpg|500px]]
 +
 +
Select  "I Agree" and proceed
 +
 +
[[File:Win17.jpg|500px]]
 +
 +
Keep the default selection in the next window and click Next
 +
 +
[[File:Win18.jpg|500px]]
 +
 +
Enter the location to install the OSSEC agent on the local drive and let the installation complete
 +
 +
[[File:Win19.jpg|500px]]
 +
 +
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your Windows Server. (Go to your Service Control Panel and check for OSSEC HIDS Service)
 +
 +
[[File:Win20.jpg|500px]]
 +
 +
NOTE :- You will have to repeat these steps on all the Windows Servers that you wish to monitor using KHIKA.
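Review bot: the added section names the download as ossec-win32-agent.zip but then goes straight to 'Select the installer file and Press "Run"', with no step for extracting the archive or for identifying the executable inside it; add that step before the Run instruction. The section also ends at the service check, while the context line just above it tells the reader to paste the key into the agent, so it should either cover where the key is entered in the agent or point to the section that does.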

Revision as of 06:00, 18 July 2019

Introduction

IIS web servers form an important part of an organisation's network, and hence monitoring them is imperative.

With KHIKA App for IIS webserver, you can:

  • Monitor hundreds of IIS servers at one central place.
  • Monitor the HTTP error status of URLs accessed on your servers.
  • View the top N URLs, along with the average and total time taken by each URL on your servers.
  • Monitor the total requests per user on your servers.

Below we explain the steps to configure KHIKA App for IIS Webserver and interpret its output. The key parts are:

  1. Install the KHIKA App for IIS Webserver
  2. Get data from your IIS Webserver into KHIKA Aggregator

How to Install the KHIKA App for IIS WebServer?

This section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read how to configure KHIKA Data Aggregator and perform the pre-requisite steps.

This section explains how to pick and install the KHIKA application for IIS WebServers. Installing the application puts together and activates the adapter (parser) that can handle the Windows data format, along with the preconfigured dashboards and alert rules.

Go to the “Applications” tab in the “Configure” menu.

Win1.jpg

Check whether the appropriate Workspace is selected. Note: An application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces. Also select your KHIKA aggregator name in the Node dropdown. This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and components.

Win2.jpg

Click on the “+” button next to the Windows Server App. A pop-up appears.

Win3.jpg

You can now select the contents of the application that you require. For example, click on the dropdown for “Reports” to expand it and see the list of all reports. Select individual reports by checking the checkbox next to each one, or check the “Select All” option to get all of them. Similarly, you can select contents from Alerts and Dashboards.

What are KHIKA Reports

What are KHIKA Dashboards

What are KHIKA Alerts

Click “Install” to proceed with the installation of the selected Application. If you have created multiple Windows workspaces in KHIKA and installed the Windows App previously, you will get the pop-up below.

Win4.jpg

Click on OK to proceed. If this is not the case, ignore this step. After successful installation, the following status should be displayed.

Win5.jpg

Click on the Close button. This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts, all in one click.

How to get your IIS WebServer data into KHIKA?

KHIKA recommends the popular open source OSSEC integration to monitor Windows servers. There are 2 components in the OSSEC integration with KHIKA.

  1. OSSEC Agent – Installed on each Windows server which we wish to monitor
  2. OSSEC Server – Present on KHIKA Data Aggregator (which you have installed before)

The OSSEC agent and server communicate with each other using a unique key for encryption. The main steps to start getting data from a Windows server are:

  1. Add the Windows server details in KHIKA
  2. Extract a unique key for this device from KHIKA
  3. Install the OSSEC agent on the Windows server
  4. Insert this key in the OSSEC agent (i.e. on the Windows server to be monitored)
  5. Reload Configuration in KHIKA
  6. Verify data collection in KHIKA

Each of these steps is explained in detail in the following sections.

Adding the device in the KHIKA

Go to the Adapter tab from the “Configure” menu. Click on the “Manage Devices” icon.

Win6.jpg

A pop-up appears for device details.

Win7.jpg

Click on the “Add / Modify Device” tab. Another pop-up appears for device details.

Win8.jpg

Enter the expected device name. In the field for IP address, enter “any”. Please note: Always enter the IP Address as “any”. This is a safe and sure option for establishing the connection, because it tells the OSSEC agent that it may use “any” of its configured IPs to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure of what IP will be used for the connection, the connection will fail. Hence, use “any”.

Select the appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. Click on Submit. We get a success message and the device is added successfully to this adapter.

Win9.jpg

Finally, go to the Workspace tab and click on the “Apply Configuration” icon.

Win10.jpg

We get a confirmation message here too, saying “Changes Applied”.


Extract key from KHIKA OSSEC Server

Now the expected Windows server is added in the relevant KHIKA Adapter (parser) that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.

Win11.jpg

A pop-up with device details of the adapter appears. Select the “List of Devices” tab.

Win12.jpg

Click on the “Get OSSEC Key” icon next to this device.

Win13.jpg

Win14.jpg

This is the unique key for this device created by the OSSEC server. Paste this key in the OSSEC agent which is installed on this Windows server.
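A sanity check that can be run on the copied key before pasting it into the agent, added here as an example and not part of KHIKA or OSSEC. It assumes the key uses the standard OSSEC export format (base64 of `id name ip secret`); the device name `iis-web-01` and the sample keys are constructed.

```python
import base64
import binascii
import re


def constructed_key(name: str, ip: str) -> str:
    """Build a constructed sample key (not a real one) for demonstration."""
    return base64.b64encode(f"001 {name} {ip} {'0' * 64}".encode()).decode()


def parse_ossec_key(exported: str) -> dict:
    """Decode an exported agent key; the secret itself is never returned."""
    try:
        raw = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not valid base64 (truncated or altered paste?)") from exc
    parts = raw.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields (id name ip secret), got {len(parts)}")
    agent_id, name, ip, secret = parts
    return {"id": agent_id, "name": name, "ip": ip, "secret_len": len(secret)}


def check_key(exported: str, expected_name: str) -> list:
    """Return a list of problems; an empty list means the key fits the device."""
    try:
        fields = parse_ossec_key(exported)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not re.fullmatch(r"\d+", fields["id"]):
        problems.append(f"agent id {fields['id']!r} is not numeric")
    if fields["name"] != expected_name:
        problems.append(f"key belongs to {fields['name']!r}, not {expected_name!r}")
    if fields["ip"] != "any":
        # This page registers every device with the IP address "any".
        problems.append(f"IP field is {fields['ip']!r}, expected 'any'")
    return problems


if __name__ == "__main__":
    key = constructed_key("iis-web-01", "any")
    print(check_key(key, "iis-web-01") or "key matches device")
```

The key is the shared secret between agent and server, so run the check locally and keep the key out of tickets, chat and shell history.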

Installing OSSEC Agent for Windows

Download the OSSEC agent for Microsoft Windows from the KHIKA install directory. The agent is shipped with the KHIKA installer and is located on the KHIKA Server in the /opt/KHIKA/UTILS/OSSEC directory. For Windows, select the Windows installer with the filename ossec-win32-agent.zip. This works for both 32-bit and 64-bit Windows Server OS versions.

Copy the downloaded installer to your Windows server (using winscp or your favourite scp client) and run the installer as local "Admin" on the server.

Please Note: It is extremely important to install the OSSEC agent with admin privileges, as this agent reads the security logs and, in order to read them successfully, it has to be the local Admin.

Select the installer file and press "Run".

Win15.jpg

Click Next

Win16.jpg

Select "I Agree" and proceed

Win17.jpg

Keep the default selection in the next window and click Next

Win18.jpg

Enter the location to install the OSSEC agent on the local drive and let the installation complete

Win19.jpg

After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your Windows Server. (Go to your Service Control Panel and check for OSSEC HIDS Service)

Win20.jpg

NOTE: You will have to repeat these steps on all the Windows Servers that you wish to monitor using KHIKA.