Compiling the OSSEC Windows Agent on Windows

Most people who use the OSSEC Windows agent download a pre-compiled copy from the OSSEC site. That is a good option for many individual users, but it may not suit those with more specific needs or those in enterprise environments. Users in those categories could benefit from customizing the agent and maintaining internal builds.

There are already instructions on how to compile the Windows agent on Linux, but ironically the process doesn’t work so well on Windows. I had a need to make this work on Windows, so I thought I would share the process with you.

First, there are some prerequisites.  You’ll need:

Here are the steps:

  1. Download and install the required programs. Be sure to pay special attention to the steps for properly installing and configuring MinGW, particularly the part about modifying the PATH environment variable.
  2. Next, we’re going to extract OSSEC using 7-Zip. Right-click on the file, select 7-Zip, and choose extract to “folder name.tar,” where folder name is the name of the package. This decompresses the archive. Navigate into that folder and repeat this step to untar the archive. At this point, you should see all of the files in the package.
  3. Place gen_win.txt in the src\win32 folder and rename the extension to .cmd.
  4. Download Unix2DOS and place it in the src\win32 folder.
  5. Open a command prompt. Navigate to src\win32, make any desired customizations, and execute gen_win.cmd. This should gather all of the required files and place them in src\win-pkg.
  6. Next, we compile the Windows agent by navigating to src\win-pkg and executing make.bat (I assume you have the chops to know how to change directories :) ).
  7. Now we have all of the files we need but no way to effectively install them. To generate the installer, execute the NSIS compiler like so: "c:\Program Files\NSIS\makensis.exe" ossec-installer.nsi

If you see no errors and a binary named ossec-win32-agent.exe, everything was successful. Congratulations, you now have a custom-made version of OSSEC!
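
For internal builds that are repeated, steps 5 to 7 can be scripted so that a failed step stops the build instead of going unnoticed. The PowerShell below is an added example, not part of the original post or of OSSEC. It assumes that `-SrcRoot` points at the extracted source tree, that ossec-installer.nsi ends up in src\win-pkg, and that the installer script names its files relative to that folder.

```powershell
# Added example, not part of the original post. Automates steps 5-7.
# Assumptions: -SrcRoot is the extracted OSSEC source tree, and
# ossec-installer.nsi sits in src\win-pkg with file names relative to it.
param(
    [Parameter(Mandatory = $true)][string]$SrcRoot,
    [string]$MakeNsis = 'C:\Program Files\NSIS\makensis.exe'
)
$ErrorActionPreference = 'Stop'
$win32     = Join-Path $SrcRoot 'src\win32'
$winPkg    = Join-Path $SrcRoot 'src\win-pkg'
$nsi       = Join-Path $winPkg  'ossec-installer.nsi'
$installer = Join-Path $winPkg  'ossec-win32-agent.exe'

# Run a command from a given directory and always restore the caller's location.
function Invoke-In {
    param([string]$Dir, [scriptblock]$Command)
    Push-Location $Dir
    try { & $Command } finally { Pop-Location }
}

# Step 5: gather the files. Batch exit codes are not trusted here, so the
# result is judged by what exists on disk afterwards.
Invoke-In $win32 { cmd /c gen_win.cmd }
if (-not (Test-Path $nsi)) { throw "gen_win.cmd did not produce $nsi" }

# Step 6: compile.
Invoke-In $winPkg { cmd /c make.bat }

# Before step 7: every plain 'File name' line in the installer script must
# resolve to something that was built. Lines with options (/r, /oname=...)
# or trailing comments are skipped by this simple pattern.
$missing = Select-String -Path $nsi -Pattern '^\s*File\s+"?([^"/\s][^"\s]*)"?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Where-Object { -not (Test-Path (Join-Path $winPkg $_)) }
if ($missing) { throw "Referenced by the installer script but missing: $($missing -join ', ')" }

# Step 7: build the installer. Delete any stale copy first so an old binary
# cannot be mistaken for a successful build.
Remove-Item $installer -ErrorAction SilentlyContinue
Invoke-In $winPkg { & $MakeNsis ossec-installer.nsi }
if ($LASTEXITCODE -ne 0) { throw "makensis exited with code $LASTEXITCODE" }
if (-not (Test-Path $installer)) { throw "makensis ran but $installer is missing" }

# Record the SHA-256 of the installer so deployed copies can be checked against this build.
Get-FileHash -Algorithm SHA256 -Path $installer | Format-List Path, Hash
```

Keeping the printed hash with the build record lets you confirm later that the agent installed on a host is the one you compiled.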

3 comments on “Compiling the OSSEC Windows Agent on Windows”
  1. Nathaniel says:

    Thanks for this post Micheal – I was wondering how I could recompile the manage_agents.exe to compensate for its prompting (Y/N) when using the -i switch.
    Discussion here:

  2. Colin says:

    When I follow these instructions I get the error:

    File: “ossec-lua.exe” -> no files found

    This is not surprising since there is nothing in make.bat that appears to attempt to compile it and an associated program. A quick glance at reveals additional statements:

    cd lua
    make -f Makefile.mingw mingw
    cd ../
    cp lua/ossec-lua.exe ossec-lua.exe
    cp lua/ossec-luac.exe ossec-luac.exe

    Sadly they don’t work as mingw produces an error and lauxlib.c has an error on line 229 which says that there is no such file as sys/wait.h. Commenting that line out results in warnings but compilation fails later in loadlib.c when it also complains about dlfn.h not being found.

    I don’t know what ossec-lua is supposed to do, perhaps it is not needed and shouldn’t be included in ossec-installer.nsi.
