OSSEC - Adding agent to the server

August 04, 2016

Summary: How to add an agent to the server in an OSSEC server-agent setup using the manage_agents binary.


Step 1: Add agent on the server

[email protected]: ~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
Choose your actions: A,E,L,R or Q: A

- Adding a new agent (use ‘q’ to return to main menu).
Please provide the following:
    * A name for the new agent: client0001
    * The IP Address for the new agent: 192.168.1.2
    * An ID for the new agent[001]:
Agent information:
    ID:001
    Name:client0001
    IP Address:192.168.1.2

Confirm adding it?(y/n): y
Added.

Step 2: Extract key

[email protected]: ~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
Choose your actions: A,E,L,R or Q: E

Available agents:
    ID: 001, Name: agent0001, IP: 192.168.1.2
Provide the ID of the agent you want to extract the key: 001

Agent key information for '001' is:
MDE3IE5OLVVLIDU0LjFkNmExNWJiNzUyNjA2NGJlMTc5NDQ4YTgzMQ==

** Press ENTER to continue

Step 3: Add key to agent

[email protected]: ~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
    (I)mport key for the server (I).
    (Q)uit.
Choose your actions: I or Q: I

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDE3IE5OLVVLIDU0LjFkNmExNWJiNzUyNjA2NGJlMTc5NDQ4YTgzMQ==

Agent information:
    ID:001
    Name:server0001
    IP Address:192.168.1.2

Confirm adding it?(y/n): y

Added.
** Press ENTER to continue.

Done

  • The OSSEC agent on agent0001 should be able to connect to the server now (maybe the server needs to be restarted first? not sure)
  • If not, check these few things:
    • Is the server IP correct in the agent's ossec.conf?
      <client>
      <server-ip>192.168.1.1</server-ip>
      </client>
    • Does the agent's external IP match the one you entered in step 1?
      • You can check using curl icanhazip.com
      • If your server has multiple IPs, you might need to add a static route to route traffic to the server via that specific IP
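
The IP check in the list above can be done against the key itself. This is an added example, not part of the original post or of OSSEC: it assumes the string printed in step 2 is the base64 of the agent's "ID NAME IP KEY" line, and that the registered IP may be a single address, a CIDR range, or "any". The sample key is constructed, and the function names are hypothetical.

```python
import base64
import binascii
import ipaddress

def parse_agent_key(b64_key):
    """Decode an extracted agent key into its ID, name, IP and secret fields.

    The decoded text contains the agent's shared secret: do not log or print it.
    """
    try:
        decoded = base64.b64decode(b64_key.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("key is not clean base64 (stray spaces or newlines?)") from exc
    fields = decoded.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields (ID NAME IP KEY), got %d" % len(fields))
    return dict(zip(("id", "name", "ip", "secret"), fields))

def ip_allowed(registered, observed):
    """True if the observed source IP satisfies the IP registered in step 1."""
    if registered == "any":
        return True
    # strict=False lets a single address be treated as a /32 (or /128) network.
    network = ipaddress.ip_network(registered, strict=False)
    return ipaddress.ip_address(observed) in network

def check_key(b64_key, agent_id, observed_ip):
    """Return a list of problems; an empty list means the key matches."""
    info = parse_agent_key(b64_key)
    problems = []
    if info["id"] != agent_id:
        problems.append("key is for agent ID %s, not %s" % (info["id"], agent_id))
    if not ip_allowed(info["ip"], observed_ip):
        problems.append("server expects %s but agent connects from %s"
                        % (info["ip"], observed_ip))
    return problems

# Constructed sample key (not a real agent key): ID 001, 192.168.1.2, dummy secret.
SAMPLE_KEY = base64.b64encode(
    b"001 client0001 192.168.1.2 " + b"0123456789abcdef" * 4).decode()

if __name__ == "__main__":
    # Second address simulates an agent whose traffic leaves via another IP.
    for ip in ("192.168.1.2", "192.168.1.7"):
        print(ip, check_key(SAMPLE_KEY, "001", ip) or "OK")
```

Run it on the agent with the address reported by the curl check as `observed_ip`, and treat the key string like a password while doing so.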