akmalhisyam.my

OSSEC - Adding agent to the server


Summary: How to add an agent to the server in an OSSEC server-agent setup using the manage_agents binary


Step 1: Add agent on the server

root@server: ~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
Choose your actions: A,E,L,R or Q: A

- Adding a new agent (use 'q' to return to main menu).
Please provide the following:
    * A name for the new agent: client0001
    * The IP Address for the new agent: 192.168.1.2
    * An ID for the new agent[001]:
Agent information:
    ID:001
    Name:client0001
    IP Address:192.168.1.2

Confirm adding it?(y/n): y
Added.

Step 2: Extract key

root@server: ~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
    (A)dd an agent (A).
    (E)xtract key for an agent (E).
    (L)ist already added agents (L).
    (R)emove an agent (R).
    (Q)uit.
Choose your actions: A,E,L,R or Q: E

Available agents:
    ID: 001, Name: agent0001, IP: 192.168.1.2
Provide the ID of the agent you want to extract the key: 001

Agent key information for '001' is:
MDE3IE5OLVVLIDU0LjFkNmExNWJiNzUyNjA2NGJlMTc5NDQ4YTgzMQ==

** Press ENTER to continue

Step 3: Add key to agent

root@agent: ~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
    (I)mport key for the server (I).
    (Q)uit.
Choose your actions: I or Q: I

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDE3IE5OLVVLIDU0LjFkNmExNWJiNzUyNjA2NGJlMTc5NDQ4YTgzMQ==

Agent information:
    ID:001
    Name:server0001
    IP Address:192.168.1.2

Confirm adding it?(y/n): y

Added.
** Press ENTER to continue.

Done

  • The OSSEC agent on agent0001 should be able to connect to the server now (maybe the server needs to be restarted first? Not sure)
  • If not, check these few things:
    • Is the server IP correct in the agent's ossec.conf?
        <client>
          <server-ip>192.168.1.1</server-ip>
        </client>
    • Does the agent's external IP match the one you entered in step 1?
      • You can check using curl icanhazip.com
      • If your server has multiple IPs, you might need to add a static route to route traffic to the server via that specific IP
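
The IP check above can also be run against the key itself before importing it in step 3: the string printed in step 2 is the base64 encoding of the agent's `ID NAME IP SECRET` entry, so it is a credential and should be handled like one. The script below is an added example, not part of the original post; the function names, return codes and sample key are constructed for illustration, and it assumes a `base64` that accepts `-d`. OSSEC also accepts `any` or a CIDR range as the agent address, which the check reports separately.

```shell
#!/bin/sh
# Added example: sanity-check an OSSEC agent key before importing it (step 3).
# The key from step 2 is base64 of "ID NAME IP SECRET", so treat it as a secret.

# Print "ID NAME IP" for a key (secret withheld); return 1 if malformed.
agent_key_fields() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    read -r id name ip secret extra <<EOF
$decoded
EOF
    [ -n "$secret" ] && [ -z "$extra" ] || return 1
    printf '%s %s %s\n' "$id" "$name" "$ip"
}

# usage: check_agent_key KEY EXPECTED_ID AGENT_IP
# returns 0 ok, 1 mismatch, 2 malformed key, 3 range needs a manual check
check_agent_key() {
    fields=$(agent_key_fields "$1") || { echo "malformed key"; return 2; }
    read -r id name ip <<EOF
$fields
EOF
    [ "$id" = "$2" ] || { echo "ID mismatch: key has $id, expected $2"; return 1; }
    case "$ip" in
        any|"$3") echo "ok: agent $id ($name) is registered for $ip"; return 0 ;;
        */*) echo "key holds range $ip; confirm $3 is inside it"; return 3 ;;
        *) echo "IP mismatch: key has $ip, agent connects from $3"; return 1 ;;
    esac
}

# Constructed sample key (hypothetical secret), built the same way as a real one.
SAMPLE_KEY=$(printf '%s' "001 client0001 192.168.1.2 constructed0secret0value" \
    | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 001 192.168.1.2
```

Pass the address the agent actually connects from (for example the output of the `curl icanhazip.com` check) as the third argument.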