OSSEC - Adding agent to the server
Summary: How to add an agent to the server in an OSSEC server-agent setup using the manage_agents binary
Step 1: Add agent on the server
[email protected]: ~# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,L,R or Q: A
- Adding a new agent (use 'q' to return to main menu).
Please provide the following:
* A name for the new agent: client0001
* The IP Address for the new agent: 192.168.1.2
* An ID for the new agent[001]:
Agent information:
ID:001
Name:client0001
IP Address:192.168.1.2
Confirm adding it?(y/n): y
Added.
Step 2: Extract key
[email protected]: ~# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,L,R or Q: E
Available agents:
ID: 001, Name: agent0001, IP: 192.168.1.2
Provide the ID of the agent you want to extract the key: 001
Agent key information for '001' is:
MDE3IE5OLVVLIDU0LjFkNmExNWJiNzUyNjA2NGJlMTc5NDQ4YTgzMQ==
** Press ENTER to continue
Step 3: Add key to agent
[email protected]: ~# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key for the server (I).
(Q)uit.
Choose your actions: I or Q: I
* Provide the Key generated from the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDE3IE5OLVVLIDU0LjFkNmExNWJiNzUyNjA2NGJlMTc5NDQ4YTgzMQ==
Agent information:
ID:001
Name:server0001
IP Address:192.168.1.2
Confirm adding it?(y/n): y
Added.
** Press ENTER to continue.
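An added example, not part of the original post: a check to run on the agent before pasting the key in step 3, confirming that the key carries the ID, name and IP entered in step 1. It assumes the extracted key is base64 of "ID NAME IP SECRET"; the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: an extracted agent key is base64 of
# "ID NAME IP SECRET". Function names are hypothetical.

# Print "ID NAME IP" from a key; the secret itself is never printed.
# Returns 1 unless the key decodes to exactly four fields.
ossec_key_fields() {
    k_decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    read -r k_id k_name k_ip k_secret k_extra <<EOF
$k_decoded
EOF
    [ -n "$k_secret" ] && [ -z "$k_extra" ] || return 1
    printf '%s %s %s\n' "$k_id" "$k_name" "$k_ip"
}

# Compare the key's fields with the values entered in step 1.
# Prints one line per mismatch; returns 0 only if all three match.
ossec_key_check() {
    k_fields=$(ossec_key_fields "$1") || {
        echo "key does not decode to ID NAME IP SECRET"
        return 2
    }
    read -r got_id got_name got_ip <<EOF
$k_fields
EOF
    rc=0
    [ "$got_id" = "$2" ] || { echo "ID: key has $got_id, expected $2"; rc=1; }
    [ "$got_name" = "$3" ] || { echo "name: key has $got_name, expected $3"; rc=1; }
    [ "$got_ip" = "$4" ] || { echo "IP: key has $got_ip, expected $4"; rc=1; }
    return "$rc"
}

# Constructed sample key (not a real agent key) using step 1's values.
SAMPLE_KEY=$(printf '%s' \
    '001 client0001 192.168.1.2 0123456789abcdef0123456789abcdef' |
    base64 | tr -d '\n')

ossec_key_check "$SAMPLE_KEY" 001 client0001 192.168.1.2 &&
    echo "key matches step 1, safe to import"
ossec_key_check "$SAMPLE_KEY" 001 agent0001 192.168.1.2 ||
    echo "mismatch: re-extract the key for the right agent before importing"
```

On a real agent, pass the key received from the server and the step 1 values in place of the sample.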
Done
- The OSSEC agent on agent0001 should be able to connect to the server now (maybe the server needs to be restarted first? Not sure)
- If not, check these few things:
  - Is the server IP correct in the agent's ossec.conf?
    <client>
      <server-ip>192.168.1.1</server-ip>
    </client>
  - Does the agent's external IP match the one you entered in step 1?
    - You can check using
      curl icanhazip.com
  - If your server has multiple IPs, you might need to add a static route to route traffic to the server via that specific IP
    - You can check using