Managing OSSEC Agents

  13 Jun 2016


Managing Agents

To add an agent to your OSSEC server (the manager), you register it with the manage_agents tool provided on the manager host. The steps are as follows:

  • First, run manage_agents on the OSSEC server.

      manager$ manage_agents
    
      ****************************************
      * OSSEC HIDS v2.8.3 Agent manager.     *
      * The following options are available: *
      ****************************************
         (A)dd an agent (A).
         (E)xtract key for an agent (E).
         (L)ist already added agents (L).
         (R)emove an agent (R).
         (Q)uit.
      Choose your action: A,E,L,R or Q:
    
  • Choose Add an agent.

      ****************************************
      * OSSEC HIDS v2.8.3 Agent manager.     *
      * The following options are available: *
      ****************************************
         (A)dd an agent (A).
         (E)xtract key for an agent (E).
         (L)ist already added agents (L).
         (R)emove an agent (R).
         (Q)uit.
      Choose your action: A,E,L,R or Q: A
    
      - Adding a new agent (use '\q' to return to the main menu).
        Please provide the following:
         * A name for the new agent: lb1
         * The IP Address of the new agent: 172.168.0.1
         * An ID for the new agent[001]:
      Agent information:
         ID:001
         Name:agent1
         IP Address: 172.168.0.1
    
      Confirm adding it?(y/n): y
      Agent added.
    
  • Extract the key for the agent.

      manager$ manage_agents

      ****************************************
      * OSSEC HIDS v2.8.3 Agent manager.     *
      * The following options are available: *
      ****************************************
         (A)dd an agent (A).
         (E)xtract key for an agent (E).
         (L)ist already added agents (L).
         (R)emove an agent (R).
         (Q)uit.
      Choose your action: A,E,L,R or Q: E
    
      Available agents:
         ID: 001, Name: agent1, IP: 172.168.0.1
      Provide the ID of the agent to extract the key (or '\q' to quit): 001
    
      Agent key information for '001' is:
      pKLFgQKBgDf8Wj4aANZXzDDaPeuP/7RRLWFigfGVL2wrYnE0xffBgTaEacluFRmzURakFqKjMpWLxqxURmGJfLUDiia43W/0zGjGzVYp3CJQwQd43Dv8MHtx2CjJr4C7
    
  • Copy the key from the manager, run manage_agents on the agent, choose Import and paste the key into the agent:

      agent1$ manage_agents
    
      ****************************************
      * OSSEC HIDS v2.8.3 Agent manager.     *
      * The following options are available: *
      ****************************************
         (I)mport key from the server (I).
         (Q)uit.
      Choose your action: I or Q: I
    
      * Provide the Key generated by the server.
      * The best approach is to cut and paste it.
      *** OBS: Do not include spaces or new lines.
    
      Paste it here (or '\q' to quit): pKLFgQKBgDf8Wj4aANZXzDDaPeuP/7RRLWFigfGVL2wrYnE0xffBgTaEacluFRmzURakFqKjMpWLxqxURmGJfLUDiia43W/0zGjGzVYp3CJQwQd43Dv8MHtx2CjJr4C7
    
      Agent information:
         ID:001
         Name:agent1
         IP Address:172.168.0.1
    
      Confirm adding it?(y/n): y
      Added.
      ** Press ENTER to return to the main menu.
    
  • Restart the OSSEC processes on the manager (make sure you restart the manager before the agent).

     manager$ ossec-control restart
    
  • Then restart the agent.

     agent1$ ossec-control restart
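The key pasted in the Import step above is the base64 form of one client.keys line ("id name ip key"), and the manager checks the agent's source address against the ip recorded in it, so a mismatch is rejected. The following is an added example, not code from the post or from OSSEC, that decodes an extracted key and reports the mismatches to fix before importing; it assumes the OSSEC 2.x key layout and uses a constructed sample key rather than the one shown above.

```python
import base64
import ipaddress
import re

# Constructed sample, not the key shown in the post: the (E)xtract output is
# the base64 form of one client.keys line, "<id> <name> <ip> <key>".
# The 64 hex characters of the shared secret below are made up.
SAMPLE_KEY_LINE = "001 agent1 172.168.0.1 " + "ab" * 32
SAMPLE_EXTRACTED = base64.b64encode(SAMPLE_KEY_LINE.encode()).decode()

HEX_SECRET = re.compile(r"^[0-9a-fA-F]{64}$")  # OSSEC 2.x secret length (assumed)


def decode_agent_key(extracted):
    """Decode an (E)xtract string into its id, name and ip fields."""
    # Drop whitespace and newlines first: the mistake the (I)mport prompt
    # warns about ("Do not include spaces or new lines").
    compact = "".join(extracted.split())
    try:
        line = base64.b64decode(compact, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("not a valid base64 agent key") from exc
    parts = line.split(" ")
    if len(parts) != 4:
        raise ValueError("decoded key is not 'id name ip key'")
    agent_id, name, ip, secret = parts
    if not agent_id.isdigit():
        raise ValueError("agent id must be numeric")
    if not HEX_SECRET.match(secret):
        raise ValueError("shared secret is not 64 hex characters")
    if ip != "any":
        ipaddress.ip_network(ip, strict=False)  # raises on a malformed address
    return {"id": agent_id, "name": name, "ip": ip}


def check_key_for_host(extracted, expected_name, source_ip):
    """List the mismatches to resolve before pasting the key into the agent.

    The manager matches the agent's source address against the ip recorded
    in the key (one address, a CIDR block or 'any'); a key whose ip does not
    cover the address the agent connects from is rejected.
    """
    info = decode_agent_key(extracted)
    problems = []
    if info["name"] != expected_name:
        problems.append(f"name {info['name']!r} != {expected_name!r}")
    if info["ip"] != "any":
        allowed = ipaddress.ip_network(info["ip"], strict=False)
        if ipaddress.ip_address(source_ip) not in allowed:
            problems.append(f"source {source_ip} not covered by {info['ip']}")
    return problems
```

Run check_key_for_host with the name the agent was registered under and the address it will connect from; an empty list means the key is safe to paste.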
    

If everything went well, agent1 should appear as a connected agent in the list:

manager$ agent_control -lc

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 172.168.0.1, Active

For debugging, check the OSSEC log file at /var/ossec/logs/ossec.log (on the manager and on the agent).
