First steps
In this documentation you will find the instructions to add a new agent, and to configure it to report to your OSSEC/Wazuh manager. For more information on OSSEC HIDS configuration options, please go to the project documentation, or the reference manual.
Add a new agent
On your OSSEC manager, run /var/ossec/bin/manage_agents:
$ /var/ossec/bin/manage_agents
You will then be presented with the options shown below. Choose "A" to add an agent:
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
You need to type a name for the agent, an IP address and an ID:
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: agent-name
* The IP Address of the new agent: 10.0.0.1
* An ID for the new agent[001]:
Agent information:
ID:001
Name:agent-name
IP Address:10.0.0.1
Confirm adding it?(y/n): y
Note
The agent IP address should always match the one the agent will connect from. If unsure, you can use "any". You can also inspect your network traffic with tcpdump to see the source IP in the headers of the incoming packets.
Now you have to extract the agent’s key, which will be displayed on the screen. See below an example:
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:e
Available agents:
ID: 001, Name: agent-name, IP: 10.0.0.1
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIFRlc3RBZ2V0biAxMTEuMTExLjExMS4xMTEgY2MxZjA1Y2UxNWQyNzEyNjdlMmE3MTRlODI0MTA1YTgxNTM5ZDliN2U2ZDQ5MWYxYzBkOTU4MjRmNjU3ZmI2Zg==
** Press ENTER to return to the main menu.
Now copy the key (the whole line ending in ==), because you’ll have to import it on the agent.
Agent configuration on Linux
Your agent needs the IP address of your manager in order to know where to send its data. Open your agent configuration file, located at /var/ossec/etc/ossec.conf, and set server-ip to the manager's address:
<ossec_config>
  <client>
    <server-ip>XXX.XXX.XXX.XXX</server-ip>
  </client>
</ossec_config>
Now you can run manage_agents (remember we are on your agent system, not on the manager), and paste the previously copied key:
$ /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIFRlc3RBZ2V0biAxMTEuMTExLjExMS4xMTEgY2MxZjA1Y2UxNWQyNzEyNjdlMmE3MTRlODI0MTA1YTgxNTM5ZDliN2U2ZDQ5MWYxYzBkOTU4MjRmNjU3ZmI2Zg==
Agent information:
ID:001
Name:agent-name
IP Address:10.0.0.1
Confirm adding it?(y/n): y
Now your agent has been properly added. You can restart it by running:
$ /var/ossec/bin/ossec-control restart
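As an added example (not part of this documentation or of the OSSEC/Wazuh code base): the key that manage_agents extracts is the base64 encoding of the agent's client.keys line, "<id> <name> <ip> <secret>", so you can decode it on the agent before importing it and confirm it was cut for the agent you are enrolling, with the same ID, name and IP you typed on the manager. PAGE_KEY is the key shown in the walkthrough above; the helper names are hypothetical.

```python
import base64
import binascii
import re

# The key string printed by manage_agents in the walkthrough above.
PAGE_KEY = (
    "MDAxIFRlc3RBZ2V0biAxMTEuMTExLjExMS4xMTEgY2MxZjA1Y2UxNWQyNzEyNjdlMmE3MTRl"
    "ODI0MTA1YTgxNTM5ZDliN2U2ZDQ5MWYxYzBkOTU4MjRmNjU3ZmI2Zg=="
)


def decode_agent_key(b64_key):
    """Decode an exported OSSEC agent key into its four fields.

    The export is base64 of one client.keys line: "<id> <name> <ip> <secret>".
    Whitespace and newlines introduced by copy/paste are stripped first, since
    manage_agents refuses a key that contains them on import.
    """
    compact = "".join(b64_key.split())
    try:
        raw = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a valid base64 agent key") from exc
    fields = raw.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields (id name ip secret), got %d" % len(fields))
    agent_id, name, ip, secret = fields
    if not re.fullmatch(r"[0-9a-fA-F]+", secret):
        raise ValueError("secret is not hexadecimal")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}


def key_matches(b64_key, agent_id, name, ip):
    """Return the list of mismatches between the key and the expected agent.

    An empty list means the key belongs to the agent being enrolled. A key cut
    with IP "any" is accepted for whatever address the agent connects from.
    """
    info = decode_agent_key(b64_key)
    problems = []
    if info["id"] != agent_id:
        problems.append("id %s != %s" % (info["id"], agent_id))
    if info["name"] != name:
        problems.append("name %s != %s" % (info["name"], name))
    if info["ip"] != "any" and info["ip"] != ip:
        problems.append("ip %s != %s" % (info["ip"], ip))
    return problems
```

Decoding the key printed above yields ID 001 but name TestAgetn and IP 111.111.111.111, so checked against agent-name/10.0.0.1 it reports two mismatches; that is exactly the situation this check is meant to catch before the import.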