Category Archives: Linux

OSSEC Agent installation in Linux Step by Step

OSSEC Agent Installation on Linux 

Step 1

Download the ossec agent and issue the below command

tar xf ossec-hids-2.8.1.tar.gz

 Step 2

It will be unpacked into a directory called ossec-hids-2.8.1.                 Go to that directory.

cd ossec-hids-2.8.1/

 Step 3

Then start the installation.

Select agent mode while OSSEC installation on  server machines and end hosts.





Step 4

Set the configuration path (/var/ossec is by default)




Step 5

Enter the IP address of the OSSEC server/manager (Example:




Step 6

Enable Integrity check feature of OSSEC in client mode.



Step 7

Enable the rootkit detection and active response features







Step 8

Press “Enter” button to start installation process.





Step 9

Following window shows the start/stop scripts and configuration path for OSSEC. Press “Enter” button to complete the installation process.







Step 10

Add Agent to Server and Extract Its Key

On the OSSEC server, start the process of adding the agent.


You will then be presented the options shown below. Choose “A” to add an agent.

(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.Choose your action: A,E,L,R or Q: A

Then you’ll be prompted to specify a name for the agent, its IP address, and an ID. Make the name unique, because it will help you in filtering alerts received from the server.

For the ID, you may accept the default by pressing ENTER.

When you enter all three fields, enter y to confirm.

- Adding a new agent (use '\q' to return to the main menu).  Please provide the following:   * A name for the new agent: agentUbuntu   * The IP Address of the new agent: your_agent_ip   *
An ID for the new agent[001]:Agent information:   ID:001
IP Address: Confirm adding it?(y/n): y

Agent added.

Step 11

 After that, you’ll be returned to the main menu. Now you have to extract the agent’s key, Make sure you copy it, because you’ll have to enter it for the agent.

... Choose your action: A,E,L,R or Q: e

Available agents:   ID: 001,

Name: agentUbuntu,


Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw **
Press ENTER to return to the main menu.

Step 12

After pressing ENTER, you’ll be returned to the main menu again. Type q to quit.

... Choose your action: A,E,L,R or Q: q 
** You must restart OSSEC for your changes to take effect. manage_agents: Exiting ..

Step 13

Import The Key From Server to Agent

This section has to be completed on the agent, and it involves importing (copying) the agent’s key extracted on the server and pasting it on the agent’s terminal. To start, change to root by typing:

sudo su

Then type:


You’ll be presented with these options:

   (I)mport key from the server (I).   (Q)uit.
Choose your action: I or Q: i

After typing the correct option, follow the directions to copy and paste the key generated from the server.

Agent information:   ID:001   Name:test   IP Address: Confirm adding it?(y/n): y

Added.** Press ENTER to return to the main menu.

Back to the main menu, type q to quit:

Choose your action: I or Q: q

This completes the agent installation in Linux.

Share this: