Linux Administrator

How to install and configure OSSEC Client/Agent Mode on Linux

OSSEC agent is a small program. Agent installed on the system to be monitored. It collects all information and forward it to the server for analysis and correlation. It also collect some information in real-time and others periodically. By default it has a very small memory and CPU footprint and not affecting the system’s usage and memory.

In this tutorial I am going to install and configure OSSEC Client/Agent mode on system.

To install or know about OSSEC Server mode refer our previous article.

Installing OSSEC Server mode on Linux and UNIX System

Client/Agent Mode

Follow the below steps to install OSSEC client/agents on server.

Server IP :-
Client/Agent IP :-

# yum install gcc
# cd /root/download/
# wget
--2017-02-06 04:19:23--
Connecting to||:80... connected.

Now extract the OSSEC compress file and run the file.

# tar -zxvf ossec-hids-2.8.1.tar.gz
# cd ossec-hids-2.8.1
# ls
BUGS CONFIG CONTRIBUTORS INSTALL LICENSE active-response contrib doc etc src

# ./
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin)

** Para instalação em português, escolha [br].
** ?????????, ??? [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** G?a e??at?stas? sta ????????, ep????te [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvu telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** ?????????????.???????.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowac w jezyku Polskim, wybierz [pl].
** ??? ?????????? ?? ????????? ?? ??????? ,??????? [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: [Press Enter]

Select Language default is English.

Next it will show the system detail, system user and host-name.

OSSEC HIDS v2.8 Installation Script -

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to [email protected] (or [email protected]).

- System: Linux 2.6.32-042stab111.12
- User: root
- Host:
-- Press ENTER to continue or Ctrl-C to abort. -- [Press Enter]

Now main part start from here to install OSSEC Client/Agents mode.

Select installation modes and type of OSSEC on the system.

-- Press ENTER to continue or Ctrl-C to abort. -- [Press Enter]

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent

Set the configurations path /var/ossec is default.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]: [Press Enter]

- Installation will be made at /var/ossec .

Enter the server IP address (

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address or hostname of the OSSEC HIDS server?:

- Adding Server IP

Now enable integrity check for agent.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

Next enable rootkit detection, active response and syslog.

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]: y

3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at .

--- Press ENTER to continue ---

Press “enter” to start installation process.

5- Installing the system
- Running the Makefile
INFO: Little endian set.

*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
make[1]: Entering directory `/root/download/ossec-hids-2.8.1/src/external'
cd zlib-1.2.8/; ./configure; make libz.a;
Checking for gcc...
Checking for shared library support...
Building shared library with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
make[2]: Entering directory `/root/download/ossec-hids-2.8.1/src/external/zlib-1.2.8'
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inffast.o inffast.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inflate.o inflate.c

Next it show some information like OS Detail Start and Stop OSSEC scripts and OSSEC configurations file.

- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at [email protected] or using our public maillist at
[email protected]
( ).

More information can be found at

--- Press ENTER to finish (maybe more information below). ---

Press “Enter” to finish the OSSEC Client/Agent installation part.

- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:


More information at:

Now Client/Agent side installation is done.

Connecting Server and Agent

After installing OSSEC agent successfully on the system now you have to connect it to server. Follow the below steps to connecting server and client.

Server Side Configuration

Adding an client :- Follow the below command to add client.

# /var/ossec/bin/manage_agents

You will need to type a to add an agent.

* OSSEC HIDS v2.8.1 Agent manager. *
* The following options are available: *
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: OSSEC-Client
* The IP Address of the new agent:
* An ID for the new agent[001]:
Agent information:
IP Address:

Confirm adding it?(y/n): y

Agent added.

Extract the key for an angent

* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
Choose your action: A,E,L,R or Q: e

Available agents:
ID: 001, Name: OSSEC-Client, IP:
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:

** Press ENTER to return to the main menu.

Now copy the Agent Information Key to enter it for the agent.

Agent Side Configuration

Follow the below steps to add agent to server.

# /var/ossec/bin/manage_agents

Type i for import key from the server.

* OSSEC HIDS v2.8.1 Agent manager. *
* The following options are available: *
(I)mport key from the server (I).
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.


Agent information:
IP Address:

Confirm adding it?(y/n): y
** Press ENTER to return to the main menu.

Restart OSSEC Server and Agent

# /var/ossec/bin/ossec-control restart

Check Active Agents List

# /var/ossec/bin/list_agents -c

OSSEC-Client- is active.

I hope this article will be helpful to Install and Configure OSSEC Agent/Client on Linux and UNIX System. Read our another article Check level of traffic on website using command line with apache access log and Finding causes of heavy usage on web server using access log. If you have any queries and problem please comment in comment section or you can also ask your question.


Thank you! for visiting LookLinux.

If you find this tutorial helpful please share with your friends to keep it alive. For more helpful topic browse my website To become an author at LookLinux Submit Article. Stay connected to Facebook.

About the author


Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool article for you. If you have any query and suggestion please comment in comment section.

1 Comment

  • Hello, I coudn’t start the ossec service in client using the command #service ossec-hids start and I haved added the agent in server, but its showing “** No agent available”

Leave a Comment