This one could be a bit fiddly (due to the many different versions of the OS, i.e. of the agent itself), so I decided to write an article about it.

OK, let's get started...

  1. update the host system and open a terminal window
  2. get (the latest) OSSEC version: wget https://github.com/ossec/ossec-hids/archive/3.1.0.tar.gz
  3. untar the package:  tar zxvf 3.1.0.tar.gz
  4. change the working directory: cd ossec-hids-3.1.0
  5. elevate and start the installation script: sudo ./install.sh 
  6. type en (to choose English), press Enter
  7. choose agent (if you want to install an agent - and this article is about this type of installation only)
  8. choose installation location
  9. enter the IP address of your OSSIM server
  10. choose other options (i.e. confirm the defaults unless you have more creative ideas)
  11. press Enter again and wait until it compiles (usually for a minute or two)
  12. after the installation is finished, you should see the screen pictured below:


  1. do cd /var/ossec/bin to change the working directory (in order to complete the installation by entering the key)
  2. issue ./manage_agents and choose "I" to import the key (be careful to use the underscore / underline here and not the dash as some other guides might have told you!)
  3. go to your OSSIM GUI (Environment > Detection > Agents > choose the host and "Extract the key")
  4. copy the key to the clipboard
  5. and just paste it back into the terminal
  6. if all the info was correct, press "y" to confirm the key import and press Enter to go to the main menu
  7. press "Q" to quit the menu
  8. just issue service ossec start to start the service
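
Before pasting the key into manage_agents (steps 4 to 6 above), you can check that the copy is complete and belongs to the right host. The script below is an added example, not part of OSSEC or of the original article; it assumes the extracted key is the base64 encoding of one client.keys line ("ID NAME IP SECRET"), and the function name check_agent_key and the sample agent are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of OSSEC. Assumption: an extracted agent key is the
# base64 encoding of one client.keys line: "ID NAME IP SECRET".

check_agent_key() {
    # $1 = key copied from the OSSIM GUI, $2 = expected agent IP (optional)
    key=$(printf '%s' "$1" | tr -d ' \t\r\n')   # drop clipboard whitespace
    decoded=$(printf '%s' "$key" | base64 -d 2>/dev/null) || {
        echo "error: key is not valid base64 (truncated copy?)" >&2
        return 1
    }
    # Expect exactly four space-separated fields; "extra" must stay empty.
    IFS=' ' read -r id name ip secret extra <<EOF
$decoded
EOF
    case $id in
        ''|*[!0-9]*) echo "error: agent ID is not numeric" >&2; return 1 ;;
    esac
    if [ -z "$name" ] || [ -z "$ip" ] || [ -z "$secret" ] || [ -n "$extra" ]; then
        echo "error: expected 4 fields (ID NAME IP SECRET)" >&2
        return 1
    fi
    if [ -n "$2" ] && [ "$ip" != "$2" ]; then
        echo "error: key is for $ip, expected $2" >&2
        return 1
    fi
    # Print the identifying fields only; the shared secret is never echoed.
    echo "id=$id name=$name ip=$ip secret_len=${#secret}"
}

# Constructed sample key (made-up agent, documentation IP range).
SAMPLE_KEY=$(printf '001 web01 192.0.2.10 %s' \
    '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' \
    | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 192.0.2.10
```

If the OSSIM server registered the agent with a network range or "any" instead of a single address, leave out the second argument and compare the printed ip field by eye.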


Finally, this should be it - the agent is installed now, but you'll still have to (re)adjust the user account, i.e. the SSH (I might cover that part in an article coming soon).



At the end, let's mention that there's plenty of documentation available at: http://www.ossec.net/docs/