Hi Vipin,
Prior to connecting to the manager, agents must be registered on it. For example, let the manager's IP be 1.1.1.1 and the agent's IP be 2.2.2.2.
In the first place, use /var/ossec/bin/manage_agents to add an agent. Choose an arbitrary name for it, then you'll be asked for the agent's IP. If the agent's IP will always be the same (2.2.2.2), write it; else, if the agent's IP is dynamic or can change, write "any" as the IP. The manager will reject an agent if its IP doesn't match the registered IP (unless it is "any").
When the agent is registered, use the option E (in manage_agents) to extract the agent's key. Afterwards, go to the agent and run /var/ossec/bin/manage_agents; in this case you'll see that there's no option to add an agent but you can import (option I) a key. Select that option and paste the key that you extracted from the manager.
You can get more information about agents management at:
http://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-management.html.
Now, restart the manager (in order to reload the agents' keys) and the agent. You should get a message in the log such as:
2016/11/07 10:55:27 ossec-agentd(4102): INFO: Connected to the server (1.1.1.1:1514).
The manager should trigger this alert:
** Alert 1478512792.55161: mail - ossec,pci_dss_10.6.1,
2016 Nov 07 10:59:52 (CentOS) 2.2.2.2->ossec
Rule: 501 (level 3) -> 'New ossec agent connected.'
ossec: Agent started: 'CentOS->2.2.2.2'.
A common error is that the agent was not registered with the proper IP, or the key is not correctly imported into the agent. In this case, the manager's log would print messages like:
2016/11/07 10:28:18 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
or:
2016/11/07 10:59:06 ossec-remoted(1408): ERROR: Invalid ID 003 for the source ip: '2.2.2.2'.
If you see those messages, check the previous steps. But if no message appears in the manager, packages may not be arriving to the server, so use tools such as netstat or tcpdump to check your network. By default, OSSEC uses the port 1514/UDP.
Hope it helps.
Kind regards,
Victor.
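
An added example, not part of the original message and not OSSEC code: a small log triage that recognises the three messages quoted above and maps them to the check the message recommends. The function names and the unrelated sample line are assumptions made for illustration.

```python
import re

# Message formats copied from the log lines quoted in the message above.
PATTERNS = {
    "connected": re.compile(
        r"ossec-agentd\(\d+\): INFO: Connected to the server \((?P<peer>[^)]+)\)"),
    "bad_message": re.compile(
        r"ossec-remoted\(\d+\): ERROR: Incorrectly formated message from '(?P<peer>[^']+)'"),
    "invalid_id": re.compile(
        r"ossec-remoted\(\d+\): ERROR: Invalid ID (?P<agent_id>\d+) "
        r"for the source ip: '(?P<peer>[^']+)'"),
}
TIMESTAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")

def classify(lines):
    """Return one dict per recognised line: time, kind and captured fields."""
    events = []
    for line in lines:
        ts = TIMESTAMP.match(line)
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                events.append({"time": ts.group(1) if ts else None,
                               "kind": kind, **m.groupdict()})
                break
    return events

def diagnose(events):
    """Map the classified events to the next check named in the message."""
    kinds = {e["kind"] for e in events}
    if kinds & {"bad_message", "invalid_id"}:
        return "check the registered IP and the imported key"
    if "connected" in kinds:
        return "agent connected"
    return "no message: check the network (netstat, tcpdump, 1514/UDP)"

# Constructed sample: the error lines quoted in the message, plus one unrelated line.
SAMPLE = [
    "2016/11/07 10:28:18 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.",
    "2016/11/07 10:59:06 ossec-remoted(1408): ERROR: Invalid ID 003 for the source ip: '2.2.2.2'.",
    "2016/11/07 11:00:00 ossec-monitord(1500): INFO: unrelated line (constructed).",
]

if __name__ == "__main__":
    found = classify(SAMPLE)
    for event in found:
        print(event)
    print(diagnose(found))
```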