Deploying ossec on 1000+ Servers

by J. Edward Durrett

ossec / hids

Deploying ossec, a host based intrusion detection system, is a
multi-step process. Since it is a client/server application, the ossec
manager needs to be able to communicate with the client. Keys are used
for authentication. A key for each host is generated on the manager
server and then that key needs to be imported into the client. That
process takes a few minutes and needs to be repeated on each client.
Doing that manually on each client in a large data center is not a very
efficient use of time. Even in a smaller shop of only a couple of dozen
clients, manual deployment is way too time consuming.

This script I developed on FreeBSD automates the process:

#!/bin/sh
# usage: ./script file_with_ips  (comma separated list of ip,name)
file=$1
# highest agent id currently known to the manager
last_id=`bin/manage_agents -l | awk '{print $2}' | sed -e 's/,/ /g' | sort -n | tail -1`
echo "The last id is:" $last_id
# bulk-add every host in the file, then restart the manager
bin/manage_agents -f $file
/usr/local/etc/rc.d/ossec-hids restart
last_added_id=`bin/manage_agents -l | awk '{print $2}' | sed -e 's/,/ /g' | sort -n | tail -1`
echo "The last added id is:" $last_added_id
agents_added=$(($last_added_id - $last_id))
echo "The number of agents added is:" $agents_added
# walk the newly created ids, pushing each key to its client
agent=$(($last_id + 1))
while [ $agent -le $last_added_id ]
do
    # export this agent's key and look up its ip in the listing
    agent_key=`bin/manage_agents -e $agent | cut -d : -f2`
    agent_ip=`bin/manage_agents -l | grep $agent | awk '{print $6}'`
    echo "Attempting SSH connection ...."
    # 'y' answers the import confirmation prompt on the client
    printf 'y' | ssh $agent_ip -C '/usr/local/ossec-hids/bin/manage_agents -i' $agent_key
    ssh $agent_ip -C '/usr/local/etc/rc.d/ossec-hids restart'
    agent=$(( $agent + 1 ))
done

Interestingly, in sh a three-digit number with a leading zero causes
problems. This syntax fixes that problem[1]:


With either of these scripts, it is possible to deploy ossec on
thousands of machines at a time. There are some assumptions, namely that
ossec is already installed and ssh is properly set up to allow for
central administration.

To use the scripts, first create a comma separated file with the IPs and
names of all the servers ossec is going to be run on. Then run the
script as such:

./script file_with_ips

There is a method for running the ssh commands simultaneously on all
hosts, which greatly speeds up the process. The biggest bottleneck is
the key generation on the master server.
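The id bookkeeping in the script above is where the leading-zero problem bites: an id such as 010 is read as octal by `$(( ))` in sh. The following is an added example, not the post's own script, that parses a constructed `manage_agents -l` listing (format assumed from the original's use of field 2 for the id and field 6 for the IP) and does the id arithmetic in decimal regardless of padding:

```shell
#!/bin/sh
# Added example (not the original post's script): parse the manager's
# `manage_agents -l` listing without tripping over leading-zero ids.
# The listing format is assumed from the original script's field usage
# ($2 = id, $6 = ip); the data below is constructed, not real output.
SAMPLE_LIST='Available agents:
   ID: 001, Name: web01, IP: 10.0.0.11
   ID: 002, Name: web02, IP: 10.0.0.12
   ID: 010, Name: db01, IP: 10.0.0.20'

# Highest id in a listing, exactly as the listing prints it (e.g. 010).
last_id() {
    printf '%s\n' "$1" | awk '/ID:/ {print $2}' | tr -d ',' | sort -n | tail -1
}

# Strip leading zeros so $(( )) does not read 010 as octal 8; "000" -> 0.
to_decimal() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# Difference between two listing snapshots, mirroring the post's
# last_added_id - last_id computation but safe for padded ids.
agents_added() {
    echo $(( $(to_decimal "$2") - $(to_decimal "$1") ))
}

# Print "id ip" for every agent whose id is above the given decimal id;
# awk compares numerically, so 010 is 10 here regardless of the shell.
agents_after() {
    printf '%s\n' "$1" | awk -v after="$2" '/ID:/ {
        id = $2; sub(/,/, "", id)
        if (id + 0 > after + 0) print id, $6
    }'
}

# Stand-alone run: pretend 002 was the last id before the bulk import.
before=002
after=$(last_id "$SAMPLE_LIST")
echo "added: $(agents_added "$before" "$after")"
agents_after "$SAMPLE_LIST" "$(to_decimal "$before")"
```

The "id ip" pairs printed by agents_after are what the per-client ssh loop would consume, so the key export and push can be driven from them instead of re-grepping the listing by bare number.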


Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.