In this tutorial, we'll learn how to install and use OSSEC HIDS on Debian 13 with a manager and an agent.
What is OSSEC?
OSSEC is a powerful open-source Host Intrusion Detection System (HIDS). We use it to monitor file changes, analyze logs, detect rootkits, and identify suspicious activity across Linux servers. This guide explains how we install OSSEC on Debian 13, configure a manager and agent, and deploy everything correctly.
Prerequisites
Before we start, let’s ensure we have:
- A Debian 13 dedicated server or KVM VPS.
- Two servers: one for the manager and one for the agent.
- Root or sudo privileges
How to install OSSEC HIDS on Debian 13 with manager and agent.
Step 1 - Update the Debian system
We begin by ensuring the system is fully updated.
sudo apt update && sudo apt -y upgrade
Step 2 - Install required dependencies
OSSEC is installed from source, so we need development tools and libraries.
sudo apt -y install build-essential make gcc wget tar \
libpcre2-dev zlib1g-dev libssl-dev systemd-dev libsystemd-dev
The package systemd-dev is required so OSSEC can compile with systemd support.
Step 3 - Download OSSEC
On the server that will act as the OSSEC Manager:
cd /tmp
wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.8.0.tar.gz -O ossec.tar.gz
tar -xzf ossec.tar.gz
cd ossec-hids-3.8.0
Installing OSSEC Manager
Step 4 - Run OSSEC installer (Manager)
Start the installation process:
sudo ./install.sh
When prompted:
- Choose server as installation type
- Accept default installation directory /var/ossec
- Configure email alerts if required
- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): <Your Agent IP>
Once the installer finishes, OSSEC Manager will be installed.
Step 5 - Configure Firewall on Manager
OSSEC agents communicate with the manager over UDP port 1514 and optionally TCP port 1515 for enrollment.
Allow these ports in the Debian firewall (ufw):
sudo ufw allow 1514/udp
sudo ufw allow 1515/tcp
sudo ufw reload
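The two allow rules above accept traffic from any source address. As an added example (not part of the original tutorial), the script below prints source-restricted ufw rules for a list of known agent IPv4 addresses. The function names and the 192.0.2.x addresses are assumptions for illustration.

```bash
#!/bin/sh
# Added example: scope the OSSEC manager ports to known agent addresses.
# Function names and the 192.0.2.x addresses are illustrative assumptions.

# Accept only dotted-quad IPv4 with octets 0-255; anything else is rejected
# so the printed commands are safe to review and pipe into a root shell.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# Dry run: prints the ufw commands instead of executing them.
ossec_ufw_rules() {
  # Refuse to emit the delete commands when no replacement rule is given.
  [ "$#" -gt 0 ] || return 1
  for ip in "$@"; do
    if ! valid_ipv4 "$ip"; then
      echo "invalid agent address: $ip" >&2
      return 1
    fi
  done
  for ip in "$@"; do
    echo "ufw allow from $ip to any port 1514 proto udp"
    echo "ufw allow from $ip to any port 1515 proto tcp"
  done
  # Remove the open-to-all rules so only the scoped ones remain.
  echo "ufw delete allow 1514/udp"
  echo "ufw delete allow 1515/tcp"
}

# Demo with two constructed agent addresses.
ossec_ufw_rules 192.0.2.10 192.0.2.11
```

Review the printed commands before running them as root on the manager, then reload ufw as in the step above.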
Step 6 - Add Agent to Manager
Before starting OSSEC services, we must register any agents that will connect to this manager.
On the OSSEC Manager, run:
sudo /var/ossec/bin/manage_agents
Follow these steps:
- Select (A) Add agent
- Enter agent name
- Enter agent IP address
- Save the agent
Next, extract the agent key:
- Select (E) Extract key
- Choose the agent
- Copy the displayed key
This key will be used on the agent server.
Step 7 - Create systemd service on Manager
Create a service file so OSSEC starts automatically.
sudo nano /etc/systemd/system/ossec.service
Add the following:
[Unit]
Description=OSSEC HIDS Manager
After=network.target
[Service]
Type=forking
ExecStart=/var/ossec/bin/ossec-control start
ExecStop=/var/ossec/bin/ossec-control stop
ExecReload=/var/ossec/bin/ossec-control restart
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Enable and start OSSEC Manager:
sudo systemctl daemon-reload
sudo systemctl enable ossec
sudo systemctl start ossec
Verify status:
sudo /var/ossec/bin/ossec-control status
Installing OSSEC Agent on Debian 13
Now we configure another Debian 13 system as an OSSEC agent.
Step 8 - Install OSSEC on Agent
On the agent machine, install required packages:
sudo apt update
sudo apt -y install build-essential make gcc wget tar \
libpcre2-dev zlib1g-dev libssl-dev systemd-dev libsystemd-dev
Download OSSEC:
cd /tmp
wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.8.0.tar.gz -O ossec.tar.gz
tar -xzf ossec.tar.gz
cd ossec-hids-3.8.0
Run installer:
sudo ./install.sh
This time choose:
- Installation type: agent
- 3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <Your Manager IP>
Step 9 - Import Agent Key
Before starting the agent, we must import the key generated on the manager.
Run on the agent machine:
sudo /var/ossec/bin/manage_agents
Choose:
- (I) Import key
- Paste the key copied from the manager
Exit the tool once the key is successfully imported.
Step 10 - Configure Manager IP on Agent
Edit the agent configuration:
sudo nano /var/ossec/etc/ossec.conf
Ensure the following block exists:
<client>
<server-ip>MANAGER_IP_ADDRESS</server-ip>
</client>
Replace MANAGER_IP_ADDRESS with the real IP address of the OSSEC manager.
Step 11 - Create systemd service on Agent
Create a service file on the agent:
sudo nano /etc/systemd/system/ossec.service
Add:
[Unit]
Description=OSSEC Agent
After=network.target
[Service]
Type=forking
ExecStart=/var/ossec/bin/ossec-control start
ExecStop=/var/ossec/bin/ossec-control stop
ExecReload=/var/ossec/bin/ossec-control restart
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable ossec
sudo systemctl start ossec
Step 12 - Verify Agent Connection
On the OSSEC Manager, confirm the agent is connected:
sudo /var/ossec/bin/agent_control -l
The agent should appear in the list as active.
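To turn this check into something a cron job or monitoring probe can act on, the added example below (not part of the original tutorial) reads the agent list on stdin and reports every agent that is not active. The function name and the sample listing are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag agents that are not "Active" in `agent_control -l` output.

# Constructed sample modelled on the tool's list output; not captured from a
# real manager. Names and 192.0.2.x addresses are placeholders.
SAMPLE_LIST='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager01 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 192.0.2.10, Active
   ID: 002, Name: db01, IP: 192.0.2.11, Disconnected
   ID: 003, Name: cache01, IP: 192.0.2.12, Never connected'

# Reads the list on stdin, prints "id name status" for every agent whose
# status does not start with "Active", and returns 1 if any were printed.
inactive_agents() {
  awk -F', ' '
    /^ *ID: / {
      id = $1;   sub(/^ *ID: /, "", id)
      name = $2; sub(/^Name: /, "", name)
      status = $NF               # last comma-separated field is the state
      if (status !~ /^Active/) { print id, name, status; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# On a manager: sudo /var/ossec/bin/agent_control -l | inactive_agents
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LIST" | inactive_agents \
  || echo "one or more agents are not active"
```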
Step 13 - Basic Firewall Configuration on Agent
Agents normally only initiate outbound traffic to the manager, so this inbound rule is not strictly required; we allow OSSEC traffic here as a precaution.
sudo ufw allow 1514/udp
sudo ufw reload
Final Verification
On both manager and agent systems we can confirm OSSEC is running:
sudo /var/ossec/bin/ossec-control status
All OSSEC components should be listed as running without errors.
Conclusion
We have successfully installed OSSEC HIDS on Debian 13, configured a central manager, added an agent, and enabled OSSEC to run as a system service. With correct agent registration and firewall configuration, OSSEC operates smoothly to monitor servers and detect security events.
This setup provides a strong foundation for host-based security monitoring in Debian environments and helps us maintain better visibility and protection across our infrastructure.

