Know How:Server - OSSEC Wiki

How the server manages the agent(s).

The server will open port 1514 (by default) and listen for messages from the clients. Only the IP of the clients will be allowed.
Every 10 minutes, the client will send an status notification to the server. This status message contain some information about the agent system and information about the files it has on the shared directory.
The server will receive the status message, update the agent status file and check if it has any file to be sent to the agent. If it has, it will connect to the agent and send the file.
Every message will be encrypted.