Install and configure OSSEC (Host-based Intrusion Detection System) - By Subhash C

OSSEC is used to meet PCI compliance requirements for central logging and intrusion monitoring with a free, self-managed solution. OSSEC monitors all types of logs such as syslog, Apache, mail logs, MySQL logs, FTP logs, and more.

1. Deploying OSSEC core server:

2. Extract the compressed OSSEC package and run the “./” script (it will guide you through the installation).

# tar -xvf ossec-hids-2.7.tar.gz 
# cd ossec-hids-2.7
# ./

The interactive installation begins and prompts for the installation type: server, agent, or local. You can define the installation path, but by default OSSEC installs in the /var/ossec directory. It is advised to accept the default settings and follow the prompts to the end of the installation. OSSEC is then compiled and installed according to the options provided.

Select the language (in this example it is EN)

Select the type of installation as server

Accept the default folder, unless you want to change it:

Enable email notification by specifying the email address which will be used to send email alerts FROM:

If setup fails to determine your SMTP gateway automatically, you may specify it manually (change the IP as necessary to reflect your environment):

Enable integrity check daemon:

Enable rootkit detection daemon:

Whether or not you enable “Active response” is up to you, although in a production environment it can be quite risky.

We will not be using Syslog daemon feature in this example, so disable it.

OSSEC core server installation is now completed.

1. Generating client keys

OSSEC server with the agent names in order to generate unique authentication keys required to bind the agent to the corresponding OSSEC server.

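a. First, create an agents.txt file containing the IPs and names, separated by a comma, of all target Linux servers:,rwca1
b. Place this file in the /var/ossec folder on the OSSEC server (manage_agents runs chrooted to /var/ossec, so the file path given to it is relative to that folder).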
c. Now execute the following command: /var/ossec/bin/manage_agents -f /agents.txt
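
The IP,NAME file from step a feeds straight into key generation, so a malformed or duplicated line is worth catching before step c. The check below is an added example, not part of the original post or of OSSEC; the function name validate_agents_file, the sample addresses and the name rule (2-32 characters of letters, digits, '.', '_', '-') are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a bulk agents file (one "IP,NAME" per line)
# before passing it to manage_agents -f.
# Assumed rules (not from the page): plain IPv4 only, names of 2-32
# characters from [A-Za-z0-9._-], no duplicate IPs or names.
validate_agents_file() {
    # $1 = path to the file; prints one message per bad line, returns 1 on any error
    awk -F',' '
    function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; errors++ }
    /^[ \t]*$/ { next }                         # ignore blank lines
    NF != 2    { bad("expected exactly IP,NAME"); next }
    {
        ip = $1; name = $2
        n = split(ip, oct, ".")
        ok = (n == 4)
        for (i = 1; ok && i <= 4; i++)
            if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3 || oct[i] + 0 > 255) ok = 0
        if (!ok) { bad("invalid IPv4 address"); next }
        if (name !~ /^[A-Za-z0-9._-]+$/ || length(name) < 2 || length(name) > 32) {
            bad("invalid agent name"); next     # also catches stray spaces and CRLF
        }
        if (ip in seen_ip)     { bad("duplicate IP"); next }
        if (name in seen_name) { bad("duplicate agent name"); next }
        seen_ip[ip] = 1; seen_name[name] = 1
    }
    END { exit (errors > 0) }
    ' "$1"
}

# Constructed sample input (documentation addresses, hypothetical host names)
sample=$(mktemp)
printf '%s\n' '192.0.2.10,web01' '192.0.2.11,db01' \
              '192.0.2.10,web02' '192.0.2.300,app01' > "$sample"
validate_agents_file "$sample" || echo "fix the file before running manage_agents -f"
rm -f "$sample"
```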

1. Start OSSEC Server

# /var/ossec/bin/ossec-control start
# /var/ossec/bin/ossec-control restart
# /var/ossec/bin/ossec-control stop

2. Install the OSSEC Agents

Follow the server installation steps above, but choose the installation type agent instead of server.

# tar -xvf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7
# ./
Select the type of installation as agent

3. Add Agents to OSSEC Manager

To add an agent to an OSSEC manager with manage_agents you need to follow the steps below.
  1. Run manage_agents on the OSSEC server.
  2. Add an agent.
  3. Extract the key for the agent.
  4. Copy that key to the agent.
  5. Run manage_agents on the agent.
  6. Import the key copied from the manager.
  7. Restart the manager’s OSSEC processes.
  8. Start and restart the agent.

4. Verify successful installation of the agent

Then verify that the client has been installed successfully and is communicating with the OSSEC server.

# tail -f /var/ossec/logs/ossec.log

5. Deploy OSSEC Web UI dashboard

Install PHP for OSSEC UI

# yum install php-mysql php-devel php-gd php-pecl-memcache php-pspell php-snmp php-xmlrpc php-xml

Start Apache:
# /etc/init.d/httpd start
Configure Apache autostart:
# /sbin/chkconfig httpd on
Restart Apache:
# /etc/init.d/httpd restart

Download OSSEC webUI module

# cd /var/www/html/
# tar -xvf ossec-wui-0.8-alpha-0.tar.gz
# mv ossec-wui-0.8-alpha ossec-wui
Switch to the ossec-wui directory and run:
./ - specify a user and password to protect the Web UI.

Add the apache user to the ossec group:
Change permissions for the /var/ossec/tmp directory:
# chmod 770 /var/ossec/tmp/
# chgrp apache /var/ossec/tmp/
# /etc/init.d/httpd restart
# /var/ossec/bin/ossec-control restart (restart the OSSEC server)

Access the OSSEC web portal: http://your-ip-address/ossec-wui

In the above URL, replace your-ip-address with the IP address where you installed ossec-wui.
