Written by Pravin on October 20, 2008 – 6:23 am -

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

Installing OSSEC on Linux:

cd /tmp
wget http://www.ossec.net/files/ossec-hids-0.9-1a.tar.gz
tar xvfz ossec-hids-0.9-1a.tar.gz
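The download above is unpacked with no check that the tarball is the one the project published. As an added example (not part of the original post), the shell functions below fetch a tarball and refuse to extract it unless its SHA-256 matches a digest you obtained separately from the project; the post publishes no digest, so the value you pass is an assumption you must supply yourself, and the placeholder in the usage line is not a real OSSEC checksum:

```shell
#!/bin/sh
# Added example, not from the original post: download a tarball and only
# unpack it when its SHA-256 matches a digest obtained out of band.
# ASSUMPTION: you supply the expected digest (e.g. from the project's own
# release announcement); nothing here knows the real OSSEC checksum.

# sha256_of FILE -> prints the hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_digest FILE EXPECTED_HEX -> 0 if FILE's SHA-256 equals EXPECTED_HEX
# (compared case-insensitively), 1 otherwise.
verify_digest() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_and_unpack URL EXPECTED_HEX -> downloads into the current directory,
# verifies the digest, and extracts only on a match. On mismatch the file is
# left in place for inspection but is never untarred.
fetch_and_unpack() {
    url=$1
    expected=$2
    file=${url##*/}
    wget -q -O "$file" "$url" || { echo "download failed: $url" >&2; return 1; }
    if verify_digest "$file" "$expected"; then
        tar xzf "$file" && echo "verified and unpacked $file"
    else
        echo "SHA-256 mismatch for $file, not unpacking" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $(sha256_of "$file")" >&2
        return 1
    fi
}

# Usage (the digest argument is a placeholder, replace it with the real one):
# cd /tmp && fetch_and_unpack http://www.ossec.net/files/ossec-hids-0.9-1a.tar.gz <sha256-hex>
```

The comparison is done on the file that will actually be extracted, not on a separately downloaded copy, so a substituted tarball cannot slip in between the check and the `tar` step.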

Then we change into the unpacked directory and run the installation script, install.sh, that ships in the tarball:

cd ossec-hids-0.9-1a
./install.sh

The installation script will ask you a few questions:

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l’installazione in Italiano, scegli [it].
** 日本語でインストールします．選択して下さい．[jp].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Türkçe kurulum için seçin [tr].
(en/br/de/es/fr/it/jp/pl/ru/tr) [en]: <– en (or one of the other options, if you don’t want to use English)

OSSEC HIDS v0.9-1 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux server.domain.com 2.6.8-2-386
- User: root
- Host: server.domain.com

— Press ENTER to continue or Ctrl-C to abort. – <– [ENTER]

1- What kind of installation do you want (server, agent, local or help)? <– local (a local installation monitors only this host; choose server if agents on other machines will report to it, and agent if this host will report to such a server)

- Choose where to install the OSSEC HIDS [/var/ossec]: <– /var/ossec

3.1- Do you want e-mail notification? (y/n) [y]: <– y

- What’s your e-mail address? <– domain@domain.com (please enter your own email address here)

- We found your SMTP server as: mail.domain.com.
- Do you want to use it? (y/n) [y]: <– y (normally you can accept the installer’s proposal, unless you want to use another SMTP server)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: <– y

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <– y

3.4- Do you want to enable active response? (y/n) [y]: <– y

3.5- Do you want to enable the firewall-drop response? (y/n) [y]: <– y

- Do you want to add more IPs to the white list? (y/n)? [n]: <– n (unless you want to whitelist more IP addresses; with the firewall-drop response enabled, any address you administer this server from, such as your workstation or a monitoring host, belongs on the white list so that a burst of failed logins from it cannot get you locked out)

3.6- Setting the configuration to analyze the following logs:
– /var/log/messages
– /var/log/auth.log
– /var/log/syslog
– /var/log/mail.info

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

— Press ENTER to continue — <– [ENTER]

- System is Linux (SysV).
- Init script modified to start OSSEC HIDS during boot.
Adding system startup for /etc/init.d/ossec …
/etc/rc0.d/K20ossec -> ../init.d/ossec
/etc/rc1.d/K20ossec -> ../init.d/ossec
/etc/rc6.d/K20ossec -> ../init.d/ossec
/etc/rc2.d/S20ossec -> ../init.d/ossec
/etc/rc3.d/S20ossec -> ../init.d/ossec
/etc/rc4.d/S20ossec -> ../init.d/ossec
/etc/rc5.d/S20ossec -> ../init.d/ossec

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). — <– [ENTER]

That’s it, OSSEC HIDS is now installed and ready to be started.
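The installer only watches the four log files listed above and the white list you gave it. Adding more is done in /var/ossec/etc/ossec.conf, as the installer says. The fragment below is an added example, not text from the original post or from the OSSEC distribution: it adds two more localfile entries and a second white-listed host. The file paths and the address 192.0.2.10 are assumptions standing in for your own.

```xml
<ossec_config>
  <global>
    <!-- Hosts that active response must never block, for example the
         workstation you administer this server from.
         192.0.2.10 is an assumed example address. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- One localfile block per additional file to monitor. log_format tells
       the analysis engine how to read the records: "syslog" for ordinary
       line-oriented logs, "apache" for Apache access and error logs. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>
</ossec_config>
```

OSSEC accepts several `<ossec_config>` blocks in one file, so the fragment can be appended as-is rather than merged into the existing block. The daemons read the configuration only at start-up, so after editing run /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for a line reporting that each new file is being analyzed.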

Starting And Running OSSEC HIDS:

In order to start OSSEC HIDS, we run this command:

/etc/init.d/ossec start

The output should look like this:

server1:/etc/init.d# /etc/init.d/ossec start
Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)…
Started ossec-maild…
Started ossec-execd…
Started ossec-analysisd…
Started ossec-logcollector…
Started ossec-syscheckd…

As you might have seen during OSSEC HIDS installation, the installer also created the necessary system startup links for OSSEC HIDS, so that OSSEC HIDS will be started automatically whenever you boot/reboot your system.

After OSSEC HIDS has been started, it will run silently in the background, performing log analysis, integrity checking, rootkit detection, etc. You can check that it’s running by executing

ps aux

In the output you should find something like this:

ossecm    2038  0.0  0.4  1860  792 ?        S    12:40   0:00 /var/ossec/bin/ossec-maild
root      2042  0.0  0.3  1736  648 ?        S    12:40   0:00 /var/ossec/bin/ossec-execd
ossec     2046  0.2  0.5  2192 1136 ?        S    12:40   0:00 /var/ossec/bin/ossec-analysisd
root      2050  0.0  0.2  1592  556 ?        S    12:40   0:00 /var/ossec/bin/ossec-logcollector
root      2054 12.2  0.3  1756  616 ?        S    12:40   0:05 /var/ossec/bin/ossec-syscheckd

The OSSEC HIDS log file is /var/ossec/logs/ossec.log, which records the daemons’ own start-up messages and errors, so you can check it to see what’s going on, e.g. with the tail command. The alerts themselves (the events that trigger e-mail or active response) are written separately to /var/ossec/logs/alerts/alerts.log.

tail -f /var/ossec/logs/ossec.log

shows what’s happening in real-time. Press CTRL-C to leave it.

tail -n 100 /var/ossec/logs/ossec.log

shows you the last 100 lines of the OSSEC HIDS log.
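Looking at ps and the log by eye works once, but a check you can run after every reboot or upgrade is more useful. The script below is an added example, not from the original post: it confirms that all five daemons a local installation starts are present in a ps listing and counts ERROR lines in ossec.log-style text. The sample listing is the one from the post, and the sample log lines are constructed for this example; the PIDs and timestamps in them are made up.

```shell
#!/bin/sh
# Added example, not from the original post: verify the five daemons of a
# "local" OSSEC installation are running and count ERROR lines in ossec.log.
# SAMPLE_PS, SAMPLE_PS_BROKEN and SAMPLE_LOG below are constructed test data.

# Daemons that ossec-control starts for a local installation (as in the
# "Started ..." lines printed by /etc/init.d/ossec start).
OSSEC_DAEMONS="ossec-maild ossec-execd ossec-analysisd ossec-logcollector ossec-syscheckd"

# check_daemons PS_OUTPUT -> prints each daemon that is missing from the
# listing; returns 0 when all five are present, 1 when any is absent.
check_daemons() {
    missing=0
    for d in $OSSEC_DAEMONS; do
        if ! printf '%s\n' "$1" | grep -q "/var/ossec/bin/$d"; then
            echo "not running: $d"
            missing=1
        fi
    done
    return $missing
}

# count_log_errors LOG_TEXT -> prints the number of lines carrying an
# ": ERROR: " marker (grep -c prints 0 on no match, so its exit status is ignored).
count_log_errors() {
    printf '%s\n' "$1" | grep -c ': ERROR: ' || true
}

# live_check -> the same two checks against the real host; run as root.
live_check() {
    check_daemons "$(ps aux)"
    echo "ERROR lines in the last 100 lines of ossec.log: $(count_log_errors "$(tail -n 100 /var/ossec/logs/ossec.log)")"
}

# Constructed sample data: the ps listing from the post, the same listing
# with ossec-syscheckd gone, and three made-up ossec.log lines.
SAMPLE_PS='ossecm    2038  0.0  0.4  1860  792 ?        S    12:40   0:00 /var/ossec/bin/ossec-maild
root      2042  0.0  0.3  1736  648 ?        S    12:40   0:00 /var/ossec/bin/ossec-execd
ossec     2046  0.2  0.5  2192 1136 ?        S    12:40   0:00 /var/ossec/bin/ossec-analysisd
root      2050  0.0  0.2  1592  556 ?        S    12:40   0:00 /var/ossec/bin/ossec-logcollector
root      2054 12.2  0.3  1756  616 ?        S    12:40   0:05 /var/ossec/bin/ossec-syscheckd'
SAMPLE_PS_BROKEN=$(printf '%s\n' "$SAMPLE_PS" | grep -v ossec-syscheckd)

SAMPLE_LOG='2008/10/20 12:40:01 ossec-analysisd: INFO: Started (pid: 2046).
2008/10/20 12:40:01 ossec-syscheckd: INFO: Started (pid: 2054).
2008/10/20 12:41:13 ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)'

# Run the checks against the constructed samples.
check_daemons "$SAMPLE_PS" && echo "sample listing: all daemons present"
check_daemons "$SAMPLE_PS_BROKEN" || echo "broken listing: a missing daemon was detected"
echo "ERROR lines in sample log: $(count_log_errors "$SAMPLE_LOG")"
```

On a real host call live_check from cron or your monitoring system; a non-zero exit from check_daemons means a daemon died (syscheckd in particular exits if it cannot read a monitored directory), and a rising error count usually points at the SMTP server configured in step 3.1.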
