OSSEC installation guide
 
 
OSSEC is an open source host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
Official documentation: http://www.ossec.net/doc/index.html
 
 
How to install OSSEC
Download the latest version
# wget http://www.ossec.net/files/ossec-hids-2.7.1-beta-1.tar.gz
 
 
Extract the compressed package and run the "./install.sh" script (it will guide you through the installation).
# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
# cd ossec-hids-*
# ./install.sh
 
 
Follow the installation prompts and complete all steps.
Install the server on the server host.
Install the agent on each client host.
 
 
The configuration part
 
Add the client agent on the server host.
On the server machine, run:
# /var/ossec/bin/manage_agents
Select "A" to enter the add-agent menu, then input the agent name and IP.
Go back to the main menu and select "E" to extract the key for the client agent.
Copy the key somewhere safe for use on the agent machine.
On the agent machine, run:
# /var/ossec/bin/manage_agents
Select "I" to import the key that was just extracted on the server machine.
You are all set now!
 
 
Some simple command examples
Check the status of your agents
# /var/ossec/bin/agent_control -lc
or
# /var/ossec/bin/agent_control -i agentID

Check the latest log status
# tail -F /var/ossec/logs/ossec.log

Start/stop the OSSEC processes
# /var/ossec/bin/ossec-control start
# /var/ossec/bin/ossec-control stop

Open the manage agents main menu
# /var/ossec/bin/manage_agents
 
Issues:
There is a bug in the official 2.7 build that causes agents to disconnect after a few minutes. To resolve it, you may need to upgrade to version 2.7.1 beta.
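
To catch the agent disconnects described above, the agent list can be checked from a script. This is an added example, not part of the original guide: it uses "agent_control -l" (all agents) rather than "-lc", and it assumes the listing layout shown in the constructed sample, where agent names and IPs are made up.

```shell
#!/bin/sh
# Added example: report OSSEC agents that are registered but not Active.
# SAMPLE_LISTING is constructed data modelled on `agent_control -l` output
# (assumed layout); the agent names and IP addresses are made up.
SAMPLE_LISTING='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: mgr01 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Disconnected
   ID: 003, Name: build01, IP: 10.0.0.7, Never connected'

# Read an agent listing on stdin and print "ID name status" for every
# agent whose status is anything other than Active or Active/Local.
inactive_agents() {
    awk -F', ' '
        /^[ \t]*ID: / {
            id = $1;     sub(/^[ \t]*ID: /, "", id)
            name = $2;   sub(/^Name: /, "", name)
            status = $NF; sub(/[ \t]+$/, "", status)
            if (status !~ /^Active/) print id, name, status
        }'
}

# Number of inactive agents on stdin, suitable for a cron or monitoring check.
inactive_count() {
    inactive_agents | wc -l | tr -d ' '
}

# Use the real tool when it is installed, otherwise the constructed sample.
agent_listing() {
    if [ -x /var/ossec/bin/agent_control ]; then
        /var/ossec/bin/agent_control -l
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

agent_listing | inactive_agents
```

Run it on the server host as a user allowed to execute agent_control; an agent that keeps reappearing in the output after a restart matches the disconnect issue described above.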