OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
The official documentation: http://www.ossec.net/doc/index.html
How to install OSSEC
- Download the latest version
#wget http://www.ossec.net/files/ossec-hids-2.7.1-beta-1.tar.gz
- Extract the compressed package and run the "./install.sh" script (it will guide you through the installation).
# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
# cd ossec-hids-*
# ./install.sh
- Follow the installation prompts and complete all steps. When install.sh asks for the installation type:
Choose "server" on the server host.
Choose "agent" on each client host.
Configuration
Add the client agent to the server.
- On the server, run:
#/var/ossec/bin/manage_agents
- Select "A" to enter the add-agent menu, and input the agent name and IP. The IP must be the address the agent will connect from (or "any"); a mismatch is a common reason an agent never shows up as connected.
- Go back to the main menu and select "E" to extract the key for the client agent.
- Copy the key to the agent machine. The key is a shared secret: whoever holds it can impersonate the agent and feed forged events to the server and read its traffic, so move it over an authenticated channel such as scp, not e-mail or chat.
- On the agent machine, run:
#/var/ossec/bin/manage_agents
- Select "I" to import the key you just extracted on the server.
- Restart OSSEC on the agent (#/var/ossec/bin/ossec-control restart), and on the server if it was running while the agent was added, so the new entry in /var/ossec/etc/client.keys is read.
You are all set now!
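Before importing a key on the agent it is worth checking that what was pasted is intact and matches the host. The following shell function is an added example, not part of the original page or of the OSSEC project. It assumes what manage_agents "E" prints is the base64 encoding of the agent's client.keys line ("ID NAME IP KEY") and that an OSSEC-generated key is 64 hex characters; the sample agent name, IP and key are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of what manage_agents "E" would print for an agent
# (hypothetical ID, name, IP and key; the key is a dummy 64-hex-char value).
SAMPLE_LINE="001 web01 192.168.1.50 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_KEY=$(printf '%s' "$SAMPLE_LINE" | base64 | tr -d '\n')

# check_agent_key BASE64_BLOB EXPECTED_IP
#   Decodes the extracted key, validates the four fields and verifies the IP
#   the server registered matches the address this agent really uses.
#   Prints "ID NAME IP" and returns 0 on success; non-zero codes tell you why:
#   1 = not valid base64, 2 = wrong field layout, 3 = bad key, 4 = IP mismatch.
check_agent_key() {
    blob="$1"
    expect_ip="$2"
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || return 1
    # Split the decoded line into positional parameters on whitespace.
    # shellcheck disable=SC2086
    set -- $decoded
    [ $# -eq 4 ] || return 2
    id="$1"; name="$2"; ip="$3"; key="$4"
    # Agent ID must be purely numeric.
    case "$id" in *[!0-9]*|"") return 2 ;; esac
    # Assumption: OSSEC keys are 64 lowercase hex characters.
    case "$key" in *[!0-9a-f]*|"") return 3 ;; esac
    [ "${#key}" -eq 64 ] || return 3
    # The server only accepts the agent from the registered IP unless it was "any".
    [ "$ip" = "$expect_ip" ] || [ "$ip" = "any" ] || return 4
    echo "$id $name $ip"
    return 0
}

# Usage: run against the blob you copied and the agent's own address.
# check_agent_key "$SAMPLE_KEY" 192.168.1.50
```

Run the check on the agent with its real outbound address; a return code of 4 before import saves a round of staring at agent_control output later.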
Some simple command examples.
- Check the status of your agents (list connected agents, or show details for one agent by ID)
#/var/ossec/bin/agent_control -lc
#/var/ossec/bin/agent_control -i agentID
- Follow the OSSEC log in real time
# tail -F /var/ossec/logs/ossec.log
- Start/stop the OSSEC processes
#/var/ossec/bin/ossec-control start/stop
- Manage agent main menu
#/var/ossec/bin/manage_agents
Issues:
There is a bug in the official 2.7 build that makes agents disconnect after a few minutes. To resolve it, you may need to upgrade to version 2.7.1 beta.