OSSEC is an open source host-based intrusion detection system (HIDS) used to keep track of server activity. It supports most operating systems, including Linux, FreeBSD, OpenBSD, Windows and Solaris. It can monitor a single server, or many servers in server/agent mode, and gives you a real-time view of what is happening on them. Its cross-platform architecture lets you monitor multiple systems from a centralized location.
First, refresh your system's package index. You can do this with the following command:
apt-get update -y
Next, install the packages needed to build OSSEC from source:
sudo apt install build-essential gcc make unzip sendmail inotify-tools expect libevent-dev libpcre2-dev libz-dev libssl-dev -y
Then download the OSSEC sources from the GitHub repository with the following command:
sudo wget -P /opt https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
The above command downloads the OSSEC source tarball into the /opt directory. Before building, extract it with the following command:
sudo tar -zxf /opt/3.7.0.tar.gz --directory /opt
Once the sources are downloaded and extracted, we can start the installation. Conveniently, an installer script is included with the sources; launch it as follows:
sudo sh /opt/ossec-hids-3.7.0/install.sh
The script first asks a few questions and then builds and installs OSSEC on the system.
When asked for the installation type, choose local to monitor the server OSSEC has been installed on.
Once the installation is completed, start OSSEC with the following command:
/var/ossec/bin/ossec-control start
The default configuration of OSSEC works fine. The OSSEC main configuration file is located in the /var/ossec/etc/ directory.
Now, open the OSSEC main configuration file ossec.conf using the following command:
nano /var/ossec/etc/ossec.conf
Add the <alert_new_files> tag so OSSEC will report files that appear in the monitored directories. Also specify the directory you want to monitor with the <directories check_all="yes"> tag. You can also adjust how often OSSEC runs its integrity check (the frequency, in seconds).
<directories check_all="yes">/path/</directories>
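As an added example (not configuration from the original post), here is how those settings sit together inside the <syscheck> block that the default ossec.conf already contains; edit that block rather than adding a second one. /path/ is the page's placeholder for the directory to watch; the frequency value 7200 and the ignored path are assumed values for illustration:

```xml
<ossec_config>
  <syscheck>
    <!-- Run the integrity check every 7200 seconds (2 hours); assumed value -->
    <frequency>7200</frequency>

    <!-- Report files that appear in monitored directories,
         not only changes to files that already existed -->
    <alert_new_files>yes</alert_new_files>

    <!-- Directory to watch; check_all compares size, permissions,
         owner, group, md5 and sha1 of every file under it -->
    <directories check_all="yes">/path/</directories>

    <!-- Assumed: skip a path that legitimately changes all the time,
         otherwise it will drown real alerts in noise -->
    <ignore>/path/cache</ignore>
  </syscheck>
</ossec_config>
```

After saving, restart OSSEC with /var/ossec/bin/ossec-control restart so the new syscheck settings are loaded; the first scan builds the baseline, and only subsequent scans can report additions or changes.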
Just adding the folder usually won’t trigger alerts, so if you want alerts you’ll have to edit a rule.
nano /var/ossec/rules/local_rules.xml
Add the text below within the <group name="local,syslog,"> tag.
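As an added example, not text from the original post, this is the kind of override that turns new-file detections into alerts. It assumes the stock OSSEC rule set, in which the built-in rule 554 ("File added to the system") ships at level 0, meaning the event is recorded but never alerted; overwriting it in local_rules.xml at a higher level makes it visible. The level value 7 is an assumption; choose one at or above the log_alert_level set in the <alerts> section of ossec.conf.

```xml
<group name="local,syslog,">
  <!-- Built-in rule 554 ("File added to the system") is level 0 in the stock
       rule set, so syscheck new-file events are logged but never alerted.
       overwrite="yes" replaces it with this copy at an alerting level.
       The level (7) is an assumed value; pick one at or above log_alert_level. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

To verify the rule, restart OSSEC, create a file under the monitored directory and, after the next syscheck scan, look for a "File added to the system" entry in /var/ossec/logs/alerts/alerts.log.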
OSSEC can be configured in many ways; explore the options and read the official documentation.