How to Install and Configure OSSEC on Ubuntu Linux

2022-11-26
Mirsad

OSSEC is an open source host-based intrusion detection system that can be used to keep track of server activity. It supports most operating systems, including Linux, FreeBSD, OpenBSD, Windows, Solaris and more. It can monitor a single server or many servers in server/agent mode and gives you a real-time view into what’s happening on your systems. OSSEC has a cross-platform architecture that lets you monitor multiple systems from a centralized location.

First, update your system's package lists. You can do this with the following command:

apt-get update -y

Next, install the packages needed to build OSSEC from source.

sudo apt install build-essential gcc make unzip sendmail inotify-tools expect libevent-dev libpcre2-dev libz-dev libssl-dev -y

Install OSSEC

Download the OSSEC release from the GitHub repository with the following command:

sudo wget -P /opt https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz

The above command downloads the OSSEC source tarball into the /opt directory. Before building, we need to extract it. We’ll use the next command:

sudo tar -zxf /opt/3.7.0.tar.gz --directory /opt

Once downloaded and extracted, we can start the installation. Conveniently, the source tree already includes an installer script for this task. We launch this installer:

sudo sh /opt/ossec-hids-3.7.0/install.sh

This runs the script, which first asks a few questions and then builds and installs OSSEC on our system.

When the installer asks for the installation type, choose local to monitor the server it is being installed on.

Once the installation is completed, start OSSEC with the following command:

/var/ossec/bin/ossec-control start

Configure OSSEC

The default configuration of OSSEC works fine. The OSSEC main configuration file is located inside the /var/ossec/etc/ directory.
Now, open the OSSEC main configuration file ossec.conf using the following command:

nano /var/ossec/etc/ossec.conf

Add the <alert_new_files> tag so OSSEC reports files that appear in monitored directories. Also specify the directory you want to monitor with the <directories check_all="yes"> tag. You can also adjust how often OSSEC runs its integrity scan (time in seconds).

<directories check_all="yes">/path/</directories>

Just adding the folder usually won’t trigger alerts, so if you want alerts you’ll have to edit a rule.

nano /var/ossec/rules/local_rules.xml

Add the text below within the tag <group name="local,syslog,">.
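As an added example (not part of the original post), here are both pieces side by side: the syscheck fragment for ossec.conf and a local rule that raises the level of OSSEC's built-in "file added" rule so that new files produce an alert. The paths and scan frequency are placeholder values.

```xml
<!-- Added example, not from the original post. -->
<!-- Part 1: fragment for /var/ossec/etc/ossec.conf -->
<ossec_config>
  <syscheck>
    <!-- Full integrity scan interval in seconds (placeholder: every 2 hours) -->
    <frequency>7200</frequency>
    <!-- Report files that appear in monitored directories, not only changed ones -->
    <alert_new_files>yes</alert_new_files>
    <!-- check_all compares size, permissions, owner and hashes.
         /srv/www is a placeholder path; realtime uses inotify where compiled in. -->
    <directories check_all="yes" realtime="yes">/etc,/srv/www</directories>
  </syscheck>
</ossec_config>

<!-- Part 2: fragment for /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,">
  <!-- OSSEC ships rule 554 ("File added to the system.") at level 0, so new-file
       events are logged but never alerted. Redefining it here with overwrite="yes"
       at level 7 makes them reach the alert log and, with the default
       email_alert_level of 7, email notifications as well. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After editing, restart OSSEC with /var/ossec/bin/ossec-control restart and create a test file under a monitored directory to confirm an alert appears in /var/ossec/logs/alerts/alerts.log.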

OSSEC can be configured in many ways; explore as much as you can and read the official documentation.

ALVOSEC