OSSEC installation guide

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.

The official document link: http://www.ossec.net/doc/index.html


How to install OSSEC

  1. Download the latest version
    #wget http://www.ossec.net/files/ossec-hids-2.7.1-beta-1.tar.gz


  2. Extract the compressed package and run the “./install.sh” script (it will guide you through the installation).
    # tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
    # cd ossec-hids-*
    # ./install.sh


  3. Follow the installation prompts and complete all steps.
    Install Server on server host.
    Install Agent on client host.


The configuration part

Add client agent into Server host.

  • On the server machine, run:
    #/var/ossec/bin/manage_agents
  • Select "A" to open the add-agent menu, then enter the agent name and IP.
  • Return to the main menu and select "E" to extract the key for the client agent.
  • Copy the key somewhere safe for use on the agent machine.
  • On the agent machine, run:
    #/var/ossec/bin/manage_agents
  • Select "I" to import the key you just extracted from the server machine.

You are all set now!
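The blob printed by manage_agents "E" is the base64 of the agent's client.keys line ("ID NAME IP KEY"), and that is exactly what "I" on the agent decodes. As an added example (not part of this guide or of OSSEC), the script below decodes such a blob and checks that it really names the agent and IP you are about to import it on, and parses a client.keys file into a dictionary; the sample key is constructed and not a real one.

```python
import base64
import re

# Constructed sample (not a real key): the base64 that manage_agents "E" prints for this line.
SAMPLE_KEYS_LINE = "001 webserver01 192.0.2.10 " + "a" * 64
SAMPLE_EXPORT = base64.b64encode(SAMPLE_KEYS_LINE.encode()).decode()

IP_RE = re.compile(r"any|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?")  # client.keys allows "any" and CIDR
KEY_RE = re.compile(r"[0-9a-f]{64}")  # OSSEC agent keys are 64 hex characters


def parse_keys_line(line):
    """Split one 'ID NAME IP KEY' line and sanity-check each field."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("expected 'ID NAME IP KEY', got %d fields" % len(parts))
    agent_id, name, ip, key = parts
    if not agent_id.isdigit():
        raise ValueError("agent id is not numeric: %r" % agent_id)
    if not IP_RE.fullmatch(ip):
        raise ValueError("unexpected ip field: %r" % ip)
    if not KEY_RE.fullmatch(key):
        raise ValueError("key is not 64 hex characters")
    return agent_id, name, ip, key


def decode_agent_key(blob):
    """Decode the blob manage_agents 'E' printed; rejects anything that is not base64 text."""
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("not a valid manage_agents export blob") from exc
    return parse_keys_line(raw)


def check_export_matches(blob, expected_name, expected_ip):
    """Before 'I' on the agent: confirm the copied blob really names this agent and IP."""
    _, name, ip, _ = decode_agent_key(blob)
    return name == expected_name and ip == expected_ip


def parse_client_keys(text):
    """Parse /var/ossec/etc/client.keys content into {id: (name, ip, key)}.
    Agents removed with 'R' stay in the file with '!' prefixed to the name; skip them."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        agent_id, name, ip, key = parse_keys_line(line)
        if name.startswith("!"):
            continue
        entries[agent_id] = (name, ip, key)
    return entries
```

Run the check against the blob you copied from the server before pasting it into manage_agents "I"; a name or IP mismatch means you copied the wrong agent's key.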


Some simple command examples.

  1. Check the status of your agents
    #/var/ossec/bin/agent_control -lc
    or
    #/var/ossec/bin/agent_control -i agentID

  2. Check the latest log status
    # tail -F /var/ossec/logs/ossec.log

  3. Start/Stop OSSEC process
    #/var/ossec/bin/ossec-control start/stop

  4. Manage agent main menu
    #/var/ossec/bin/manage_agents

Issues:
There is a bug in the official 2.7 build that makes agents disconnect after a few minutes. To resolve it, you may need to upgrade to version 2.7.1 beta.

