How to install OSSEC

Posted on: November 24, 2015. Category: News, Servers, Website Tips

Getting started

Q. How do you keep track of authorized and unauthorized activity on your server?

A. OSSEC is one of the best current tools to monitor any suspicious activity.

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response. It can be used to monitor one server or thousands of servers in a server/agent mode.

If properly configured, OSSEC can give you a real-time view of what’s happening on your server.

This tutorial was made to show you how to install and configure OSSEC.

What are the benefits of OSSEC?

Below is an example of an email notification from OSSEC, showing that the file /var/ossec/etc/ossec.conf was modified.

[[code]]
OSSEC HIDS Notification.
2014 Nov 29 09:45:15

Received From: kuruji->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/var/ossec/etc/ossec.conf'
Size changed from '7521' to '7752'
[[/code]]

If you received such an alert, and you were not expecting that file to change, then you know that something unauthorized has happened on your server.

Here’s another example email alert from OSSEC, showing that the file /etc/ossec/testossec.txt was deleted.

[[code]]
OSSEC HIDS Notification.
2014 Nov 29 10:56:14

Received From: kuruji->syscheck
Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum."
Portion of the log(s):

File /etc/ossec/testossec.txt was deleted. Unable to retrieve checksum.
[[/code]]

Again, if you did not delete the file, you should figure out what is happening on your server.

As mentioned above, OSSEC does more than just monitoring; read on to learn more.

What you will need

This tutorial assumes you have a server with root access and a terminal or SSH client (such as PuTTY) to reach it.

  • Centos server
  • This tutorial is easiest to do as the root user:

[[code]]sudo su[[/code]]

  • Installation of OSSEC involves some compiling, so you need gcc and make installed. You can install both by installing a single package called build-essential
  • You also need to install a package called inotify-tools, which is required for real-time alerting to work.

To install all required packages, first update the server:

[[code]]apt-get update[[/code]]

Then install the packages:
[[code]]apt-get install build-essential inotify-tools[[/code]]

Download

In this step, you’ll download the OSSEC tarball and a file containing its cryptographic checksums.

Since this is a security article, we’re going to do a little extra work to verify that we’re installing valid software. The idea is that you generate the MD5 and SHA1 checksums of the downloaded OSSEC tarball and compare them with those in the checksum file. If they match, then you can assume that the tarball has not been tampered with.

[[code]]wget -U ossec http://www.downloadspot.com/wp-content/uploads/2015/11/ossec-hids-2.8.2.tar.gz[[/code]]
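The checksum comparison described above, as an added shell example that is not part of the original post: it assumes a checksum file saved next to the tarball in the OpenSSL-style `MD5(file)= hex` / `SHA1(file)= hex` layout (an assumption; adjust the two grep patterns if yours differs) and md5sum/sha1sum from coreutils.

```shell
# Added example (not from the original post). Verify a downloaded OSSEC tarball
# against the MD5 and SHA1 values in its checksum file before unpacking it.
# Assumed checksum-file layout (OpenSSL style; adjust the greps if yours differs):
#   MD5(ossec-hids-2.8.2.tar.gz)= <hex>
#   SHA1(ossec-hids-2.8.2.tar.gz)= <hex>
# Requires md5sum and sha1sum (coreutils).

# verify_tarball TARBALL CHECKSUM_FILE
# Returns 0 only if both published digests match the file on disk.
verify_tarball() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")

    # Published values: the hex after "= " on the line naming this file, lower-cased.
    want_md5=$(grep "^MD5($name)=" "$sums" | sed 's/.*= *//' | tr 'A-F' 'a-f')
    want_sha1=$(grep "^SHA1($name)=" "$sums" | sed 's/.*= *//' | tr 'A-F' 'a-f')
    if [ -z "$want_md5" ] || [ -z "$want_sha1" ]; then
        echo "$sums has no MD5 and SHA1 entry for $name; refusing to trust the download" >&2
        return 1
    fi

    # Digests of what was actually downloaded (first field of the *sum output).
    have_md5=$(md5sum "$tarball" | cut -d' ' -f1)
    have_sha1=$(sha1sum "$tarball" | cut -d' ' -f1)

    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $name: got $have_md5, expected $want_md5" >&2
        return 1
    fi
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "SHA1 mismatch for $name: got $have_sha1, expected $want_sha1" >&2
        return 1
    fi
    echo "$name: MD5 and SHA1 match the checksum file"
    return 0
}

# Usage: sh verify.sh ossec-hids-2.8.2.tar.gz CHECKSUM_FILE
if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2"
fi
```

Only untar the archive when the function returns 0; a mismatch on either digest means the download should be discarded and fetched again.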

Install

OSSEC can be installed on any server or VPS system.

Before installation can start, you have to untar the file. You do that by typing:

[[code]]tar -zxf ossec-hids-2.8.2.tar.gz[[/code]]

Now you should have a directory named ossec-hids-2.8.2. To start installation, you have to change (cd) into that directory:
[[code]]cd ossec-hids-2.8.2[[/code]]

If you list the contents of that directory, the only file of interest to us is install.sh. That’s the OSSEC installation script. To start the installation, type:
[[code]]./install.sh[[/code]]

You will have to answer some installation questions now.

The entries you should type are shown after each prompt.

So if your language is English, press ENTER. Otherwise, type the two letters for your language and press ENTER.

[[code]]
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
[[/code]]

After selecting the language, you should see this:
[[code]]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[[/code]]

Press ENTER and you will get:
[[code]]
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
[[/code]]

Type local and press ENTER to get:
[[code]]
  - Local installation chosen.

2- Setting up the installation environment.

  - Choose where to install the OSSEC HIDS [/var/ossec]:
[[/code]]

Accept the default and press ENTER to get:
[[code]]
    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:
[[/code]]

Press ENTER.
[[code]]
  - What's your e-mail address? user@example.com
[[/code]]

Type the email address where you want to receive notifications from OSSEC.
[[code]]
  - We found your SMTP server as: mail.example.com.
  - Do you want to use it? (y/n) [y]:

--- Using SMTP server:  mail.example.com.
[[/code]]

Press ENTER unless you have a specific SMTP server setting you want to use.

Now it’s time to let OSSEC know which checks it should be running. In response to each prompt from the script, accept the default by pressing ENTER.

ENTER for the integrity check daemon.

[[code]]
  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

- Running syscheck (integrity check daemon).
[[/code]]

ENTER for rootkit detection.
[[code]]
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

- Running rootcheck (rootkit detection).
[[/code]]

ENTER for active response.
[[code]]
  3.4- Active response allows you to execute a specific command based on the events received.

   Do you want to enable active response? (y/n) [y]:

   Active response enabled.
[[/code]]

Accept the defaults for firewall-drop response. Your output may show some IPv6 options – that’s fine.
[[code]]
  Do you want to enable the firewall-drop response? (y/n) [y]:

- firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 8.8.8.8
      - 8.8.4.4

   - Do you want to add more IPs to the white list? (y/n)? [n]:
[[/code]]

You can add your IP address here, but it’s not necessary.

OSSEC will now present a default list of files that it will monitor. Additional files can be added after installation, so press ENTER.

[[code]]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[[/code]]

By this time, the installer has all the information it needs to install OSSEC. Kick back and let the installer do its thing. Installation takes about 5 minutes. If installation is successful, you are now ready to start and configure OSSEC.

Note: One reason installation might fail is if a compiler is not installed. In that case, you’ll get an error like this:

[[code]]
5- Installing the system
 - Running the Makefile
./install.sh: 85: ./install.sh: make: not found

 Error 0x5.
 Building error. Unable to finish the installation.
[[/code]]

If you get that error, then you need to install build-essential, as explained in the "What you will need" section of this tutorial.

If installation succeeds, you should see this type of output:

[[code]]
 - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    ---  Press ENTER to finish (maybe more information below). ---
[[/code]]

OSSEC is now installed. The next step is to start it.

Start OSSEC

By default OSSEC is configured to start at boot, but the first time, you’ll have to start it manually.

If you want to check its current status, type:

[[code]]/var/ossec/bin/ossec-control status[[/code]]

Expected output:
[[code]]
ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...
[[/code]]

That tells you that none of OSSEC’s processes are running.

To start OSSEC, type:

[[code]]/var/ossec/bin/ossec-control start[[/code]]

You should see it starting up:
[[code]]
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[[/code]]

If you check the status again, you should get confirmation that OSSEC is now running.
[[code]]/var/ossec/bin/ossec-control status[[/code]]

This output shows that OSSEC is running:
[[code]]
ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
[[/code]]

Right after starting OSSEC, you should get an email that reads like this:
[[code]]
OSSEC HIDS Notification.
2014 Nov 30 11:15:38

Received From: ossec2->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.
[[/code]]

That’s another confirmation that OSSEC is working and will send you email alerts whenever something it’s configured to monitor happens. Even when it is restarted, OSSEC will send you an email.

If you didn’t get this email right away, don’t worry. You may still need to tweak your email settings (which we’ll cover later in the tutorial) to make sure your OSSEC server’s emails can get through to your mail provider. This is especially true for some 3rd-party email service providers like Google and Fastmail.

Configure OSSEC for Real-time Alerts on File Modifications

Next, work with OSSEC’s files and directories, and learn how to change OSSEC’s monitoring and alert settings.

OSSEC’s directory structure

OSSEC’s default directory is a chroot-ed (sandbox) environment that only a user with root (admin) privileges can access. A standard user cannot cd into /var/ossec or even list the files in it. As the root (or admin) user, however, you can.

So, cd into the installation directory by typing:

[[code]]cd /var/ossec[[/code]]

To list the files in your new working directory, type:
[[code]]ls -lgG[[/code]]

You should see these files and directories:
[[code]]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[[/code]]

  • OSSEC’s main configuration file is in the /var/ossec/etc directory.
  • Predefined rules are in the /var/ossec/rules directory.
  • Commands used to manage OSSEC are in /var/ossec/bin.
  • Take note of the /var/ossec/logs directory. If OSSEC ever throws an error, the /var/ossec/logs/ossec.log file in that directory is the first place to look.

Main configuration file, /var/ossec/etc/ossec.conf

To access the main configuration file, you have to change into /var/ossec/etc. To do that, type:

[[code]]cd /var/ossec/etc[[/code]]

If you do an ls while in that directory, you’ll see these files and directories:
[[code]]ls -lgG[[/code]]

Results:
[[code]]
total 120
-r--r----- 1 97786 Sep  8 22:03 decoder.xml
-r--r----- 1  2842 Sep  8 22:03 internal_options.conf
-r--r----- 1  3519 Oct 30 13:46 localtime
-r--r----- 1  7752 Nov 29 09:45 ossec.conf
-rw-r----- 1    87 Nov 20 20:56 ossec-init.conf
drwxrwx--- 2  4096 Nov 20 21:00 shared
[[/code]]

The main configuration file is /var/ossec/etc/ossec.conf.

Before modifying the file, make a backup copy, just in case. To make that copy, use the cp command like so:

[[code]]cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.00[[/code]]

The idea is if your changes don’t work or mess up the system, you can revert to the copy and be back to normal. It’s the simplest disaster recovery practice that you should always take advantage of.

Now, open ossec.conf by using the nano editor.

[[code]]nano /var/ossec/etc/ossec.conf[[/code]]

The configuration file is a very long XML file with several sections.

Email settings

The first configuration options you’ll see are the email credentials you specified during installation. If you need to specify a different email address and/or SMTP server, this is the place to do it.

[[code]]
<global>
    <email_notification>yes</email_notification>
    <email_to>user@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@ossec_server</email_from>
</global>
[[/code]]

By default, OSSEC sends at most 12 emails per hour, so you’ll not be flooded with email alerts. You can increase or decrease that value by adding the <email_maxperhour>N</email_maxperhour> setting to that section so that it reads:
[[code]]
<global>
    <email_notification>yes</email_notification>
    <email_to>user@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@ossec_server</email_from>
    <email_maxperhour>N</email_maxperhour>
</global>
[[/code]]

Please replace N with the number of emails you want to receive per hour, between 1 and 9999.

Some third-party email service providers (Google and Fastmail, for example) will silently drop alerts sent by OSSEC if the <email_from> address does not contain a valid domain part, like the one in the code block above. To avoid that, make sure that the email address contains a valid domain part. For example:

[[code]]
<global>
    <email_notification>yes</email_notification>
    <email_to>user@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>user@ossec_server.com</email_from>
</global>
[[/code]]

The <email_to> and <email_from> addresses can be the same. For example:
[[code]]
<global>
    <email_notification>yes</email_notification>
    <email_to>user@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>user@example.com</email_from>
</global>
[[/code]]

If you don’t want to use an external email provider’s SMTP server, you can specify your own SMTP server. If your SMTP server is running on the same server as OSSEC, change the <smtp_server> setting to localhost. For example:
[[code]]
<global>
    <email_notification>yes</email_notification>
    <email_to>user@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>user@example.com</email_from>
</global>
[[/code]]

OSSEC does not send real-time alerts by default, but this tutorial calls for real-time notifications, so that’s one aspect that you’re going to modify.

If you still aren’t receiving expected emails from OSSEC, check the log at /var/ossec/logs/ossec.log for mail errors.

Example mail errors:

[[code]]
2014/12/18 17:48:35 os_sendmail(1767): WARN: End of DATA not accepted by server
2014/12/18 17:48:35 ossec-maild(1223): ERROR: Error Sending email to 74.125.131.26 (smtp server)
[[/code]]

You can use these error messages to help you debug any issues with receiving email notifications.

Frequency of scans

In the <syscheck> section of ossec.conf, which starts like this:

[[code]]
<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
[[/code]]

We will turn on alerts for new file creation. Add the line <alert_new_files>yes</alert_new_files> so that it reads like this:
[[code]]
<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <alert_new_files>yes</alert_new_files>
[[/code]]

For testing purposes, you may also want to set the frequency of the system check much lower. By default, the system check runs every 22 hours (79200 seconds); for testing, you can set it to once a minute, that is, 60 seconds. Revert this to a sane value when you are done testing.
[[code]]
<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>60</frequency>

    <alert_new_files>yes</alert_new_files>
[[/code]]

Directory and file change settings

Right after that, you should see the list of system directories that OSSEC monitors. It reads like:

[[code]]
<!-- Directories to check  (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
[[/code]]

Let’s enable real-time monitoring by adding the settings report_changes="yes" realtime="yes" to each line. Modify these lines so they read:
[[code]]
<!-- Directories to check  (perform all possible verifications) -->
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
[[/code]]

report_changes="yes" does exactly what it says. Ditto for realtime="yes".

In addition to the default list of directories that OSSEC has been configured to monitor, you can add new directories that you wish to monitor. In this next section, I’m going to tell OSSEC to monitor /home/user and /var/www. For that, I’m going to add a new line right under the existing ones, so that the section now reads:

[[code]]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[[/code]]

You should modify the directories to match your desired settings. If your user is not named user, you will want to change the path to the home directory.

For the new directories to monitor, we’ve added the restrict option, which tells OSSEC to monitor only the specified file formats. You don’t have to use that option, but it comes in handy when you have other files, like image files, that you don’t want OSSEC to alert on.

That’s all the changes for ossec.conf. Save and close the file.
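Before restarting, it helps to confirm the edits actually landed. The following is an added shell check, not part of the original post or of OSSEC itself: it greps an ossec.conf for the settings this section and the email section above ask for (a valid domain in email_from, the email_maxperhour range, alert_new_files, a non-testing frequency, and realtime plus report_changes on every directories line). The sample configuration it writes is constructed for the self-test.

```shell
# Added example, not part of the original post or of OSSEC. Checks an ossec.conf
# for the settings this tutorial adds, using grep/sed on OSSEC's one-element-
# per-line XML (good enough here; it is not a general XML parser).

# check_ossec_conf FILE: prints one line per problem, returns the problem count.
check_ossec_conf() {
    conf=$1
    fails=0
    # <email_from> needs a real domain part (user@host.tld) or some providers drop the alert.
    from=$(sed -n 's/.*<email_from>\(.*\)<\/email_from>.*/\1/p' "$conf" | head -n 1)
    case "$from" in
        *@*.*) ;;
        *) echo "email_from '$from' has no valid domain part"; fails=$((fails + 1)) ;;
    esac
    # <email_maxperhour>, when present, must be within 1..9999.
    mph=$(sed -n 's/.*<email_maxperhour>\([0-9]*\)<\/email_maxperhour>.*/\1/p' "$conf" | head -n 1)
    if [ -n "$mph" ] && { [ "$mph" -lt 1 ] || [ "$mph" -gt 9999 ]; }; then
        echo "email_maxperhour $mph is outside 1..9999"; fails=$((fails + 1))
    fi
    # Alerts on new files have to be switched on explicitly.
    if ! grep -q '<alert_new_files>yes</alert_new_files>' "$conf"; then
        echo "missing <alert_new_files>yes</alert_new_files> in <syscheck>"; fails=$((fails + 1))
    fi
    # A <frequency> under five minutes is the testing value (default is 79200 = 22 h).
    freq=$(sed -n 's/.*<frequency>\([0-9]*\)<\/frequency>.*/\1/p' "$conf" | head -n 1)
    if [ -n "$freq" ] && [ "$freq" -lt 300 ]; then
        echo "frequency is $freq seconds: revert the testing value"; fails=$((fails + 1))
    fi
    # Every <directories> line must carry realtime="yes" and report_changes="yes".
    # grep -c exits 1 on zero matches, so "|| true" keeps set -e from aborting.
    total=$(grep -c '<directories ' "$conf" || true)
    ok=$(grep '<directories ' "$conf" | grep 'realtime="yes"' | grep -c 'report_changes="yes"' || true)
    if [ "$total" -eq 0 ] || [ "$total" -ne "$ok" ]; then
        echo "$((total - ok)) of $total <directories> lines lack realtime/report_changes"; fails=$((fails + 1))
    fi
    return "$fails"
}

# write_sample_conf FILE: constructed fragment with the tutorial's changes applied
# (not a complete real ossec.conf), so the check can be tried without a server.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>user@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>user@example.com</email_from>
    <email_maxperhour>50</email_maxperhour>
  </global>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
EOF
}

# Usage: sh check.sh /var/ossec/etc/ossec.conf
if [ "$#" -eq 1 ]; then
    check_ossec_conf "$1" && echo "$1: all tutorial settings present"
fi
```

Run it against /var/ossec/etc/ossec.conf after saving; a non-zero exit lists exactly which of the tutorial's settings are still missing.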

Restart OSSEC

All that’s left now is to restart OSSEC, something that has to be done any time you modify OSSEC’s files. To restart OSSEC type:

[[code]]/var/ossec/bin/ossec-control restart[[/code]]

If all is working correctly, you should receive an email from OSSEC telling you it has started.

Triggers

Depending on what happens in the directories that OSSEC has been configured to monitor, you should receive emails like the ones shown below.

Now try creating a sample file in /home/user:

[[code]]touch /home/user/index.html[[/code]]

Wait a minute. Add some content:
[[code]]nano /home/user/index.html[[/code]]

Wait a minute. Delete the file:
[[code]]rm /home/user/index.html[[/code]]

You should start receiving notifications like this:
[[code]]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[[/code]]

Or this:
[[code]]
OSSEC HIDS Notification.
2014 Dec 01 10:13:31

Received From: ossec2->syscheck
Rule: 554 fired (level 7) -> "File added to the system."
Portion of the log(s):

New file '/var/www/header.html' added to the file system.
[[/code]]

Note: OSSEC does not send out real-time alerts on file additions, only on file modifications and deletions. Alerts on file additions go out after a full system check, which is governed by the frequency check time in ossec.conf.

[[code]]nano /var/ossec/etc/ossec.conf[[/code]]

The frequency setting:
[[code]]
<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
[[/code]]

Again, if you are not getting emails, check your /var/ossec/logs/ossec.log file for more details.
