OSSEC
OSSEC Comprehensive Guide & Cheat Sheet
Introduction to OSSEC
OSSEC (Open Source Security Event Correlator) is a powerful, open-source, host-based intrusion detection system (HIDS). It provides log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response across multiple platforms (Linux, Windows, macOS, Solaris, BSD).
Architecture & Components
OSSEC uses a client-server (manager-agent) architecture:
Manager (Server): Central component that receives, stores, and analyzes data from agents and other sources. It generates alerts and manages responses.
Agents: Installed on monitored endpoints. They collect logs, monitor files, and send data to the manager.
Agentless Monitoring: For devices that cannot run an agent (e.g., routers, switches), OSSEC can collect logs via SSH, WMI, or syslog.
Decoders: Parse and normalize log messages.
Rules: Define what constitutes suspicious or malicious activity.
Active Responses: Automated actions triggered by specific events (e.g., block IP, disable account).
Key Features
Log Analysis: Real-time analysis of logs from various sources (syslog, Windows Event Logs, application logs).
File Integrity Monitoring (FIM): Detects unauthorized changes to critical files.
Rootkit Detection: Scans for rootkits and suspicious binaries.
Registry Monitoring: Monitors Windows registry changes.
Real-Time Alerting: Immediate notification of security events.
Active Response: Automated mitigation actions.
Centralized Management: Unified policy enforcement and alerting.
Installation & Deployment
Supported Platforms
Linux/Unix: Most distributions supported.
Windows: All major versions.
macOS, Solaris, BSD: Supported.
Deployment Scenarios
Single Host: Manager and agent on the same machine.
Distributed: Central manager with multiple agents across the network.
Agentless: For devices that cannot run an agent.
Installation Steps (Linux Example)
Download OSSEC:
wget https://github.com/ossec/ossec-hids/archive/master.tar.gz
tar -zxvf master.tar.gz
cd ossec-hids-*
Run Installer:
sudo ./install.sh
Choose "server" or "agent" as appropriate.
Configure Firewall: Allow communication on the default port (1514/UDP).
Start OSSEC:
sudo /var/ossec/bin/ossec-control start
Agent Registration: On the manager, add agents and provide keys for secure communication.
For Windows, use the provided installer and follow the GUI prompts.
Large-Scale/Automated Deployment
Use configuration management tools (Ansible, Puppet, Chef).
For agentless, configure SSH/WMI access.
Configuration Essentials
ossec.conf Overview
The main configuration file is /var/ossec/etc/ossec.conf. It is XML-based and controls all aspects of OSSEC.
Key Sections:
<global>: General settings.
<rules>: Rule files to load.
<decoders>: Decoder files to load.
<active-response>: Automated response actions.
<syscheck>: File integrity monitoring.
<rootcheck>: Rootkit detection.
<alerts>: Alerting configuration.
Example ossec.conf Snippet
<ossec_config>
  <global>
    <!-- Email alerting needs a relay and a sender address as well as a recipient -->
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <rules>
    <include>rules/local_rules.xml</include>
  </rules>
  <!-- An active response refers to a <command> by name, so that command must be defined -->
  <command>
    <name>firewalldrop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewalldrop</command>
    <location>local</location>
    <level>10</level>
  </active-response>
  <syscheck>
    <!-- scan interval in seconds; check_all enables every checksum and attribute check -->
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
Rules
Location:
/var/ossec/etc/rules/
Format: XML
Purpose: Define what log patterns trigger alerts.
Customization: Add custom rules for your environment. Always back up custom rules before upgrades.
Example Rule
<group name="local,syslog,sshd,">
  <!-- frequency and timeframe are attributes of <rule>: fire on the 5th match within 60 seconds -->
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <decoded_as>sshd</decoded_as>
    <!-- a composite rule counts prior matches; here, the stock sshd failure rules grouped as authentication_failed -->
    <if_matched_group>authentication_failed</if_matched_group>
    <!-- only count matches that share the same source IP -->
    <same_source_ip />
    <description>Multiple failed SSH login attempts</description>
    <group>authentication_failures,</group>
  </rule>
</group>
Decoders
Location:
/var/ossec/etc/decoders/
Purpose: Parse and extract fields from log messages.
Customization: Write custom decoders for unique log formats. Back up before upgrades.
Example Decoder
<decoder name="custom-ssh">
  <!-- only applied to lines whose syslog program name is sshd -->
  <program_name>sshd</program_name>
  <!-- OSSEC regex dialect: \w+ captures the user name, \d+\.\d+\.\d+\.\d+ the IPv4 address -->
  <regex>Failed password for (\w+) from (\d+\.\d+\.\d+\.\d+)</regex>
  <!-- capture groups are assigned to these fields in order -->
  <order>user, srcip</order>
</decoder>
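To make the decoder and rule semantics above concrete, here is an added example (not code from the OSSEC project) that mirrors the custom-ssh decoder with a Python regular expression and then applies the rule 100001 logic: count decoded failures per source IP, drop hits older than the 60-second timeframe, and fire at the 5th hit. The log lines are constructed for the example; Python's `re` is used in place of OSSEC's own regex dialect, and the pattern is widened to also accept "invalid user" lines, which the page's decoder does not match. Clearing the window after a rule fires is this example's choice so that one burst produces one alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (not captured data): one brute-force burst from 203.0.113.7,
# a successful key login, and two widely spaced failures from 198.51.100.9.
SAMPLE_LOG = """\
Jan 15 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 15 10:00:03 bastion sshd[2202]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jan 15 10:00:05 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jan 15 10:00:06 bastion sshd[2204]: Accepted publickey for deploy from 198.51.100.4 port 4000 ssh2
Jan 15 10:00:08 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jan 15 10:00:10 bastion sshd[2206]: Failed password for alice from 198.51.100.9 port 6000 ssh2
Jan 15 10:00:12 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 50126 ssh2
Jan 15 10:01:30 bastion sshd[2208]: Failed password for alice from 198.51.100.9 port 6001 ssh2
Jan 15 10:02:00 bastion sshd[2209]: Failed password for root from 203.0.113.7 port 50127 ssh2
"""

# Python counterpart of the page's custom-ssh decoder (Python re syntax, not OSSEC os_regex).
# Widened with an optional "invalid user " prefix, which sshd emits for unknown accounts.
DECODER_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+)"
)

# Parameters copied from the page's rule 100001.
RULE_ID = 100001
LEVEL = 10
FREQUENCY = 5
TIMEFRAME = 60  # seconds


def decode(line, year=2024):
    """Return the fields the decoder would extract, or None if the line does not match."""
    m = DECODER_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumed here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "user": m["user"], "srcip": m["srcip"]}


def decode_log(text):
    """Decode every matching line of a log excerpt, in order."""
    return [e for e in (decode(line) for line in text.splitlines()) if e]


def correlate(events):
    """Apply frequency/timeframe/same_source_ip over decoded events (assumed sorted by time)."""
    window = defaultdict(deque)  # srcip -> timestamps of recent hits
    alerts = []
    for ev in events:
        hits = window[ev["srcip"]]
        hits.append(ev["timestamp"])
        # evict hits that fell out of the timeframe
        while hits and (ev["timestamp"] - hits[0]).total_seconds() > TIMEFRAME:
            hits.popleft()
        if len(hits) >= FREQUENCY:
            alerts.append({
                "rule": RULE_ID,
                "level": LEVEL,
                "srcip": ev["srcip"],
                "hits": len(hits),
                "time": ev["timestamp"].isoformat(sep=" "),
            })
            hits.clear()  # one alert per burst (design choice of this example)
    return alerts


if __name__ == "__main__":
    for alert in correlate(decode_log(SAMPLE_LOG)):
        print(f"rule {alert['rule']} level {alert['level']}: "
              f"{alert['hits']} failures from {alert['srcip']} by {alert['time']}")
```

Running the file reports a single alert for 203.0.113.7 at 10:00:12; the two failures from 198.51.100.9 are 80 seconds apart, so the first is evicted before the second is counted, and the lone failure at 10:02:00 starts a fresh window. The same sample lines can be fed to ossec-logtest to compare against the real decoder and rule.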
Active Responses
Purpose: Automate mitigation (e.g., block IP, disable user).
Configuration: Each response goes in its own <active-response> block in ossec.conf.
Key Options:
command: The script or action to run (the name of a <command> definition in ossec.conf).
location: Where to execute (local, server, agent).
level: Minimum alert level to trigger.
timeout: How long the response lasts.
Example Active Response
<active-response>
  <command>firewalldrop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>
Monitoring & Log Analysis
Log Sources: Internal logs, Windows Event Logs, syslog, application logs.
Logcollector: Collects events from sources.
Analysisd: Decodes, filters, and classifies events in real time.
Supported Formats: syslog, snort, squid, IIS, MySQL, PostgreSQL, Apache, and more.
Capabilities: Detects attacks, misuse, policy violations, and system errors.
Alerting & Response
Real-Time Alerts: Immediate notification via email, syslog, or custom scripts.
Alert Levels: 0 (ignore) to 15 (critical).
Active Response: Automated actions (e.g., block IP, restart service).
Centralized Policy Enforcement: Uniform security policies across all monitored devices.
Integration with Other Tools & SIEM
SIEM Integration: OSSEC can send logs/alerts to SIEMs like ELK Stack (Elasticsearch, Logstash, Kibana), Graylog, and Splunk for advanced analysis and visualization.
Other Security Tools: Integrates with Snort, Suricata, Zeek for network security monitoring.
Log Management: Centralized log collection and advanced search via Graylog or Elastic Stack.
Community Support: Strong community for plugins, integrations, and troubleshooting.
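The alert levels and SIEM integration points above come together when alerts leave the manager. The following added example (not OSSEC project code) parses a constructed excerpt in the layout OSSEC writes to alerts.log, maps each alert's level onto the page's bands (0 ignore, 1-3 low, 4-7 medium, 8-15 high), and emits one JSON object per alert, the shape a Logstash, Graylog or Splunk input can consume. The sample alerts, hosts and addresses are constructed for illustration.

```python
import json
import re

# Constructed excerpt in the alerts.log layout: a header line with epoch id and groups,
# a source line, a rule line, optional "Src IP:"/"User:" fields, then the raw log.
# Hosts, addresses and the events themselves are illustrative, not captured data.
SAMPLE_ALERTS_LOG = """\
** Alert 1705312812.4096: - syslog,sshd,authentication_failures,
2024 Jan 15 10:00:12 (bastion) 10.0.0.12->/var/log/auth.log
Rule: 100001 (level 10) -> 'Multiple failed SSH login attempts'
Src IP: 203.0.113.7
User: root
Jan 15 10:00:12 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 50126 ssh2

** Alert 1705313000.8192: mail  - ossec,syscheck,
2024 Jan 15 10:03:20 manager->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1705313100.9000: - syslog,errors,
2024 Jan 15 10:05:00 (webfront) 10.0.0.20->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jan 15 10:05:00 webfront kernel: [1234.56] constructed error text
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>.*)$")
# agent alerts read "(agent) ip->location"; alerts raised on the manager itself read "host->location"
SOURCE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d\d:\d\d:\d\d) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>\S+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def severity_band(level):
    """Map an OSSEC alert level (0-15) onto the bands used in the cheat sheet."""
    if level == 0:
        return "ignore"
    if level <= 3:
        return "low"
    if level <= 7:
        return "medium"
    return "high"


def parse_alert(block):
    """Parse one blank-line-delimited alert record; return None if the record is malformed."""
    lines = block.strip().splitlines()
    if len(lines) < 3:
        return None
    h, s, r = HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]), RULE_RE.match(lines[2])
    if not (h and s and r):
        return None
    level = int(r["level"])
    rec = {
        "timestamp": int(h["epoch"]),
        "mail": h["mail"] is not None,           # manager flagged this alert for email
        "groups": [g for g in h["groups"].split(",") if g],
        "agent": s["agent"] or s["host"],
        "agent_ip": s["ip"],                     # None for alerts raised on the manager
        "location": s["location"],
        "rule_id": int(r["id"]),
        "level": level,
        "band": severity_band(level),
        "description": r["desc"],
        "srcip": None,
        "user": None,
        "raw": [],
    }
    for line in lines[3:]:
        if line.startswith("Src IP: "):
            rec["srcip"] = line[len("Src IP: "):]
        elif line.startswith("User: "):
            rec["user"] = line[len("User: "):]
        else:
            rec["raw"].append(line)
    return rec


def parse_alerts(text):
    """Split an alerts.log excerpt on blank lines and parse every well-formed record."""
    return [a for a in (parse_alert(b) for b in re.split(r"\n\s*\n", text.strip())) if a]


def to_json_lines(alerts):
    """One JSON document per line, ready for a file or TCP input on the SIEM side."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_json_lines(parse_alerts(SAMPLE_ALERTS_LOG)):
        print(line)
```

Pointing `parse_alerts` at the real file under /var/ossec/logs/ and shipping the JSON lines gives the SIEM structured fields (rule id, level, band, agent, source IP) to filter and dashboard on, instead of multi-line text to re-parse. The band field is where a triage policy attaches: "high" alerts page someone, "medium" go to a review queue, "low" are kept for trend analysis.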
Maintenance, Troubleshooting & Best Practices
Troubleshooting
Identify Problems: Check logs in /var/ossec/logs/ for errors.
Systematic Approach: Isolate the issue (agent, manager, network).
Diagnostic Tools: Use OSSEC's built-in tools and system utilities.
Common Issues: Agent connectivity, rule misconfiguration, permission errors.
Maintenance
Preventive: Regularly update OSSEC, review rules/decoders, and back up configurations.
Corrective: Address alerts and incidents promptly, verify system integrity.
Routine: Clean up old logs, rotate log files, and monitor system performance.
Best Practices
Backup: Always back up custom rules, decoders, and configuration files before upgrades.
Least Privilege: Run OSSEC with minimal required permissions.
Regular Updates: Keep OSSEC and all dependencies up to date.
Training: Ensure staff are trained on OSSEC operation and incident response.
Feedback Loops: Review and refine rules based on incident feedback.
Community & Resources
Official Website: ossec.github.io
GitHub: github.com/ossec/ossec-hids
Forums: OSSEC Google Group, Stack Overflow, Reddit
Documentation: OSSEC Documentation
Related Projects: Wazuh (OSSEC fork with extended features)
Blogs & Case Studies: Search for real-world use cases and example configurations on GitHub, company blogs, and security forums.
Quick Reference Cheat Sheet
Common Commands
Start OSSEC: sudo /var/ossec/bin/ossec-control start
Stop OSSEC: sudo /var/ossec/bin/ossec-control stop
Restart OSSEC: sudo /var/ossec/bin/ossec-control restart
Manage agent keys (add/remove/list): sudo /var/ossec/bin/manage_agents
List connected agents: sudo /var/ossec/bin/agent_control -l
Test log messages against rules/decoders: sudo /var/ossec/bin/ossec-logtest
Key File Locations
Main configuration file: /var/ossec/etc/ossec.conf
Rule files: /var/ossec/etc/rules/
Decoder files: /var/ossec/etc/decoders/
Log files: /var/ossec/logs/
Active response scripts: /var/ossec/active-response/
Alert Levels
0: Ignore
1-3: Low (informational)
4-7: Medium (suspicious)
8-15: High (attack/critical)