OSSEC 101: Server Installation

Things to keep in mind:

Many of the OSSEC daemons chroot to the installation directory (/var/ossec is the default, and is the reference directory for this document). All logs are currently kept in the /var/ossec/logs directory. Some log files are rotated daily, but OSSEC does not move logs outside of /var/ossec/logs. Depending on a number of factors these logs can become large, so make sure you have enough space to store the logs you want to keep.

Related to the amount of storage space you give to OSSEC is the “events per second” (EPS) you expect to receive. Michael Starks has provided a script to determine EPS in a blog post: 3WoO Day 2: Calculating Your EPS. There has not been any formal load testing on OSSEC, but some informal testing has shown a local installation can handle 11,000 EPS. (email by Christopher Moraes) This test was done under mostly ideal conditions, but we would be interested in hearing performance reports from other users.

The number of rules and agents can also affect the speed of the OSSEC manager, and the amount of space necessary to hold the logs. More agents means more logs.

Installation process:

  • Download the OSSEC tarball and pgp/gnupg signature from ossec.net.
[Screenshot: OSSEC download]
  • Use GnuPG or PGP to verify the download. Use gpg --import OSSEC-GPG-Key.asc to import the OSSEC gpg key, then gpg --verify ossec-hids-2.6.tar.gz.sig ossec-hids-2.6.tar.gz to verify the signature and file.
gpg --import OSSEC-GPG-Key.asc && gpg --verify ossec-hids-2.6.tar.gz.sig ossec-hids-2.6.tar.gz
  • Unpack the tarball with tar -zxf ossec-hids-2.6.tar.gz, change into the new directory, and run the install.sh script to perform the installation:
tar -zxf ossec-hids-2.6.tar.gz && cd ossec-hids-2.6 && ./install.sh
  • If you wish to output alert information to a database (MySQL or PostgreSQL) or to Prelude, run the appropriate make command in the src directory: make setdb for database output, or make setprelude for Prelude.
  • Verify the information and press ENTER. System should detail the operating system and platform, User should be the current user, and Host should display the hostname.
[Screenshot: OSSEC installation information]
  • The installation type for this install will be server, and we are using the default install directory. It should be possible to install OSSEC anywhere on the system, but selecting the default will be easiest. Items inside the brackets are the default answers.
[Screenshot: OSSEC installation questions]
  • This installation will be configured to send email notifications and to run the integrity check daemon and the rootkit detection engine.
[Screenshot: OSSEC more installation questions]
  • We will be disabling active response for now. Active response deserves its own section, and will be covered later.
[Screenshot: OSSEC disable active response]
  • We will also disable remote syslog (using OSSEC’s syslog will be covered later). The script then lists the log files it will analyze in addition to the typical ones; in this case it includes a Debian-specific log file.
[Screenshot: OSSEC disable syslog]
  • At this point OSSEC will be compiled. After compilation has completed, the script provides more information:
[Screenshot: OSSEC post installation message]
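The download, verification and install steps above are usually typed one at a time, which makes it easy to run install.sh even when gpg reported a bad signature. The script below is an added example (not part of this page or of the OSSEC project) that chains the steps so the installer only runs after gpg accepts the detached signature. It assumes gpg is installed and that the tarball, its .sig file and OSSEC-GPG-Key.asc have already been downloaded into the current directory; the version string 2.6 matches the page and the OSSEC_VERSION variable and --install flag are this script's own conventions.

```shell
#!/bin/sh
# Added example, not OSSEC project code: gate ./install.sh on a successful
# GPG verification of the release tarball. Assumes gpg is on PATH and the
# tarball, its .sig and OSSEC-GPG-Key.asc are in the current directory.
set -eu

OSSEC_VERSION="${OSSEC_VERSION:-2.6}"          # version used on this page
TARBALL="ossec-hids-${OSSEC_VERSION}.tar.gz"
KEYFILE="OSSEC-GPG-Key.asc"

# import_release_key KEYFILE: load the OSSEC signing key into the keyring.
import_release_key() {
    gpg --import "$1"
}

# verify_release SIG TARBALL: return 0 only if gpg accepts the detached
# signature for the tarball. gpg exits non-zero on a bad signature, an
# unknown key, or an unreadable file, so the exit status alone can gate
# the install. The readability check lets this fail cleanly even where
# gpg is not installed.
verify_release() {
    sig="$1"
    file="$2"
    [ -r "$sig" ] && [ -r "$file" ] || return 1
    gpg --verify "$sig" "$file"
}

# install_from_tarball TARBALL: unpack and run the interactive installer,
# but only after verify_release succeeded; otherwise leave the tarball
# untouched and report the failure.
install_from_tarball() {
    file="$1"
    verify_release "${file}.sig" "$file" || {
        echo "signature verification FAILED for $file; not installing" >&2
        return 1
    }
    tar -zxf "$file"
    dir="${file%.tar.gz}"
    (cd "$dir" && ./install.sh)
}

main() {
    import_release_key "$KEYFILE"
    install_from_tarball "$TARBALL"
}

# Run the full sequence only when invoked as `sh this_script.sh --install`;
# sourcing the file just defines the functions.
if [ "${1:-}" = "--install" ]; then
    main
fi
```

One caveat worth knowing when reading the gpg output: gpg --verify exits 0 for a valid signature made by any key in your keyring, including a freshly imported one it has never been told to trust (it prints a "WARNING: This key is not certified" line but still succeeds). The exit status therefore proves the tarball matches the signature, not that the key is OSSEC's; compare the imported key's fingerprint (gpg --fingerprint) against the one the project publishes before relying on the verification.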

Adding an agent:

  • Adding agents is done with the manage_agents application:
cd /var/ossec/bin && ./manage_agents
  • The manage_agents menu is simple, enter a to add an agent:
[Screenshot: add an agent with a]
  • Enter the agent’s information. In the IP address field a CIDR (192.168.1.0/24) or any can be used:
[Screenshot: OSSEC manage_agents agent information]
  • After confirming the addition, manage_agents will notify you that the OSSEC processes must be restarted:
[Screenshot: OSSEC manage_agents exit]

Note

Restarting the OSSEC processes is only necessary for the initial agent. While subsequent additions will still give the message, the restart is not necessary.

  • Restarting the OSSEC processes:
cd /var/ossec/bin && ./ossec-control restart