OSSEC 101: Installation
What are the different types of installations?
- local - A local installation includes everything necessary to monitor a single system. For local installations an agent is not necessary. Most of the documentation for the server installation is also applicable to the local install.
- server - A server installation is useful for monitoring multiple systems. It helps centralize configuration and analysis. Agents pass log messages and syscheck information to the server for analysis. OSSEC servers are often referred to as managers to help avoid confusion. Servers should always have agents associated with them. A server install requires a unix-like system, various Linux distributions being the best tested.
- agent - An agent is a client system being monitored by an OSSEC manager. The OSSEC agent processes will forward information to the manager for analysis. Agents can be unix-like systems or Windows systems.
- agentless - This isn't really a type of OSSEC installation, but an option for monitoring embedded systems, or other systems where a full OSSEC installation doesn't make sense.
- hybrid - A hybrid installation is both a server and an agent. This allows for a tiered architecture of agents pushing to servers which forward alerts on to other servers for consolidation.
What type of installation should I perform ...
- This depends on what your requirements are.
- Is this a standalone system? local
- Do you want to monitor a large number of systems from a central location? Install a central server and perform agent installations on the clients.
- Windows system? agent
What type of installation should I perform on my single webserver?
If you are installing OSSEC on only one system you should use the local installation. You will not need to add an agent or perform any other installations.
What are the installation pre-requisites?
The installation pre-requisites are pretty simple and depend on the type of installation. All installation types require gcc and the basic development libraries.
Server and local installs may require either MySQL or PostgreSQL client libraries if you plan on logging to a database. The OpenSSL development libraries are required for ossec-authd support.
Agent installs require the OpenSSL development libraries for agent-auth support.
Hybrid installs require everything the server and agent installs require.
Prelude output will require the prelude development libraries.
Debian packages:
build-essential make [libssl-dev] [libmysqlclient-dev] [libpq-dev] [XXX prelude libs] [XXX inotify stuff]
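As an added example (not part of the OSSEC documentation), the POSIX sh helper below maps an install type to the Debian packages listed above and checks a host for the compiler, make and the OpenSSL headers before the installer is run. The function names, the `mysql|postgresql|none` argument, and the `/usr/include` header path are assumptions made for illustration; the prelude and inotify packages left as XXX above are not covered.

```sh
#!/bin/sh
# Added example, not from the OSSEC docs: map an OSSEC install type to the
# Debian build prerequisites listed on this page and check a host for them.

# Print the Debian packages for an install type.
#   $1 = local | server | agent | hybrid
#   $2 = mysql | postgresql | none   (database alert logging; not for agents)
#   $3 = yes | no   (ossec-authd / agent-auth support, which needs OpenSSL)
ossec_prereqs() {
    itype="$1"; db="${2:-none}"; with_auth="${3:-yes}"
    pkgs="build-essential make"
    case "$itype" in
        local|server|hybrid)
            if [ "$with_auth" = "yes" ]; then pkgs="$pkgs libssl-dev"; fi
            case "$db" in
                mysql)      pkgs="$pkgs libmysqlclient-dev" ;;
                postgresql) pkgs="$pkgs libpq-dev" ;;
                none)       ;;
                *) echo "unknown database: $db" >&2; return 1 ;;
            esac
            ;;
        agent)
            # Agents never log to a database; OpenSSL is only for agent-auth.
            if [ "$with_auth" = "yes" ]; then pkgs="$pkgs libssl-dev"; fi
            ;;
        *)
            echo "unknown install type: $itype" >&2
            return 1
            ;;
    esac
    echo "$pkgs"
}

# Check the local build environment. Same arguments as ossec_prereqs, plus
#   $4 = include directory to look for OpenSSL headers in (assumed /usr/include)
# Prints the missing items on stdout and returns 1 if anything is missing.
check_build_env() {
    with_auth="${3:-yes}"
    incdir="${4:-/usr/include}"
    missing=""
    for tool in gcc make; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    # ossec-authd / agent-auth can only be built when the OpenSSL headers exist.
    if [ "$with_auth" = "yes" ] && [ ! -f "$incdir/openssl/ssl.h" ]; then
        missing="$missing openssl-headers"
    fi
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Usage: sh ossec_prereqs.sh <type> [mysql|postgresql|none] [yes|no]
if [ $# -gt 0 ]; then
    echo "Packages: $(ossec_prereqs "$@")"
    if check_build_env "$@"; then echo "Build environment looks complete"; fi
fi
```

Run it with the install type you plan to perform before starting the installer; a non-zero exit lists what is still missing so the build does not fail half way through.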
Redhat Enterprise Linux/CentOS packages:
gcc inotify-tools-devel XXX
Solaris 8, 9, 10:
SUNWxcu4 SUNWsprot SUNWtoo SUNWbtool
SUNWxcu4 will create /usr/xpg4/bin/. Also make sure you have /usr/ccs/bin/make and /usr/ucb/bin/cc (compiler).
Mac OS X Lion issues:
OS X Lion primarily uses llvm for compilation, but there appears to be an issue with the inline assembly support. Use gcc to compile OSSEC.
OpenBSD:
A default installation of OpenBSD should include everything necessary to perform an installation of OSSEC.