1. Download OSSEC:

wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

tar -zxvf ossec-hids-2.7.tar.gz

cd ossec-hids-2.7

./install.sh
Controlling the service:

/var/ossec/bin/ossec-control start

/var/ossec/bin/ossec-control stop

Edit the configuration file:

vi /var/ossec/etc/ossec.conf

Installing an agent:

Authorizing agents (on the server):

/var/ossec/bin/manage_agents

  1. Add an agent: press A

  2. Extract the key for an agent: press E

CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

Copy the agent key, then log in to the agent machine and run:

/var/ossec/bin/manage_agents

a. Import the key: press I

b. Paste the key:

CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

/var/ossec/bin/ossec-control start

Now restart the server [you have to restart the server every time you add an agent].
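Before pasting an extracted key into the agent's manage_agents, it is worth confirming it was really issued for that host. This added Python example (not from the OSSEC project or the original post) decodes the exported key, which is the base64 encoding of the four space-separated fields "id name ip secret", and checks the name and address against the host you are installing on; the sample key is constructed and its hex secret is a placeholder.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample keys (not real OSSEC keys): base64 of "<id> <name> <ip> <hex secret>".
# The secret is an arbitrary 64-hex-character placeholder.
SAMPLE_KEY_B64 = base64.b64encode(b"001 linux1 192.168.0.32 " + b"9c90cec3" * 8).decode()
# Agents can also be registered with the address "any"; sample with that form:
SAMPLE_KEY_ANY_B64 = base64.b64encode(b"002 web any " + b"ab" * 32).decode()


def parse_agent_key(exported: str) -> dict:
    """Decode a key as exported by manage_agents ("E") into its fields.

    Assumed layout: base64("<id> <name> <ip|cidr|any> <hex secret>"). Any
    deviation raises ValueError so a mangled paste is caught before import.
    """
    try:
        raw = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    parts = raw.split(" ")
    if len(parts) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(parts)}")
    agent_id, name, addr, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id is not numeric: {agent_id!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError(f"agent name has unexpected characters: {name!r}")
    if addr != "any":
        ipaddress.ip_network(addr, strict=False)  # raises ValueError if malformed
    if not re.fullmatch(r"[0-9a-fA-F]+", secret):
        raise ValueError("secret is not a hex string")
    return {"id": agent_id, "name": name, "addr": addr, "secret": secret}


def key_matches_host(exported: str, expected_name: str, expected_ip: str) -> bool:
    """True if the key's name matches and its address covers this host's IP."""
    fields = parse_agent_key(exported)
    if fields["name"] != expected_name:
        return False
    if fields["addr"] == "any":
        return True
    network = ipaddress.ip_network(fields["addr"], strict=False)
    return ipaddress.ip_address(expected_ip) in network
```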

Troubleshooting:

Error executing analysisd:

There is a small bug in version 2.6: the logtest directory is missing. Run the command below to fix it.

ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest

Tips & Tricks:

**Sending email to a different address for a particular rule ID:**

<email_alerts>
  <email_to>admin@yourdomain.com</email_to>
  <rule_id>31430</rule_id>
</email_alerts>

Disable OSSEC Active Response:

Replace everything inside the active response section of ossec.conf with the following:

yes

To enable OSSEC Active Response again, just replace that part with:

host-deny local 6 600

firewall-drop local 6 600