How to Install OSSEC on Red Hat or CentOS 6

By | 2012/07/08

OSSEC is an open source centralized log monitoring and notification system. OSSEC is often used to meet PCI Compliance central logging and intrusion monitoring requirements with a free and self-managed solution. OSSEC monitors all types of logs such as syslog, apache, maillogs, mysql logs, ftp logs, cisco IOS logs, and more. I’ll show you how to install OSSEC on the latest Red Hat Linux or CentOS 6!


Note: this guide uses the following repositories:

– EPEL
– Atomicorp.com


First add the EPEL repository to meet an inotify-tools dependency.

$ sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm


Next fetch and run the atomic repository script to add their repository:

$ wget https://www.atomicorp.com/installers/atomic && sudo chmod +x atomic && sudo ./atomic

Now install the OSSEC server. Note that the client package is also available (ossec-hids-client).

$ sudo yum install ossec-hids ossec-hids-server
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
 * atomic: www6.atomicorp.com
 * base: centos.aol.com
 * epel: mirror.symnds.com
 * extras: centos.aol.com
 * updates: mirror.lug.udel.edu
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.6-14.el6.art will be installed
--> Processing Dependency: inotify-tools for package: ossec-hids-2.6-14.el6.art.x86_64
---> Package ossec-hids-server.x86_64 0:2.6-14.el6.art will be installed
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-server-2.6-14.el6.art.x86_64
--> Processing Dependency: perl(Time::HiRes) for package: ossec-hids-server-2.6-14.el6.art.x86_64
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.14-1.el6 will be installed
---> Package perl-DBD-SQLite.x86_64 0:1.27-3.el6 will be installed
---> Package perl-Time-HiRes.x86_64 4:1.9721-119.el6_1.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch        Version                   Repository   Size
================================================================================
Installing:
 ossec-hids             x86_64      2.6-14.el6.art            atomic       50 k
 ossec-hids-server      x86_64      2.6-14.el6.art            atomic      779 k
Installing for dependencies:
 inotify-tools          x86_64      3.14-1.el6                epel         46 k
 perl-DBD-SQLite        x86_64      1.27-3.el6                base         83 k
 perl-Time-HiRes        x86_64      4:1.9721-119.el6_1.1      base         46 k

Transaction Summary
================================================================================
Install       5 Package(s)

Total download size: 1.0 M
Installed size: 6.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): inotify-tools-3.14-1.el6.x86_64.rpm               |  46 kB     00:00     
(2/5): ossec-hids-2.6-14.el6.art.x86_64.rpm              |  50 kB     00:00     
(3/5): ossec-hids-server-2.6-14.el6.art.x86_64.rpm       | 779 kB     00:00     
(4/5): perl-DBD-SQLite-1.27-3.el6.x86_64.rpm             |  83 kB     00:00     
(5/5): perl-Time-HiRes-1.9721-119.el6_1.1.x86_64.rpm     |  46 kB     00:00     
--------------------------------------------------------------------------------
Total                                           953 kB/s | 1.0 MB     00:01     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 5ebd2744: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Importing GPG key 0x5EBD2744:
 Userid : Atomic Rocket Turtle 
 Package: atomic-release-1.0-14.el6.art.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6) 
 Package: epel-release-6-5.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : perl-DBD-SQLite-1.27-3.el6.x86_64                            1/5 
  Installing : inotify-tools-3.14-1.el6.x86_64                              2/5 
  Installing : ossec-hids-2.6-14.el6.art.x86_64                             3/5 
  Installing : 4:perl-Time-HiRes-1.9721-119.el6_1.1.x86_64                  4/5 
  Installing : ossec-hids-server-2.6-14.el6.art.x86_64                      5/5 

Installed:
  ossec-hids.x86_64 0:2.6-14.el6.art  ossec-hids-server.x86_64 0:2.6-14.el6.art 

Dependency Installed:
  inotify-tools.x86_64 0:3.14-1.el6                                             
  perl-DBD-SQLite.x86_64 0:1.27-3.el6                                           
  perl-Time-HiRes.x86_64 4:1.9721-119.el6_1.1                                   

Complete!
$

Start the server with:

[stmiller@centos ~]$ sudo service ossec-hids start
Starting ossec-hids:                                       [  OK  ]
[stmiller@centos ~]$ 

Ok, now what!?

OSSEC at initial install is very much a clean slate. Which hosts it collects from, which types of logs it monitors, and how email notifications are sent all have to be configured to match the environment or the company’s needs.

The above packages put their files, including the configuration, in the following two locations:

[stmiller@centos ~]$ sudo ls /usr/share/ossec/contrib/
add_localfile.sh    ossec2mysql.conf  ossec-batch-manager.pl   ossectop.pl
compile_alerts.pl   ossec2mysqld.pl   ossecmysql.pm
compile_alerts.txt  ossec2mysql.pl    ossec_report_contrib.pl
config2xml          ossec2mysql.sql   ossec_report.txt

[stmiller@centos ~]$ sudo ls /var/ossec/
active-response  agentless  bin  etc  logs  queue  rules  stats  tmp  var

The main config file is:

/var/ossec/etc/ossec.conf


Agent vs Agentless

OSSEC can collect data via two different methods, agent and agentless:

http://www.ossec.net/doc/manual/agent/index.html

The easiest setup is to use agents, in which a unique ID and key are set up for each host for easy management. Agents also provide the most comprehensive monitoring and are in general the way to go. Agents work in DHCP environments as well. UDP port 1514 is the only port OSSEC needs to open on the server side; if there is a firewall between the OSSEC server and its agents, open UDP 1514.

Below is the documentation on setting up agentless monitoring. Note the limitations of agentless monitoring (no log monitoring at this time):

http://www.ossec.net/doc/manual/agent/agentless-monitoring.html

Ok that should help get OSSEC installed and whet your appetite! To continue with configuration, see this excellent doc.
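As an added example (not from the original post or the OSSEC project), here is a minimal ossec.conf covering the three things the text says have to be configured: email notification, the agent listener on UDP 1514, and which logs on the server itself are monitored. The addresses, SMTP host and log paths are placeholders for your environment; edit the matching sections of the packaged /var/ossec/etc/ossec.conf rather than replacing the whole file.

```xml
<ossec_config>
  <global>
    <!-- email notification: who receives alerts and which mail relay to use -->
    <email_notification>yes</email_notification>
    <email_to>security-team@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@ossec-server.example.com</email_from>
  </global>

  <alerts>
    <!-- log every alert of level 1 and up, but only mail level 7 and up to avoid noise -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <remote>
    <!-- encrypted agent connections on UDP 1514, the one port to open on the server firewall -->
    <connection>secure</connection>
    <port>1514</port>
  </remote>

  <localfile>
    <!-- logs on the server itself: authentication events and the Apache access log -->
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
</ossec_config>
```

After editing, restart with sudo service ossec-hids restart; agents are then registered with /var/ossec/bin/manage_agents, which issues the per-host ID and key mentioned above.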


Web Interface

OSSEC has an optional web interface. By popular demand, here are some quick setup instructions! I will elaborate later if needed.

1.

$ wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz

2.

$ tar xvf ossec-wui-0.3.tar.gz

$ sudo mv ossec-wui-0.3 /var/www/html/ossec-wui

3.

$ cd /var/www/html/ossec-wui 
$ sudo ./setup.sh

4.

$ sudo gpasswd -a apache ossec
Adding user apache to group ossec

5.

$ sudo -s

# cd /var/ossec

# chmod 770 tmp/
# chgrp apache tmp/

6.

$ sudo /etc/init.d/ossec-hids restart
Starting ossec-hids:                                       [  OK  ]

7.

$ sudo /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Now the Web interface is available at:

http://host_or_ip/ossec-wui/

[Screenshot: OSSEC web interface]