How to Install OSSEC on Red Hat or CentOS 6

By | 2012/07/08

OSSEC is an open source centralized log monitoring and notification system. OSSEC is often used to meet PCI compliance requirements for central logging and intrusion monitoring with a free, self-managed solution. OSSEC monitors all types of logs, such as syslog, Apache, mail logs, MySQL logs, FTP logs, Cisco IOS logs, and more. I’ll show you how to install OSSEC on the latest Red Hat Linux or CentOS 6!


Note: this guide uses the following repositories:

– EPEL
– Atomicorp.com


First add the EPEL repository to meet an inotify-tools dependency.

$ sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm


Next fetch and run the atomic repository script to add their repository:

$ wget https://www.atomicorp.com/installers/atomic && sudo chmod +x atomic && sudo ./atomic

Now install the OSSEC server. Note that a client package is also available (ossec-hids-client).

$ sudo yum install ossec-hids ossec-hids-server
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
 * atomic: www6.atomicorp.com
 * base: centos.aol.com
 * epel: mirror.symnds.com
 * extras: centos.aol.com
 * updates: mirror.lug.udel.edu
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.6-14.el6.art will be installed
--> Processing Dependency: inotify-tools for package: ossec-hids-2.6-14.el6.art.x86_64
---> Package ossec-hids-server.x86_64 0:2.6-14.el6.art will be installed
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-server-2.6-14.el6.art.x86_64
--> Processing Dependency: perl(Time::HiRes) for package: ossec-hids-server-2.6-14.el6.art.x86_64
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.14-1.el6 will be installed
---> Package perl-DBD-SQLite.x86_64 0:1.27-3.el6 will be installed
---> Package perl-Time-HiRes.x86_64 4:1.9721-119.el6_1.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch        Version                   Repository   Size
================================================================================
Installing:
 ossec-hids             x86_64      2.6-14.el6.art            atomic       50 k
 ossec-hids-server      x86_64      2.6-14.el6.art            atomic      779 k
Installing for dependencies:
 inotify-tools          x86_64      3.14-1.el6                epel         46 k
 perl-DBD-SQLite        x86_64      1.27-3.el6                base         83 k
 perl-Time-HiRes        x86_64      4:1.9721-119.el6_1.1      base         46 k

Transaction Summary
================================================================================
Install       5 Package(s)

Total download size: 1.0 M
Installed size: 6.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): inotify-tools-3.14-1.el6.x86_64.rpm               |  46 kB     00:00     
(2/5): ossec-hids-2.6-14.el6.art.x86_64.rpm              |  50 kB     00:00     
(3/5): ossec-hids-server-2.6-14.el6.art.x86_64.rpm       | 779 kB     00:00     
(4/5): perl-DBD-SQLite-1.27-3.el6.x86_64.rpm             |  83 kB     00:00     
(5/5): perl-Time-HiRes-1.9721-119.el6_1.1.x86_64.rpm     |  46 kB     00:00     
--------------------------------------------------------------------------------
Total                                           953 kB/s | 1.0 MB     00:01     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 5ebd2744: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Importing GPG key 0x5EBD2744:
 Userid : Atomic Rocket Turtle 
 Package: atomic-release-1.0-14.el6.art.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6) 
 Package: epel-release-6-5.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : perl-DBD-SQLite-1.27-3.el6.x86_64                            1/5 
  Installing : inotify-tools-3.14-1.el6.x86_64                              2/5 
  Installing : ossec-hids-2.6-14.el6.art.x86_64                             3/5 
  Installing : 4:perl-Time-HiRes-1.9721-119.el6_1.1.x86_64                  4/5 
  Installing : ossec-hids-server-2.6-14.el6.art.x86_64                      5/5 

Installed:
  ossec-hids.x86_64 0:2.6-14.el6.art  ossec-hids-server.x86_64 0:2.6-14.el6.art 

Dependency Installed:
  inotify-tools.x86_64 0:3.14-1.el6                                             
  perl-DBD-SQLite.x86_64 0:1.27-3.el6                                           
  perl-Time-HiRes.x86_64 4:1.9721-119.el6_1.1                                   

Complete!
$

Start the server with:

[stmiller@centos ~]$ sudo service ossec-hids start
Starting ossec-hids:                                       [  OK  ]
[stmiller@centos ~]$ 

Ok, now what!?

OSSEC at initial install is very much a clean slate. Which hosts it collects from, what types of logs it reads, and how email notifications are sent must all be configured to fit the environment’s or company’s needs.

From the above packages, configuration files are located in the following two locations:

[stmiller@centos ~]$ sudo ls /usr/share/ossec/contrib/
add_localfile.sh    ossec2mysql.conf  ossec-batch-manager.pl   ossectop.pl
compile_alerts.pl   ossec2mysqld.pl   ossecmysql.pm
compile_alerts.txt  ossec2mysql.pl    ossec_report_contrib.pl
config2xml          ossec2mysql.sql   ossec_report.txt

[stmiller@centos ~]$ sudo ls /var/ossec/
active-response  agentless  bin  etc  logs  queue  rules  stats  tmp  var

The main config file is:

/var/ossec/etc/ossec.conf
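The contrib directory listed above ships an add_localfile.sh; as an added example that is not the post’s script and not the OSSEC project’s, here is a small POSIX shell helper that appends a `<localfile>` block (the element OSSEC reads for each monitored log file, with its `log_format` and `location`) to ossec.conf without ever duplicating an entry. The function names, the `OSSEC_CONF` variable and the constructed demo configuration are assumptions of this example; it edits only a temporary copy unless you point it at the real file.

```shell
#!/bin/sh
# Added example (not from the post or the OSSEC project): add a <localfile>
# entry to ossec.conf only if that location is not already monitored.
# Function names and the OSSEC_CONF default are assumptions of this example.
set -e

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Print the <localfile> block OSSEC expects for one log file.
# $1 = log format (syslog, apache, mysql_log, ...), $2 = path to the file
localfile_block() {
  printf '  <localfile>\n    <log_format>%s</log_format>\n    <location>%s</location>\n  </localfile>\n' "$1" "$2"
}

# Return 0 if $2 (a path) already appears as a <location> in $1 (the conf file).
has_location() {
  grep -q "<location>$2</location>" "$1"
}

# Insert the block for format $2 / path $3 just before the LAST </ossec_config>
# in $1 (the packaged ossec.conf can contain several <ossec_config> sections).
add_localfile() {
  conf="$1"; fmt="$2"; path="$3"
  if has_location "$conf" "$path"; then
    echo "already monitored: $path" >&2
    return 0
  fi
  last=$(grep -n '</ossec_config>' "$conf" | tail -n 1 | cut -d: -f1)
  [ -n "$last" ] || { echo "no </ossec_config> in $conf" >&2; return 1; }
  tmp="$conf.tmp.$$"
  {
    head -n "$((last - 1))" "$conf"      # everything before the closing tag
    localfile_block "$fmt" "$path"        # the new entry
    tail -n "+$last" "$conf"              # the closing tag and anything after it
  } > "$tmp"
  mv "$tmp" "$conf"
}

# Demonstration against a constructed, minimal ossec.conf in a temp file
# (not the live /var/ossec/etc/ossec.conf).
demo_conf=$(mktemp)
printf '<ossec_config>\n  <global>\n    <email_notification>no</email_notification>\n  </global>\n</ossec_config>\n' > "$demo_conf"
add_localfile "$demo_conf" syslog /var/log/secure
add_localfile "$demo_conf" apache /var/log/httpd/access_log
add_localfile "$demo_conf" syslog /var/log/secure   # second time: reported as already monitored
cat "$demo_conf"
```

To use it on a real server, run it as root with `OSSEC_CONF=/var/ossec/etc/ossec.conf` and call `add_localfile "$OSSEC_CONF" syslog /var/log/secure`, then restart ossec-hids so the new entry is picked up. The check for an existing `<location>` is what keeps the file idempotent across repeated runs.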


Agent vs Agentless

OSSEC can collect data via two different methods, agent and agentless:

http://www.ossec.net/doc/manual/agent/index.html

The easiest setup is to use agents, in which a unique ID and key are set up for each host for easy management. Agents also provide the most comprehensive monitoring and are in general the way to go. Agents work in DHCP environments as well. UDP port 1514 is the only port OSSEC needs to open on the server side. If there is a firewall between the OSSEC server and its agents, open UDP 1514.

Below is the doc on setting up agentless monitoring. Note the limitations of agentless monitoring (no log monitoring at this time):

http://www.ossec.net/doc/manual/agent/agentless-monitoring.html

Ok that should help get OSSEC installed and whet your appetite! To continue with configuration, see this excellent doc.


Web Interface

OSSEC has an optional web interface. By popular demand, here are some quick setup instructions! I will elaborate later if needed.

1.

$ wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz

2.

$ tar xvf ossec-wui-0.3.tar.gz

$ sudo mv ossec-wui-0.3 /var/www/html/ossec-wui

3.

$ cd /var/www/html/ossec-wui 
$ sudo ./setup.sh

4.

$ sudo gpasswd -a apache ossec
Adding user apache to group ossec

5.

$ sudo -s

# cd /var/ossec

# chmod 770 tmp/
# chgrp apache tmp/

6.

$ sudo /etc/init.d/ossec-hids restart
Starting ossec-hids:                                       [  OK  ]

7.

$ sudo /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Now the Web interface is available at:

http://host_or_ip_/ossec-wui/
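Steps 4 and 5 above are the security-relevant part of the web interface setup: the httpd account gets read access to OSSEC data through the ossec group, and write access to /var/ossec/tmp only through the group bit of a 770 directory, so no other local user can reach it. As an added example that is not part of the post or of ossec-wui, here is a small check script that verifies exactly that and changes nothing; the function names, the default user/group values and the `OSSEC_TMP` variable are assumptions, and it relies on GNU stat as found on RHEL/CentOS.

```shell
#!/bin/sh
# Added example (not from the post or ossec-wui): verify the permission changes
# from steps 4 and 5 without modifying anything. Names below are assumptions.
set -e

# Octal mode and group name of a path (GNU stat, as on RHEL/CentOS).
mode_of()  { stat -c '%a' "$1"; }
group_of() { stat -c '%G' "$1"; }

# Return 0 when $1 is a directory with mode exactly 770 owned by group $2.
# Anything looser (e.g. 777) or a different group fails the check.
tmp_dir_ok() {
  [ -d "$1" ] || return 1
  [ "$(mode_of "$1")" = "770" ] || return 1
  [ "$(group_of "$1")" = "$2" ] || return 1
}

# Return 0 when user $1 is a member of group $2 (what "gpasswd -a apache ossec" achieves).
in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Print one verdict line per check. $1 = OSSEC tmp dir, $2 = web user, $3 = web group.
report() {
  ossec_tmp="$1"; web_user="$2"; web_group="$3"
  if tmp_dir_ok "$ossec_tmp" "$web_group"; then
    echo "ok   $ossec_tmp is mode 770, group $web_group"
  else
    echo "FAIL $ossec_tmp should be mode 770 and group $web_group"
  fi
  if in_group "$web_user" ossec; then
    echo "ok   $web_user is a member of group ossec"
  else
    echo "FAIL $web_user is not a member of group ossec"
  fi
}

# Run against the post's defaults; override with environment variables if yours differ.
report "${OSSEC_TMP:-/var/ossec/tmp}" "${WEB_USER:-apache}" "${WEB_GROUP:-apache}"
```

Run it after step 7; a FAIL on the tmp line usually means the chmod/chgrp was done as the wrong user or on the wrong directory, and a FAIL on the group line means the httpd account was not added to the ossec group (or httpd was not restarted, since group membership is read at process start).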


16 thoughts on “How to Install OSSEC on Red Hat or CentOS 6”

  1. KJS

    @Kim @descompress Why would you install a web gui for a security application!? Edit the config files…

  2. Tommy

    We were going to look at this, but Atomic is something that we *cannot* use, it would clash with too many of our other packages. Does the RPM require a bunch of stuff from atomic repo, or is it just the one inotify requirement from EPEL? You didn’t really say where you started from above or what else you might have installed.

    ~tommy

  3. IT Master Services

    Thanks for sharing… however I am running this on a Windows network and the error I am receiving is “httpd: could not reliably determin the servers fully qualified domain name”. Any ideas…

    1. Scott Miller (post author)

      It’s a php app. So you can setup nginx with php via fastcgi as a possibility.

  4. Doc Adams

    Hey we purchased an ossec appliance (linux). Now when I got to step 6, I ran into this problem:
    [root@ossec ossec]# chgrp apache tmp/
    [root@ossec ossec]# /etc/init.d/ossec-hids restart
    -bash: /etc/init.d/ossec-hids: No such file or directory

    How do I fix this issue? To complete the WUI install?

    Thanks,

    Doc

  5. alexlinux

    Hello everyone,

    I was creating some OSSEC custom rules and decoders for a new project at work, but I found that when I use (extra_data, status, action, url, id, protocol and location) inside I can’t see the fields in /var/ossec/logs/alerts/alerts.log. But when I use the same decoder with (srcip, dstip, user, dstuser, srcuser, dstport, srcport, user) it works perfectly.

    I’ll give you an example:

    This is the log that I’m working at, I want to extract the path as extra_data :
    Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav

    This is my decoder:

    clamscan

    clamscan
    No supported database files found in
    (\S+)
    extra_data

    This is my rule :

    clamscan
    Grouping ClamAV rules.

    100300
    No supported database files found in
    Unsupported DB files found

    So, this is what I obtain when I execute the script /var/ossec/bin/ossec-logtest
    **Phase 1: Completed pre-decoding.
    full event: ‘Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav’
    hostname: ‘srv008’
    program_name: ‘clamscan’
    log: ‘LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav’

    **Phase 2: Completed decoding.
    decoder: ‘clamscan’
    extra_data: ‘/var/lib/clamav’

    **Phase 3: Completed filtering (rules).
    Rule id: ‘100304’
    Level: ‘8’
    Description: ‘Unsupported DB files found’
    **Alert to be generated.

    This is the log in /var/ossec/log/alerts/alerts.log
    ** Alert 1408365517.2903: mail – clamscan
    2014 Aug 10 08:38:37 srv008->/var/log/messages
    Rule: 100304 (level 8) -> ‘Unsupported DB files found’
    Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav

    As you can see there is no EXTRA DATA = /var/lib/clamav anywhere, but if I use exactly the same decoder and rule, replacing extra_data with (srcip, dstip, user, dstuser, srcuser, dstport, srcport, user), it works very well.

    This is the new output :
    ** Alert 1408365731.3332: mail – clamscan
    2014 Aug 10 08:42:11 srv008->/var/log/messages
    Rule: 100304 (level 8) -> ‘Unsupported DB files found’
    Src IP: /var/lib/clamav
    Aug 10 11:30:02 srv008 clamscan: LibClamAV Error: cli_loaddb(): No supported database files found in /var/lib/clamav

    In this case I used srcip.

    Thank you very much for your help!

  6. Harry P.

    FYI: OpenNode is CentOS 6.5 based, but the atomic script doesn’t recognize the distro because /etc/redhat-release contains “OpenNode release 6.5 (Build 6.2.0)”. Under the hood it’s just CentOS 6.5, so temporarily changing the string back solves the problem, but it would probably be a good idea to update the script accordingly so that it recognizes OpenNode.

    OpenNode is a Proxmox equivalent for virtualization using KVM or OpenVZ.

    Thanks
