Install OSSEC on Red Hat or CentOS

OSSEC is an open source centralized log monitoring and notification system. OSSEC is often used to meet PCI Compliance central logging and intrusion monitoring requirements with a free and self-managed solution. OSSEC monitors all types of logs such as syslog, apache, maillogs, mysql logs, ftp logs, cisco IOS logs, and more. I’ll show you how to install OSSEC on the latest Red Hat Linux or CentOS 6!

First add the EPEL repository to meet an inotify-tools dependency.

$ sudo rpm -Uvh

Next fetch and run the atomic repository script to add their repository:

$ wget && sudo chmod +x atomic && sudo ./atomic

Now install ossec server. Note that the client is also available (ossec-hids-client)

$ sudo yum install ossec-hids ossec-hids-server
$ sudo yum install ossec-hids ossec-hids-server
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
 * atomic:
 * base:
 * epel:
 * extras:
 * updates:
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 will be installed
--> Processing Dependency: inotify-tools for package:
---> Package ossec-hids-server.x86_64 will be installed
--> Processing Dependency: perl-DBD-SQLite for package:
--> Processing Dependency: perl(Time::HiRes) for package:
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.14-1.el6 will be installed
---> Package perl-DBD-SQLite.x86_64 0:1.27-3.el6 will be installed
---> Package perl-Time-HiRes.x86_64 4:1.9721-119.el6_1.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package                Arch        Version                   Repository   Size
 ossec-hids             x86_64            atomic       50 k
 ossec-hids-server      x86_64            atomic      779 k
Installing for dependencies:
 inotify-tools          x86_64      3.14-1.el6                epel         46 k
 perl-DBD-SQLite        x86_64      1.27-3.el6                base         83 k
 perl-Time-HiRes        x86_64      4:1.9721-119.el6_1.1      base         46 k

Transaction Summary
Install       5 Package(s)

Total download size: 1.0 M
Installed size: 6.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): inotify-tools-3.14-1.el6.x86_64.rpm               |  46 kB     00:00     
(2/5):              |  50 kB     00:00     
(3/5):       | 779 kB     00:00     
(4/5): perl-DBD-SQLite-1.27-3.el6.x86_64.rpm             |  83 kB     00:00     
(5/5): perl-Time-HiRes-1.9721-119.el6_1.1.x86_64.rpm     |  46 kB     00:00     
Total                                           953 kB/s | 1.0 MB     00:01     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 5ebd2744: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/
Importing GPG key 0x5EBD2744:
 Userid : Atomic Rocket Turtle 
 Package: (installed)
 From   : /etc/pki/rpm-gpg/
Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6) 
 Package: epel-release-6-5.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : perl-DBD-SQLite-1.27-3.el6.x86_64                            1/5 
  Installing : inotify-tools-3.14-1.el6.x86_64                              2/5 
  Installing :                             3/5 
  Installing : 4:perl-Time-HiRes-1.9721-119.el6_1.1.x86_64                  4/5 
  Installing :                      5/5 

  ossec-hids.x86_64  ossec-hids-server.x86_64 

Dependency Installed:
  inotify-tools.x86_64 0:3.14-1.el6                                             
  perl-DBD-SQLite.x86_64 0:1.27-3.el6                                           
  perl-Time-HiRes.x86_64 4:1.9721-119.el6_1.1                                   


Start the server with:

[stmiller@centos ~]$ sudo service ossec-hids start
Starting ossec-hids:                                       [  OK  ]
[stmiller@centos ~]$

From the above packages, configuration files are located in the following two locations:

[stmiller@centos ~]$ sudo ls /usr/share/ossec/contrib/    ossec2mysql.conf
config2xml         ossec2mysql.sql   ossec_report.txt
[stmiller@centos ~]$ sudo ls /var/ossec/
active-response  agentless  bin  etc  logs  queue  rules  stats  tmp  var

The main config file is:


Agent vs Agentless

OSSEC can poll data via two different methods agent and agentless:

The easiest setup is to use agents, in which unique IDs and keys are setup for each host for easy management. Agents also provide the most comprehensive monitoring and is in general the way to go. Agents can work for DHCP environments as well. Port 1514 UDP is the only required port that OSSEC opens server side. If there is a firewall between OSSEC server and agents, open UDP 1514.

Below is the doc on setting up agentless monitoring. Note the limitations in agentless monitoring (no log monitoring at this time):

Ok that should help get OSSEC installed and whet your appetite! To continue with configuration, seethis excellent doc.

Web Interface

OSSEC has an optional web interface. From popular demand, here are some quick setup instructions! I will elaborate later if needed.


$ wget


$ tar xvf ossec-wui-0.3.tar.gz

$ sudo mv ossec-wui-0.3 /var/www/html/ossec-wui


$ cd /var/www/html/ossec-wui 
$ sudo ./


$ sudo gpasswd -a apache ossec
Adding user apache to group ossec


$ sudo -s

# cd /var/ossec

# chmod 770 tmp/
# chgrp apache tmp/


$ sudo /etc/init.d/ossec-hids restart
Starting ossec-hids:                                       [  OK  ]


$ sudo /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Now the Web interface is available at:



Leave a comment

Leave your opinion

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: