Set up comprehensive host-based intrusion detection with OSSEC HIDS and Wazuh manager for real-time security monitoring, file integrity checking, and automated threat response across your infrastructure.
Prerequisites
- Server with at least 4GB RAM
- Root or sudo access
- Basic understanding of Linux system administration
- Email server or SMTP relay for notifications
What this solves
OSSEC HIDS (Host-based Intrusion Detection System) combined with Wazuh provides comprehensive real-time security monitoring for your servers. This setup detects unauthorized file changes, monitors system logs for suspicious activity, and automatically responds to security threats through active response rules.
Step-by-step installation
Update system packages
Start by updating your package manager and installing required dependencies for the security monitoring stack.
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl apt-transport-https lsb-release gnupg2
Add Wazuh repository
Add the official Wazuh repository to install the latest stable version with security updates and patches.
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
Install Wazuh manager
Install the Wazuh manager which will serve as the central server for collecting and analyzing security events from OSSEC agents.
sudo apt install -y wazuh-manager
Install OSSEC agent locally
Install the Wazuh agent package on the same server to monitor local system activity and demonstrate manager-agent communication. Wazuh is a fork of OSSEC, so wazuh-agent is the OSSEC-style agent in this stack; note that the manager already monitors its own host as agent 000, so a second agent on the manager host is only for demonstration.
sudo apt install -y wazuh-agent
Configure Wazuh manager
Configure the main Wazuh manager settings including alert levels, email notifications, and log analysis rules.
yes
localhost
wazuh@example.com
admin@example.com
12
alerts.log
10m
0
3
7
secure
1514
udp
no
1515
no
yes
yes
HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
Configure file integrity monitoring
Set up real-time file integrity monitoring for critical system directories and configuration files.
no
300
yes
no
yes
^/proc
^/sys
/var/log
/etc,/usr/bin,/usr/sbin
/bin,/sbin
/var/www
/etc/passwd,/etc/shadow,/etc/group
/etc/hosts,/etc/ssh/sshd_config
Configure log monitoring
Set up comprehensive log file monitoring for system authentication, web server access, and security events.
syslog
/var/log/auth.log
syslog
/var/log/syslog
syslog
/var/log/dpkg.log
apache
/var/log/apache2/access.log
apache
/var/log/apache2/error.log
nginx
/var/log/nginx/access.log
nginx
/var/log/nginx/error.log
Configure active response
Set up automated response actions to block IP addresses after multiple failed login attempts and other suspicious activities.
firewall-drop
firewall-drop
yes
host-deny
host-deny
yes
route-null
route-null
yes
no
firewall-drop
local
5720
600
no
firewall-drop
local
5763
600
no
host-deny
local
5720
600
Configure agent connection
Configure the OSSEC agent to connect to the local Wazuh manager for demonstration purposes.
127.0.0.1
1514
udp
ubuntu, ubuntu24, ubuntu24.04
10
60
yes
aes
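The log monitoring, active response and agent connection sections above list only configuration values. The script below, added here as an example rather than code from the original page, renders those values as complete ossec.conf fragments: `<localfile>` blocks and `<command>`/`<active-response>` pairs for the manager, and the `<client>` block for the agent. The tag names follow the Wazuh 4.x ossec.conf schema; the function names, the constructed input lists and the `WAZUH_MANAGER_IP` variable are this example's own assumptions, so compare the output with the stock /var/ossec/etc/ossec.conf on your install.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): renders the ossec.conf fragments
# for the log sources, active responses and agent connection listed above.
# Tag names follow the Wazuh 4.x ossec.conf schema; compare them with the
# stock /var/ossec/etc/ossec.conf on your own install.
set -eu

# Constructed input: "log_format:path" pairs, one <localfile> block each.
LOCALFILES="syslog:/var/log/auth.log
syslog:/var/log/syslog
syslog:/var/log/dpkg.log
apache:/var/log/apache2/access.log
apache:/var/log/apache2/error.log
nginx:/var/log/nginx/access.log
nginx:/var/log/nginx/error.log"

# Constructed input: "command:rule_id:timeout_seconds" for each active response.
RESPONSES="firewall-drop:5720:600
firewall-drop:5763:600
host-deny:5720:600"

# Manager side: <localfile> collectors plus the <command>/<active-response> pairs.
render_manager_fragment() {
  printf '<ossec_config>\n'
  printf '%s\n' "$LOCALFILES" | while IFS=: read -r fmt path; do
    printf '  <localfile>\n    <log_format>%s</log_format>\n    <location>%s</location>\n  </localfile>\n' "$fmt" "$path"
  done
  # One <command> per script shipped in /var/ossec/active-response/bin.
  for cmd in firewall-drop host-deny route-null; do
    printf '  <command>\n    <name>%s</name>\n    <executable>%s</executable>\n    <timeout_allowed>yes</timeout_allowed>\n  </command>\n' "$cmd" "$cmd"
  done
  # <timeout> makes the block temporary: the script is re-run with "delete" when it expires.
  printf '%s\n' "$RESPONSES" | while IFS=: read -r cmd rule timeout; do
    printf '  <active-response>\n    <disabled>no</disabled>\n    <command>%s</command>\n    <location>local</location>\n    <rules_id>%s</rules_id>\n    <timeout>%s</timeout>\n  </active-response>\n' "$cmd" "$rule" "$timeout"
  done
  printf '</ossec_config>\n'
}

# Agent side: the <client> block. The manager address is the only parameter.
render_agent_fragment() {
  manager_ip="${1:-127.0.0.1}"
  cat <<EOF
<ossec_config>
  <client>
    <server>
      <address>${manager_ip}</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <config-profile>ubuntu, ubuntu24, ubuntu24.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
</ossec_config>
EOF
}

# Append a rendered fragment to a config file. ossec.conf may contain several
# top-level <ossec_config> elements, so appending a complete one is valid.
append_fragment() {
  target="${2:-/var/ossec/etc/ossec.conf}"
  "$1" >> "$target"
}

# Stand-alone run: print both fragments; nothing is written to /var/ossec.
# WAZUH_MANAGER_IP is a hypothetical variable used only by this example.
render_manager_fragment
render_agent_fragment "${WAZUH_MANAGER_IP:-127.0.0.1}"
```

After appending the manager fragment, restart wazuh-manager so the new collectors and responses load. The agent's ossec.conf already contains a `<client>` block on Wazuh 4.x, so edit that block to match the rendered one rather than appending a second copy, and keep the agent's `<protocol>` equal to the manager's `<remote>` protocol (udp in this page) or the agent will never connect.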
Set proper file permissions
Configure secure file permissions for the Wazuh configuration files and directories. The daemons run as the wazuh user and group (named ossec in OSSEC and Wazuh 3.x, which is why older guides use that name); they need read access to the configuration, while sensitive files such as client.keys stay restricted. Two caveats: /var/ossec/etc/shared must stay writable by the wazuh group, because the manager writes the merged agent configuration there, and a 640 ossec.conf stops the Wazuh API from editing the configuration, an acceptable trade-off when you manage it by hand. A recursive chmod 640 must not touch directories, since it would remove the execute bit and make them untraversable.
sudo chown root:wazuh /var/ossec/etc/ossec.conf
sudo chmod 640 /var/ossec/etc/ossec.conf
sudo chown -R wazuh:wazuh /var/ossec/logs
sudo chmod 750 /var/ossec/logs
sudo chown -R root:wazuh /var/ossec/etc
sudo chown -R wazuh:wazuh /var/ossec/etc/shared
sudo find /var/ossec/etc -path /var/ossec/etc/shared -prune -o -type d -exec chmod 750 {} +
sudo find /var/ossec/etc -path /var/ossec/etc/shared -prune -o -type f -exec chmod 640 {} +
Start and enable services
Enable both the Wazuh manager and agent services to start automatically on boot and begin monitoring.
sudo systemctl enable --now wazuh-manager
sudo systemctl enable --now wazuh-agent
sudo systemctl status wazuh-manager
sudo systemctl status wazuh-agent
Register the agent
Register the local OSSEC agent with the Wazuh manager using the agent registration process.
sudo /var/ossec/bin/agent-auth -m 127.0.0.1 -p 1515
sudo systemctl restart wazuh-agent
Configure email notifications
Set up email notifications by configuring a local mail server or external SMTP relay for security alerts.
sudo apt install -y postfix mailutils
sudo systemctl enable --now postfix
Install Wazuh dashboard
Install the Wazuh dashboard for web-based security event visualization and management, together with the Wazuh indexer, the OpenSearch-based search backend that takes the place of Elasticsearch in Wazuh 4.x. Both services need TLS certificates (generated with the Wazuh certs tool, wazuh-certs-tool.sh) under /etc/wazuh-indexer/certs and /etc/wazuh-dashboard/certs before they will start.
sudo apt install -y wazuh-indexer wazuh-dashboard
sudo systemctl enable --now wazuh-indexer
sudo systemctl enable --now wazuh-dashboard
Configure firewall rules
Open the ports required for Wazuh manager communication and dashboard access while keeping everything else closed. The dashboard listens on 443 by default; port 5601 is only needed if you change server.port in /etc/wazuh-dashboard/opensearch_dashboards.yml.
sudo ufw allow 1514/udp comment 'Wazuh agent communication'
sudo ufw allow 1515/tcp comment 'Wazuh agent registration'
sudo ufw allow 443/tcp comment 'Wazuh dashboard HTTPS'
sudo ufw allow 5601/tcp comment 'Wazuh dashboard HTTP'
sudo ufw reload
sudo ufw status numbered
Verify your setup
Test the intrusion detection system by checking service status, agent connectivity, and generating test alerts.
sudo systemctl status wazuh-manager wazuh-agent wazuh-indexer wazuh-dashboard
sudo /var/ossec/bin/agent_control -l
sudo tail -f /var/ossec/logs/alerts/alerts.log
Generate test alert
Trigger file integrity alerts with a throwaway file under the monitored /etc directory rather than by appending to /etc/passwd, which would corrupt the password database. Creation, modification and deletion map to rules 554, 550 and 553; with realtime monitoring enabled the alerts appear within seconds, otherwise at the next scheduled scan.
sudo touch /etc/wazuh-fim-test
echo "fim test" | sudo tee -a /etc/wazuh-fim-test
sudo rm /etc/wazuh-fim-test
Check agent status
sudo /var/ossec/bin/agent_control -lc
sudo /var/ossec/bin/agent_control -i 000
View recent alerts
sudo tail -n 50 /var/ossec/logs/alerts/alerts.log
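Tailing alerts.log shows individual events; when verifying a new install it is more useful to summarise which rules fired and which sources reached the levels the active response reacts to. The script below is an added example, not part of the original page: the alert text is constructed to follow the classic OSSEC/Wazuh alerts.log layout (a `** Alert` header, a `Rule: <id> (level <n>) -> '<description>'` line and an optional `Src IP:` line), and the function names and sample hosts and addresses are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a quick triage pass over
# /var/ossec/logs/alerts/alerts.log. The alert text below is constructed to
# follow the classic OSSEC/Wazuh alert layout; run the functions against the
# real file on a manager.
set -eu

SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1700000000.100: - syslog,sshd,authentication_failed,
2024 Jan 01 12:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 203.0.113.7
Jan  1 12:00:00 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2

** Alert 1700000030.150: - syslog,sshd,authentication_failed,
2024 Jan 01 12:00:30 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 198.51.100.9
Jan  1 12:00:30 web01 sshd[2230]: Failed password for root from 198.51.100.9 port 41002 ssh2

** Alert 1700000060.200: mail  - syslog,sshd,authentication_failures,
2024 Jan 01 12:01:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'sshd: Multiple authentication failures.'
Src IP: 203.0.113.7
Jan  1 12:01:00 web01 sshd[2250]: Failed password for invalid user admin from 203.0.113.7 port 50140 ssh2

** Alert 1700000120.300: - ossec,syscheck,
2024 Jan 01 12:02:00 web01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
EOF
)

# Write the constructed sample to a temp file and print its path.
write_sample_alerts() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_ALERTS" > "$f"
  printf '%s\n' "$f"
}

# Count alerts per rule: prints "<count> <rule id> <level>", most frequent first.
alerts_by_rule() {
  awk '$1 == "Rule:" { lvl = $4; sub(/\)$/, "", lvl); counts[$2 " " lvl]++ }
       END { for (k in counts) print counts[k], k }' "$1" | sort -rn
}

# Source IPs seen on alerts at or above a level. Rule 5720, which the
# active response in the page's config keys on, fires at level 10.
high_severity_sources() {
  awk -v min="$2" '
    $1 == "**"    { lvl = 0 }
    $1 == "Rule:" { lvl = $4; sub(/\)$/, "", lvl); lvl += 0 }
    $1 == "Src" && $2 == "IP:" && lvl >= min { print $3 }
  ' "$1" | sort -u
}

# Stand-alone run over the constructed sample.
sample=$(write_sample_alerts)
echo "alerts per rule:";        alerts_by_rule "$sample"
echo "sources at level >= 10:"; high_severity_sources "$sample" 10
rm -f "$sample"
```

On a real manager replace the sample path with /var/ossec/logs/alerts/alerts.log; the sources listed at level 10 and above are the addresses the firewall-drop response should have blocked, so comparing them with the current iptables rules is a direct check that active response is working.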
Configure advanced monitoring rules
Create custom detection rules
Add custom rules for detecting specific security threats relevant to your environment.
5720
Failed password
5
300
Multiple SSH authentication failures
authentication_failures
5551
su: FAILED
3
120
Multiple failed su attempts - possible privilege escalation
privilege_escalation
550
Integrity checksum changed
Critical system file modified
file_integrity
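The custom rules above as a complete local_rules.xml, written and checked by a shell script. This is an added example, not code from the page or its install script: the rule ids 100001-100003 and the 100000-120000 range Wazuh reserves for local rules are real, while the function names and the `wazuh` group used by install_local_rules (Wazuh 4.x naming) are this example's own assumptions. For the single-event rule 100003 the example uses `<if_sid>`, the form that matches every parent event, whereas the frequency-based rules use `<if_matched_sid>` together with the `frequency` and `timeframe` attributes.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): writes the custom rules above
# into a local_rules.xml and checks the rule ids before the manager is
# restarted. Wazuh reserves ids 100000-120000 for local rules; anything
# outside that range, or a duplicate id, is rejected here so it never reaches
# analysisd.
set -eu

render_local_rules() {
  cat <<'EOF'
<group name="local,syslog,">
  <!-- 5 x rule 5720 (sshd multiple auth failures) within 300 s -->
  <rule id="100001" level="10" frequency="5" timeframe="300">
    <if_matched_sid>5720</if_matched_sid>
    <description>Multiple SSH authentication failures</description>
    <group>authentication_failures</group>
  </rule>
  <!-- 3 x rule 5551 (su: FAILED) within 120 s -->
  <rule id="100002" level="10" frequency="3" timeframe="120">
    <if_matched_sid>5551</if_matched_sid>
    <description>Multiple failed su attempts - possible privilege escalation</description>
    <group>privilege_escalation</group>
  </rule>
  <!-- escalate every syscheck change (rule 550) to level 12; if_sid is the
       single-event form, if_matched_sid is for frequency-based rules -->
  <rule id="100003" level="12">
    <if_sid>550</if_sid>
    <description>Critical system file modified</description>
    <group>file_integrity</group>
  </rule>
</group>
EOF
}

# Print the rule ids found in a rules file, one per line.
rule_ids() {
  sed -n 's/.*<rule id="\([0-9]*\)".*/\1/p' "$1"
}

# Return 0 when every id is unique and inside the local range, 1 otherwise.
check_rule_ids() {
  status=0
  for id in $(rule_ids "$1"); do
    if [ "$id" -lt 100000 ] || [ "$id" -gt 120000 ]; then
      echo "rule id $id is outside the local range 100000-120000" >&2
      status=1
    fi
  done
  dups=$(rule_ids "$1" | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate rule ids: $dups" >&2
    status=1
  fi
  return "$status"
}

# Install the rendered rules with the ownership the Wazuh 4.x daemons expect
# (root:wazuh, mode 640). Only run this on a manager, as root.
install_local_rules() {
  target="${1:-/var/ossec/etc/rules/local_rules.xml}"
  tmp=$(mktemp)
  render_local_rules > "$tmp"
  check_rule_ids "$tmp"
  install -o root -g wazuh -m 0640 "$tmp" "$target"
  rm -f "$tmp"
}

# Stand-alone run: print the rules and check them without touching /var/ossec.
tmp=$(mktemp)
render_local_rules | tee "$tmp"
check_rule_ids "$tmp" && echo "rule ids OK"
rm -f "$tmp"
```

After install_local_rules, restart wazuh-manager and confirm the rules were accepted by checking /var/ossec/logs/ossec.log for rule-loading errors; a rule id outside the local range or a duplicate id stops analysisd from loading the file.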
Configure CIS benchmarks monitoring
Enable CIS (Center for Internet Security) benchmark compliance monitoring for your operating system.
yes
yes
12h
yes
cis_ubuntu2204.yml
cis_debian11.yml
sca_unix_audit.yml
Restart services to apply changes
Restart the Wazuh manager to load the new custom rules and security configuration policies.
sudo systemctl restart wazuh-manager
sudo systemctl restart wazuh-agent
sudo tail -f /var/ossec/logs/ossec.log
Dashboard access and integration
Access the Wazuh dashboard at https://your-server-ip:443 (or port 5601 if you changed server.port). The default credentials are admin/admin; change them immediately after first login. The dashboard provides real-time security event visualization, compliance reporting and alert management, and its alert data can be fed into existing monitoring infrastructure such as Prometheus and Grafana.
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Agent not connecting to manager | Firewall blocking port 1514 | sudo ufw allow 1514/udp && sudo ufw reload |
| File integrity alerts not working | Incorrect ownership or permissions on the configuration tree | Fix the config tree only, never the whole install (bin/ must stay root-owned): sudo chown -R root:wazuh /var/ossec/etc && sudo systemctl restart wazuh-manager |
| Email alerts not sending | SMTP server not configured | Configure postfix: sudo dpkg-reconfigure postfix |
| Dashboard not accessible | Wazuh indexer not running | sudo systemctl start wazuh-indexer && sudo systemctl status wazuh-indexer |
| High false positive alerts | Default rules too sensitive | Tune alert levels in /var/ossec/etc/ossec.conf and restart services |
| Active response not blocking IPs | Firewall integration not working | Check /var/ossec/active-response/bin/firewall-drop permissions and iptables rules |
| Agent registration fails | Authentication key mismatch | sudo /var/ossec/bin/manage_agents and regenerate keys |
Next steps
- Set up OSSEC agent deployment across multiple servers
- Configure centralized logging with rsyslog for security events
- Implement NGINX rate limiting and DDoS protection
- Integrate Wazuh with Elasticsearch cluster for scalable log analysis
- Configure Wazuh API for automation and custom security integrations
Automated install script
Run this to automate the entire setup
#!/usr/bin/env bash
set -euo pipefail
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Default values
MANAGER_IP="${1:-127.0.0.1}"   # not used by the steps below
usage() {
echo "Usage: $0 [MANAGER_IP]"
echo " MANAGER_IP: IP address of Wazuh manager (default: 127.0.0.1)"
exit 1
}
case "${1:-}" in -h|--help) usage ;; esac
log() {
echo -e "${GREEN}[$(date '+%Y-%m-%d %H:%M:%S')] $1${NC}"
}
warn() {
echo -e "${YELLOW}[$(date '+%Y-%m-%d %H:%M:%S')] WARNING: $1${NC}"
}
error() {
echo -e "${RED}[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $1${NC}"
}
cleanup() {
error "Installation failed. Cleaning up..."
systemctl stop wazuh-manager wazuh-indexer wazuh-dashboard 2>/dev/null || true
systemctl stop wazuh-agent 2>/dev/null || true
}
trap cleanup ERR
# Check if running as root
if [[ $EUID -ne 0 ]]; then
error "This script must be run as root"
exit 1
fi
# Detect distribution
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_UPDATE="apt update && apt upgrade -y"
PKG_INSTALL="apt install -y"
KEYRING_PATH="/usr/share/keyrings/wazuh.gpg"
REPO_FILE="/etc/apt/sources.list.d/wazuh.list"
FIREWALL_CMD="ufw allow"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_UPDATE="dnf update -y"
PKG_INSTALL="dnf install -y"
REPO_FILE="/etc/yum.repos.d/wazuh.repo"
FIREWALL_CMD="firewall-cmd --permanent --add-port"
;;
amzn)
PKG_MGR="yum"
PKG_UPDATE="yum update -y"
PKG_INSTALL="yum install -y"
REPO_FILE="/etc/yum.repos.d/wazuh.repo"
FIREWALL_CMD="firewall-cmd --permanent --add-port"
;;
*)
error "Unsupported distribution: $ID"
exit 1
;;
esac
else
error "Cannot detect distribution"
exit 1
fi
log "[1/8] Updating system packages"
eval "$PKG_UPDATE"   # eval so the "&&" in the apt variant runs as an operator, not as a literal argument
log "[2/8] Installing dependencies"
if [[ "$PKG_MGR" == "apt" ]]; then
$PKG_INSTALL curl apt-transport-https lsb-release gnupg2
else
$PKG_INSTALL curl yum-utils
fi
log "[3/8] Adding Wazuh repository"
if [[ "$PKG_MGR" == "apt" ]]; then
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:$KEYRING_PATH --import
chmod 644 $KEYRING_PATH
echo "deb [signed-by=$KEYRING_PATH] https://packages.wazuh.com/4.x/apt/ stable main" > $REPO_FILE
apt update
else
rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
cat > $REPO_FILE << 'EOF'
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
fi
log "[4/8] Installing Wazuh components"
$PKG_INSTALL wazuh-manager wazuh-indexer wazuh-dashboard
log "[5/8] Configuring Wazuh"
# Configure indexer. The wazuh-indexer package already ships
# /etc/wazuh-indexer/opensearch.yml with network, cluster and certificate
# settings plus path.data, path.logs and plugins.security.authcz.admin_dn,
# which securityadmin needs. Overwriting that file drops them, so the minimal
# configuration below is only written when no file exists.
if [[ ! -f /etc/wazuh-indexer/opensearch.yml ]]; then
cat > /etc/wazuh-indexer/opensearch.yml << 'EOF'
network.host: 0.0.0.0
node.name: node-1
cluster.initial_master_nodes:
- node-1
cluster.name: wazuh-cluster
discovery.seed_hosts:
- 127.0.0.1
plugins.security.ssl.transport.pemcert_filepath: certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
EOF
fi
# Load the security configuration into the indexer. This step does NOT
# generate certificates: the root CA, indexer and admin PEM files must already
# be in /etc/wazuh-indexer/certs (create them with the Wazuh certs tool before
# running this script), and securityadmin needs a running indexer to talk to.
CERT_DIR=/etc/wazuh-indexer/certs
for f in root-ca.pem indexer.pem indexer-key.pem admin.pem admin-key.pem; do
if [[ ! -f "$CERT_DIR/$f" ]]; then
error "Missing $CERT_DIR/$f - generate the indexer certificates before running this script"
exit 1
fi
done
systemctl daemon-reload
systemctl enable --now wazuh-indexer
sleep 10
/usr/share/wazuh-indexer/bin/indexer-security-admin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -icl -nhnv -cacert "$CERT_DIR/root-ca.pem" -cert "$CERT_DIR/admin.pem" -key "$CERT_DIR/admin-key.pem"
# Configure manager
# ossec.conf is a sequence of top-level <ossec_config> elements, so an appended
# block must be wrapped in its own <ossec_config> or the file stops parsing.
cat >> /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
<syscheck>
<disabled>no</disabled>
<frequency>79200</frequency>
<scan_on_start>yes</scan_on_start>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>43200</frequency>
</rootcheck>
</ossec_config>
EOF
# Add custom rules
cat > /var/ossec/etc/rules/local_rules.xml << 'EOF'
<group name="local,syslog,">
<rule id="100001" level="10" frequency="5" timeframe="300">
<if_matched_sid>5720</if_matched_sid>
<description>Multiple SSH authentication failures</description>
<group>authentication_failures</group>
</rule>
<rule id="100002" level="10" frequency="3" timeframe="120">
<if_matched_sid>5551</if_matched_sid>
<description>Multiple failed su attempts - possible privilege escalation</description>
<group>privilege_escalation</group>
</rule>
<rule id="100003" level="12">
<if_matched_sid>550</if_matched_sid>
<description>Critical system file modified</description>
<group>file_integrity</group>
</rule>
</group>
EOF
chown -R root:wazuh /var/ossec/etc/rules/   # Wazuh 4.x uses the wazuh user and group (ossec in older releases)
chmod 640 /var/ossec/etc/rules/local_rules.xml
log "[6/8] Configuring firewall"
if command -v ufw &> /dev/null; then
ufw allow 1514/udp
ufw allow 1515/tcp
ufw allow 443/tcp
ufw allow 5601/tcp
ufw --force enable
elif command -v firewall-cmd &> /dev/null; then
firewall-cmd --permanent --add-port=1514/udp
firewall-cmd --permanent --add-port=1515/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --reload
fi
log "[7/8] Starting services"
systemctl daemon-reload
systemctl enable wazuh-indexer wazuh-manager wazuh-dashboard
systemctl start wazuh-indexer
sleep 10
systemctl start wazuh-manager
systemctl start wazuh-dashboard
log "[8/8] Verifying installation"
if systemctl is-active --quiet wazuh-manager && systemctl is-active --quiet wazuh-indexer; then
log "Wazuh installation completed successfully!"
log "Dashboard: https://$(hostname -I | awk '{print $1}'):443"
log "Default credentials: admin/admin (change immediately)"
warn "Change default dashboard password after first login"
else
error "Some services failed to start"
exit 1
fi
log "Installation complete. Check /var/ossec/logs/ossec.log for manager logs"
Review the script before running. It checks for root, so execute it with: sudo bash install.sh