Set up OSSEC Host-based Intrusion Detection System with server-agent architecture, custom detection rules, email notifications, and real-time monitoring for comprehensive security monitoring across multiple systems.
Prerequisites
- Root or sudo access
- Minimum 2GB RAM
- SMTP server access for email alerts
- Multiple systems for agent deployment
- Basic knowledge of Linux system administration
What this solves
OSSEC HIDS provides comprehensive host-based intrusion detection by monitoring system logs, file integrity, registry changes, and rootkit detection. This tutorial sets up a centralized OSSEC server with distributed agents, email alerting, and custom detection rules for enterprise security monitoring.
Step-by-step installation
Update system packages
Update your package manager to ensure you have the latest security patches and dependencies.
sudo apt update && sudo apt upgrade -y
Install required dependencies
Install build tools and development libraries needed for OSSEC compilation.
sudo apt install -y build-essential gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget curl postfix mailutils
Create OSSEC system user
Create dedicated system users for OSSEC processes with minimal privileges.
sudo groupadd ossec
sudo useradd -d /var/ossec -s /bin/false -g ossec ossec
sudo useradd -d /var/ossec -s /bin/false -g ossec ossecm
sudo useradd -d /var/ossec -s /bin/false -g ossec ossecr
Download and extract OSSEC
Download the OSSEC 3.7.0 release archive and verify it before extracting. Note that the commands below only download and extract; checking the archive's checksum or signature against the published release is a step you must add yourself.
cd /tmp
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -xzf 3.7.0.tar.gz
cd ossec-hids-3.7.0
Install OSSEC server
Run the interactive installation script for the OSSEC server configuration.
sudo ./install.sh
During installation, select these options:
- What kind of installation: server
- Installation path: /var/ossec
- Email notification: y
- SMTP server: 127.0.0.1
- Email from: ossec@example.com
- Email to: admin@example.com
- Enable firewall response: y
- Enable PCI DSS: n
Configure OSSEC server settings
Edit the main OSSEC configuration file to customize monitoring settings and email alerts.
<!-- Server-side ossec.conf. The global section mirrors the answers given to
     install.sh above (mail through the local Postfix at 127.0.0.1). -->
<ossec_config>
<global>
<email_notification>yes</email_notification>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossec@example.com</email_from>
<email_to>admin@example.com</email_to>
<!-- Caps alert e-mails at 12 per hour; alerts are still written to
     alerts.log regardless (log_alert_level 1 in the alerts section below). -->
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<!-- Presumably: an agent silent for 600 s counts as disconnected, and an
     alert is raised after 1800 s of silence; verify against the OSSEC docs. -->
<agents_disconnection_time>600</agents_disconnection_time>
<agents_disconnection_alert_time>1800</agents_disconnection_alert_time>
</global>
<!-- Stock rule set. local_rules.xml is the only site-specific file; it is
     included last so the custom rules on this page can reference (if_sid)
     the stock rule ids loaded before it. -->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<!-- File integrity: full scan every 79200 s (22 h); /var/www is also
     watched in real time. -->
<syscheck>
<frequency>79200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/var/www</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore type="sregex">\.log$|logs/</ignore>
</syscheck>
<!-- Rootkit / policy checks every 36000 s (10 h). Both the Debian and the
     RHEL CIS policies are loaded; the one that does not match this host is
     expected to add noise; TODO confirm and drop the irrelevant one. -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>36000</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<!-- Log sources. /var/log/messages is a RHEL-family path and auth.log /
     syslog are Debian-family paths; on a given host one of the two sets
     will not exist. -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<!-- Periodic command output (every 360 s) fed in as log events. -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<!-- NOTE(review): netstat -p only shows the owning process for sockets of
     the invoking user unless it runs as root; confirm which user runs the
     log collector so this listening-port inventory is complete. -->
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+\([[:digit:]]\+\)\ \+\([[:digit:]]\+\)\ \+\(.\):\([[:digit:]]\)\ \+\(.\):\([[:digit:]]\)\ \+\([[:alpha:]]\+\)\(.*\)/\1 \2 \3 \4:\5 \6:\7 \8 \9/' | sort -k 4 -g</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<!-- NOTE(review): allowed-ips 0.0.0.0/0 lets any source address send to
     1514/udp. The "secure" connection still requires a valid agent key, but
     limiting this to the agent networks (and matching the firewall rule on
     this page) keeps ossec-remoted from having to process unsolicited
     traffic from the whole internet. -->
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>udp</protocol>
<allowed-ips>0.0.0.0/0</allowed-ips>
</remote>
<!-- Level 1 and above goes to alerts.log; level 7 and above is also
     e-mailed (subject to email_maxperhour above). -->
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
</ossec_config>
Configure email alerts
Set up Postfix for email notifications and configure OSSEC email rules.
sudo dpkg-reconfigure postfix
Select Internet Site and configure with your domain. Then create email alert rules:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Custom rules; goes in local_rules.xml, which the server config on this
     page includes last. Levels 7 and above are e-mailed under the
     email_alert_level of 7 configured above; level 5 is only logged. -->
<group name="local,syslog,">
<!-- Successful SSH login (stock sid 5715) from outside 192.168.0.0/16.
     Adjust the negated range to the real management networks. -->
<rule id="100001" level="5">
<if_sid>5715</if_sid>
<srcip>!192.168.0.0/16</srcip>
<description>sshd: authentication success from external IP.</description>
<group>authentication_success,pci_dss_10.2.5,</group>
</rule>
<!-- Six failed SSH logins (sid 5716) within 120 s; level 10, so e-mailed. -->
<rule id="100002" level="10" frequency="6" timeframe="120">
<if_matched_sid>5716</if_matched_sid>
<description>sshd: brute force attack (multiple failed logins).</description>
<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
<!-- Integrity-check event (sid 550) whose text reports a shrunken file. -->
<rule id="100003" level="12">
<if_sid>550</if_sid>
<match>ossec: File size reduced</match>
<description>File size reduced. Possible data integrity violation.</description>
<group>pci_dss_11.5,file_integrity,</group>
</rule>
<!-- Any "session opened for user root" seen by the generic syslog rule
     (sid 1002). Level 7 means every root session mails an alert. -->
<rule id="100004" level="7">
<if_sid>1002</if_sid>
<match>session opened for user root</match>
<description>Root user login detected.</description>
<group>authentication_success,pci_dss_10.2.5,</group>
</rule>
<!-- NOTE(review): five web 4xx responses (sid 31151) within 300 s at level
     10 will mail on ordinary crawler and scanner noise on any public site.
     Consider a higher frequency, a lower level, or adding
     <same_source_ip /> so only bursts from one client correlate. -->
<rule id="100005" level="10" frequency="5" timeframe="300">
<if_sid>31151</if_sid>
<description>Multiple web server 4xx errors.</description>
<group>web,attack,</group>
</rule>
</group>
Configure firewall rules
Allow OSSEC agent connections and email traffic through the firewall.
# NOTE(review): this admits 1514/udp from any source (it matches the
# allowed-ips 0.0.0.0/0 in the server config above). If the agent subnets are
# known, prefer a source-restricted rule such as
#   sudo ufw allow from <AGENT_CIDR> to any port 1514 proto udp comment "OSSEC Agent Communication"
sudo ufw allow 1514/udp comment "OSSEC Agent Communication"
# This is an *inbound* rule. Alerts are delivered to the local Postfix
# (smtp_server 127.0.0.1 in the config above), which needs no inbound 25/tcp;
# only open this if the host must also receive mail from other machines.
sudo ufw allow 25/tcp comment "SMTP Email Alerts"
sudo ufw reload
Set proper permissions and ownership
Configure file permissions for OSSEC directories and files with proper security.
# NOTE(review): the recursive chown also hands the programs in /var/ossec/bin
# to the unprivileged ossec account. ossec-control is run with sudo (see the
# start step below) and executes those programs, so a compromised service
# account could replace what root runs. Keep bin/ and etc/ root-owned with
# group ossec for read access; the automated script at the bottom of this page
# uses root:ossec for exactly that reason.
sudo chown -R ossec:ossec /var/ossec
# 755 on every file leaves whatever manage_agents stores under etc/ (presumably
# the agent authentication keys) world-readable until the directory itself is
# tightened on the next line.
sudo chmod -R 755 /var/ossec
sudo chmod 750 /var/ossec/etc
sudo chmod 640 /var/ossec/etc/ossec.conf
sudo chmod 750 /var/ossec/logs
sudo chmod 750 /var/ossec/queue
Start OSSEC server
Enable and start the OSSEC server service with systemd integration.
# NOTE(review): the manual steps on this page do not create a systemd unit, so
# `systemctl enable ossec` on the next line only works if one already exists;
# the automated script at the end of the page writes one.
sudo /var/ossec/bin/ossec-control start
sudo systemctl enable ossec
Install OSSEC agent on remote systems
Download and install OSSEC agent on systems you want to monitor.
cd /tmp
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -xzf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh
During agent installation, select:
- Installation type: agent
- Server IP: 203.0.113.10 (your OSSEC server IP)
- Agent ID: 001 (unique for each agent)
- Agent name: web-server-01
Add agents to OSSEC server
Register agents on the OSSEC server and generate authentication keys.
sudo /var/ossec/bin/manage_agents
In the management interface:
- Press A to add agent
- Agent ID: 001
- Agent name: web-server-01
- Agent IP: 203.0.113.20
- Press E to extract key for agent 001
Copy the generated key to the agent system and import it there. The key is the agent's authentication secret, so transfer it over an encrypted channel and do not leave it in shell history or shared files:
sudo /var/ossec/bin/manage_agents
Press I to import the key and paste the authentication key from the server.
Configure agent monitoring
Customize agent configuration for specific log files and monitoring targets.
<ossec_config>
<client>
<server>
<address>203.0.113.10</address>
<port>1514</port>
<protocol>udp</protocol>
</server>
<config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>
<localfile>
<log_format>nginx</log_format>
<location>/var/log/nginx/access.log</location>
</localfile>
<localfile>
<log_format>nginx</log_format>
<location>/var/log/nginx/error.log</location>
</localfile>
<syscheck>
<frequency>79200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes" realtime="yes">/var/www</directories>
<directories check_all="yes" realtime="yes">/etc/nginx</directories>
<directories check_all="yes" realtime="yes">/etc/apache2</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore type="sregex">\.log$|logs/</ignore>
</syscheck>
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>36000</frequency>
</rootcheck>
</ossec_config>
Start OSSEC agents
Enable and start OSSEC agents on monitored systems.
sudo /var/ossec/bin/ossec-control start
sudo systemctl enable ossec
Configure log rotation
Set up automatic log rotation to prevent disk space issues with OSSEC logs.
# NOTE(review): each stanza restarts every OSSEC daemon from postrotate, so one
# daily logrotate run can restart OSSEC three times, and a restart can lose
# events that are in flight. ossec-monitord is documented to rotate alerts.log
# and ossec.log daily on its own; confirm whether these rules duplicate that
# before adding them. If they are kept, merge the three paths into a single
# stanza with `sharedscripts` so postrotate runs once.
/var/ossec/logs/alerts/alerts.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
# Owner/group matches the ossec:ossec ownership set earlier on this page.
create 640 ossec ossec
postrotate
/var/ossec/bin/ossec-control restart > /dev/null 2>/dev/null || true
endscript
}
/var/ossec/logs/ossec.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 640 ossec ossec
postrotate
/var/ossec/bin/ossec-control restart > /dev/null 2>/dev/null || true
endscript
}
/var/ossec/logs/archives/archives.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 640 ossec ossec
postrotate
/var/ossec/bin/ossec-control restart > /dev/null 2>/dev/null || true
endscript
}
Configure real-time monitoring dashboard
Install and configure OSSEC web UI for real-time monitoring and alert management.
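sudo apt install -y apache2 php php-cli php-common libapache2-mod-php
cd /tmp
# NOTE(review): ossec-wui appears unmaintained (0.9 is its last release) and is
# PHP that reads OSSEC's alert data; treat it as legacy and keep it behind
# authentication and TLS (see the virtual host section below).
wget https://github.com/ossec/ossec-wui/archive/0.9.tar.gz
tar -xzf 0.9.tar.gz
# The target directory does not exist on a fresh Apache install; without it,
# `cp -r ossec-wui-0.9/* /var/www/html/ossec/` fails with "No such file or directory".
sudo mkdir -p /var/www/html/ossec
sudo cp -r ossec-wui-0.9/* /var/www/html/ossec/
# www-data ownership of the PHP sources lets a compromised web process rewrite
# its own code. If the UI only needs a writable scratch directory (it reportedly
# ships one; confirm), give www-data write access to that alone and keep the
# rest root-owned and group-readable.
sudo chown -R www-data:www-data /var/www/html/ossec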
sudo chmod 755 /var/www/html/ossec
Configure web UI permissions
Set up proper permissions for OSSEC web interface to read logs and statistics.
# NOTE(review): membership of the ossec group gives the web server user read
# access to everything under /var/ossec that is group-readable, including
# /var/ossec/etc (chmod 750 ossec:ossec earlier on this page), which is
# presumably where manage_agents keeps the agent authentication keys. A
# compromised dashboard could then read them. Grant read access only to the
# log and stats files the UI needs (a dedicated read-only group, or ACLs on
# those files) rather than adding www-data to the ossec group.
sudo usermod -a -G ossec www-data
sudo chmod g+r /var/ossec/logs/alerts/alerts.log
sudo chmod g+r /var/ossec/logs/ossec.log
sudo chmod g+rx /var/ossec/stats
sudo chmod g+r /var/ossec/stats/
Create Apache virtual host for OSSEC
Configure Apache virtual host with SSL and basic authentication for secure access.
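# NOTE(review): the original <Directory> block carried both "Require all granted"
# and "Require valid-user". In Apache 2.4, several Require directives outside an
# explicit container are combined as RequireAny, so "Require all granted" was
# satisfied on its own and the Basic-auth prompt could be bypassed entirely.
# Only "Require valid-user" is kept here.
# NOTE(review): this listens on plain HTTP, so the Basic-auth credentials and the
# alert data cross the network unencrypted; the section heading promises SSL.
# Terminate TLS (a *:443 host with SSLEngine on) or put a TLS proxy in front
# before exposing it beyond localhost.
# The page shows "<VirtualHost :80>", which lacks an address; "*:80" is the
# usual form and is assumed to be what was meant.
<VirtualHost *:80>
    ServerName ossec.example.com
    DocumentRoot /var/www/html/ossec
    <Directory /var/www/html/ossec>
        Options -Indexes
        AllowOverride All
        AuthType Basic
        AuthName "OSSEC Dashboard"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/ossec_error.log
    CustomLog ${APACHE_LOG_DIR}/ossec_access.log combined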
</VirtualHost>
sudo htpasswd -c /etc/apache2/.htpasswd admin
sudo a2ensite ossec.conf
sudo systemctl reload apache2
Performance tuning configuration
Optimize OSSEC performance for high-volume environments and resource efficiency.
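# Tuning values for OSSEC's internal options file (internal_options.conf under
# the installation directory). Prefer local_internal_options.conf for
# overrides so an upgrade does not clobber them.
# NOTE(review): the keys analysisd.*_threads and remoted.pass_empty_keyfile
# look like Wazuh settings rather than OSSEC 3.7 ones; confirm each key exists
# in the shipped internal_options.conf before setting it.
# The section headings below were missing their leading "#" on the page, which
# would make them invalid lines in the file; they are restored as comments.
# Analysis options
analysisd.event_threads=4
analysisd.syscheck_threads=2
analysisd.syscollector_threads=1
analysisd.rootcheck_threads=1
analysisd.sca_threads=2
analysisd.hostinfo_threads=1
analysisd.winevt_threads=1
analysisd.other_threads=1
analysisd.min_rotate_interval=600
# Remote daemon options
remoted.recv_counter_flush=128
remoted.comp_average_printout=19999
remoted.verify_msg_id=0
remoted.pass_empty_keyfile=1
# Log collector options
logcollector.loop_timeout=2
logcollector.open_attempts=8
logcollector.vcheck_files=64
logcollector.max_lines=10000
logcollector.max_files=1000
# Syscheck options
syscheck.sleep=2
syscheck.sleep_after=50
syscheck.rt_delay=30
# Rootcheck options
rootcheck.sleep=2
# Database options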
dbd.reconnect_attempts=10
Verify your setup
Check OSSEC server status and verify agent connections are working properly.
sudo /var/ossec/bin/ossec-control status
sudo /var/ossec/bin/list_agents -c
sudo tail -f /var/ossec/logs/ossec.log
Test email alerts by generating a test event:
sudo /var/ossec/bin/ossec-logtest
sudo logger "OSSEC test alert - unauthorized access attempt"
sudo tail -f /var/ossec/logs/alerts/alerts.log
Verify web dashboard access:
curl -u admin:password http://localhost/ossec/
sudo systemctl status apache2
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Agent not connecting | Firewall blocking port 1514 | sudo ufw allow 1514/udp or check authentication keys |
| Email alerts not sending | Postfix not configured | sudo dpkg-reconfigure postfix and check SMTP settings |
| High CPU usage | Too many log files monitored | Reduce monitored files in ossec.conf or increase analysis threads |
| Web UI permission denied | Incorrect file ownership | sudo chown -R www-data:www-data /var/www/html/ossec |
| Disk space filling up | Log rotation not configured | Configure logrotate rules and check /var/ossec/logs size |
| False positive alerts | Default rules too sensitive | Tune alert levels in ossec.conf or create custom rules |
Next steps
Automated install script
Run this to automate the entire setup
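#!/usr/bin/env bash
# OSSEC HIDS Installation Script
# Supports Ubuntu/Debian and RHEL-based distributions.
#
# Must run as root (enforced in check_prerequisites); --email-from and
# --email-to are mandatory (see usage()).
set -euo pipefail

# Terminal colour codes. Kept as literal backslash sequences; the log helpers
# expand them when they print.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[0;33m'
readonly NC='\033[0m'

# Default configuration. OSSEC_VERSION may be overridden from the environment
# (OSSEC_VERSION=x.y.z bash install.sh ...); the mail settings are filled in by
# parse_args from the command line.
OSSEC_VERSION="${OSSEC_VERSION:-3.7.0}"
SMTP_SERVER="127.0.0.1"
EMAIL_FROM=""
EMAIL_TO=""
INSTALL_DIR="/var/ossec"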
usage() {
  # Print the command-line summary to stdout and exit with status 1.
  # Reached via --help and from parse_args on an unknown option.
  local script_name=$0
  printf '%s\n' \
    "Usage: ${script_name} [OPTIONS]" \
    "Options:" \
    " --email-from EMAIL Email address for OSSEC notifications" \
    " --email-to EMAIL Email address to receive alerts" \
    " --smtp-server IP SMTP server IP (default: 127.0.0.1)" \
    " --help Show this help message"
  exit 1
}
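log() {
  # Informational message to stdout with a green [INFO] tag.
  # All arguments are joined with "$*", so `log` without an argument no longer
  # aborts under `set -u` the way "$1" did.
  printf '%b\n' "${GREEN}[INFO]${NC} $*"
}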
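warn() {
  # Non-fatal diagnostic with a yellow [WARN] tag. Written to stderr (it went
  # to stdout before) so it does not mix with captured command output.
  printf '%b\n' "${YELLOW}[WARN]${NC} $*" >&2
}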
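error() {
  # Fatal diagnostic: red [ERROR] tag on stderr, then exit 1.
  # Note that `exit` does not trigger the ERR trap, so cleanup() does not run
  # for failures reported through this helper.
  printf '%b\n' "${RED}[ERROR]${NC} $*" >&2
  exit 1
}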
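cleanup() {
  # ERR-trap handler: undo a partial installation.
  # The failing command's status is captured via $? before anything else runs.
  #
  # WARNING: this removes INSTALL_DIR outright. On a re-run over an existing
  # OSSEC installation a late failure would delete that installation and any
  # agent keys in it. Note also that an ERR trap is not inherited by shell
  # functions unless `set -o errtrace` is in effect, so as written this fires
  # only for failures of top-level commands.
  local status=$?
  if [ "$status" -ne 0 ]; then
    warn "Installation failed. Cleaning up..."
    rm -rf -- "/tmp/ossec-hids-${OSSEC_VERSION}"
    rm -f -- "/tmp/${OSSEC_VERSION}.tar.gz"
    systemctl stop ossec >/dev/null 2>&1 || true
    local account
    for account in ossecr ossecm ossec; do
      userdel "$account" >/dev/null 2>&1 || true
    done
    groupdel ossec >/dev/null 2>&1 || true
    # ${INSTALL_DIR:?} aborts instead of expanding to "" and running rm -rf on
    # the wrong path should the variable ever be unset or empty.
    if [ -d "${INSTALL_DIR:?}" ]; then
      rm -rf -- "${INSTALL_DIR:?}"
    fi
  fi
}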
# NOTE(review): without `set -o errtrace` (-E) an ERR trap is not inherited by
# shell functions, so a failing command inside the steps main() runs does not
# invoke cleanup; only a failing top-level command does. error() exits directly
# and does not trigger ERR either. Before enabling errtrace, bear in mind that
# cleanup removes INSTALL_DIR outright, including a pre-existing installation.
trap cleanup ERR
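parse_args() {
  # Parse command-line options into the EMAIL_FROM, EMAIL_TO and SMTP_SERVER
  # globals. --help prints usage and exits; an unknown option is fatal.
  # Each value-taking option checks that its value is present: under `set -u`
  # a bare "--email-to" at the end of the line used to die with an
  # unbound-variable error instead of a readable message.
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --email-from)
        [[ $# -ge 2 ]] || error "Option $1 requires an argument"
        EMAIL_FROM=$2
        shift 2
        ;;
      --email-to)
        [[ $# -ge 2 ]] || error "Option $1 requires an argument"
        EMAIL_TO=$2
        shift 2
        ;;
      --smtp-server)
        [[ $# -ge 2 ]] || error "Option $1 requires an argument"
        SMTP_SERVER=$2
        shift 2
        ;;
      --help)
        usage
        ;;
      *)
        error "Unknown option: $1"
        ;;
    esac
  done
}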
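detect_distro() {
  # Pick the package manager and mail package for this distribution and
  # publish the choice through the PKG_MGR, PKG_INSTALL, PKG_UPDATE and
  # MAIL_UTIL globals. Exits via error on an unknown or undetectable distro.
  # The os-release path can be overridden with OS_RELEASE_FILE (for testing).
  local release_file=${OS_RELEASE_FILE:-/etc/os-release}
  local distro_id
  if [ ! -f "$release_file" ]; then
    error "Cannot detect distribution. /etc/os-release not found."
  fi
  # Read ID in a subshell: os-release also defines NAME, VERSION, HOME_URL and
  # friends, and sourcing it in the main shell would clobber any script
  # variable of the same name. "${ID:-}" keeps `set -u` happy if ID is absent.
  distro_id=$( . "$release_file" >/dev/null 2>&1; printf '%s' "${ID:-}" )
  case "$distro_id" in
    ubuntu|debian)
      PKG_MGR="apt"
      PKG_INSTALL="apt install -y"
      # Two commands joined with &&; update_system runs this through eval.
      PKG_UPDATE="apt update && apt upgrade -y"
      MAIL_UTIL="mailutils"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      PKG_INSTALL="dnf install -y"
      PKG_UPDATE="dnf update -y"
      MAIL_UTIL="mailx"
      ;;
    amzn)
      PKG_MGR="yum"
      PKG_INSTALL="yum install -y"
      PKG_UPDATE="yum update -y"
      MAIL_UTIL="mailx"
      ;;
    *)
      error "Unsupported distribution: $distro_id"
      ;;
  esac
}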
check_prerequisites() {
  # Abort early unless running as root, both e-mail addresses were supplied,
  # and the tools used by later steps are on PATH.
  # NOTE(review): gcc, make and wget are among the packages install_dependencies
  # installs *after* this check, so on a minimal image the check fails before
  # the script gets a chance to install them.
  [[ $EUID -eq 0 ]] || error "This script must be run as root"
  if [[ -z "$EMAIL_FROM" || -z "$EMAIL_TO" ]]; then
    error "Email configuration required. Use --email-from and --email-to options"
  fi
  local tool
  for tool in wget tar gcc make; do
    command -v "$tool" >/dev/null 2>&1 || error "Required command not found: $tool"
  done
}
update_system() {
  # Step 1: refresh and upgrade the distribution packages.
  # PKG_UPDATE is a shell snippet chosen by detect_distro (the apt variant
  # chains two commands with &&), which is why it goes through eval instead of
  # plain word-splitting. It is a script constant, never user input.
  log "[1/10] Updating system packages..."
  eval "$PKG_UPDATE"
}
install_dependencies() {
  # Step 2: build toolchain, libraries, Postfix and the mail client chosen by
  # detect_distro. Debian-family and RPM-family package names differ.
  log "[2/10] Installing dependencies..."
  local -a packages
  case "$PKG_MGR" in
    apt)
      packages=(build-essential gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget curl postfix "$MAIL_UTIL")
      ;;
    *)
      packages=(gcc gcc-c++ make libevent-devel zlib-devel openssl-devel pcre2-devel wget curl postfix "$MAIL_UTIL")
      ;;
  esac
  # shellcheck disable=SC2086 -- PKG_INSTALL holds "<tool> install -y" and must word-split
  $PKG_INSTALL "${packages[@]}"
}
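create_users() {
  # Step 3: create the ossec group and the three unprivileged service accounts
  # (ossec, ossecm, ossecr) with no login shell and INSTALL_DIR as their home
  # (no home directory is created: useradd is called without -m).
  # Idempotent: an existing group or account is left untouched.
  # Expansions are quoted (the original passed $INSTALL_DIR and $user bare).
  log "[3/10] Creating OSSEC system users..."
  getent group ossec >/dev/null 2>&1 || groupadd ossec
  local account
  for account in ossec ossecm ossecr; do
    if ! id "$account" >/dev/null 2>&1; then
      useradd -d "$INSTALL_DIR" -s /bin/false -g ossec "$account"
    fi
  done
}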
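download_ossec() {
  # Step 4: fetch the OSSEC source tarball and leave the shell inside the
  # extracted tree (install_ossec runs ./install.sh from the current directory).
  #
  # The archive is always downloaded into a fresh, private mktemp directory.
  # The original reused a fixed /tmp/<version>.tar.gz if one existed: /tmp is
  # world-writable, so a file planted there by any local user would have been
  # built and installed as root without ever being fetched. Set OSSEC_SHA256 to
  # the expected digest of the archive to have the download verified; without
  # it the script only warns that it was not.
  log "[4/10] Downloading OSSEC HIDS..."
  local work_dir archive
  work_dir=$(mktemp -d) || error "Unable to create a temporary directory"
  archive="${work_dir}/${OSSEC_VERSION}.tar.gz"
  wget -O "$archive" "https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz"
  if [ -n "${OSSEC_SHA256:-}" ]; then
    printf '%s  %s\n' "$OSSEC_SHA256" "$archive" | sha256sum -c - >/dev/null \
      || error "Checksum mismatch for ${archive}"
  else
    warn "OSSEC_SHA256 not set; the downloaded archive was not verified"
  fi
  cd "$work_dir"
  tar -xzf "$archive"
  # GitHub archives unpack to <repo>-<tag>/.
  cd "ossec-hids-${OSSEC_VERSION}"
}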
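install_ossec() {
  # Step 5: drive the interactive installer non-interactively from the
  # directory download_ossec left us in.
  # The answers are fed straight from a here-document instead of being written
  # to a fixed path in world-writable /tmp first: a file or symlink pre-created
  # there by another user would have been followed and overwritten as root.
  # The here-document is unquoted on purpose so the ${...} values expand.
  # NOTE(review): the answer order must match install.sh's prompt sequence for
  # this OSSEC version; the stock installer is believed to ask for a language
  # and an ENTER-to-continue before the installation type, which this answer
  # list does not provide. Confirm against install.sh before relying on this
  # unattended.
  log "[5/10] Installing OSSEC server..."
  ./install.sh <<EOF
server
${INSTALL_DIR}
y
${SMTP_SERVER}
${EMAIL_FROM}
${EMAIL_TO}
y
n
EOF
}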
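configure_ossec() {
  # Step 6: replace the installer-generated ossec.conf with the script's own
  # server configuration (e-mail, rule set, agent listener, log sources,
  # syscheck/rootcheck, active response). The here-document is unquoted on
  # purpose so that ${INSTALL_DIR}, ${SMTP_SERVER}, ${EMAIL_FROM} and
  # ${EMAIL_TO} expand; the ca_store path now follows INSTALL_DIR too instead
  # of a hard-coded /var/ossec.
  #
  # NOTE(review): <remote> carries no <allowed-ips>, so agent traffic is
  # accepted from any source address; restrict it to the agent networks where
  # they are known.
  # NOTE(review): <ca_store>/<ca_verification> under <active-response> look
  # like Wazuh options rather than OSSEC 3.x ones; confirm the OSSEC parser
  # accepts them, since an unrecognised element can stop the daemons starting.
  # NOTE(review): /var/log/messages and /var/log/secure are RHEL-family paths,
  # /var/log/auth.log a Debian one; one set will be absent on any given host.
  log "[6/10] Configuring OSSEC settings..."
  cat > "${INSTALL_DIR}/etc/ossec.conf" <<EOF
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>${SMTP_SERVER}</smtp_server>
    <email_from>${EMAIL_FROM}</email_from>
    <email_to>${EMAIL_TO}</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>600</agents_disconnection_time>
    <agents_disconnection_alert_time>1800</agents_disconnection_alert_time>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>web_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <frequency>36000</frequency>
  </rootcheck>
  <active-response>
    <disabled>no</disabled>
    <ca_store>${INSTALL_DIR}/etc/wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>
</ossec_config>
EOF
  # Readable by the ossec group (the daemons), not by other users.
  chown root:ossec "${INSTALL_DIR}/etc/ossec.conf"
  chmod 640 "${INSTALL_DIR}/etc/ossec.conf"
}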
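setup_service() {
  # Step 7: install a systemd unit for OSSEC (if missing), enable it, and start
  # the daemons *through* systemd.
  #
  # The original started the daemons with ossec-control directly and never
  # started the unit, so `systemctl is-active ossec` (used by
  # verify_installation) reported inactive even while OSSEC was running, and
  # the install failed at the verification step.
  #
  # Type=oneshot with RemainAfterExit=yes suits a control script that forks
  # several daemons: the unit counts as active once `ossec-control start`
  # returns, with no dependence on the single PIDFile the original unit named
  # (the OSSEC daemons do not appear to write one under that name; confirm).
  log "[7/10] Setting up OSSEC service..."
  local unit=/etc/systemd/system/ossec.service
  if [ ! -f "$unit" ]; then
    cat > "$unit" <<EOF
[Unit]
Description=OSSEC HIDS
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=${INSTALL_DIR}/bin/ossec-control start
ExecStop=${INSTALL_DIR}/bin/ossec-control stop
ExecReload=${INSTALL_DIR}/bin/ossec-control restart

[Install]
WantedBy=multi-user.target
EOF
  fi
  systemctl daemon-reload
  systemctl enable ossec
  systemctl start ossec
}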
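configure_firewall() {
  # Step 8: open the agent port (1514/udp) with whichever front end is present:
  # ufw, firewalld, or raw iptables.
  # NOTE(review): every variant admits any source. Where the agent networks are
  # known, restrict the rule, e.g. `ufw allow from <AGENT_CIDR> to any port 1514
  # proto udp` or an iptables rule with `-s <AGENT_CIDR>`.
  log "[8/10] Configuring firewall..."
  if command -v ufw >/dev/null 2>&1; then
    ufw allow 1514/udp comment "OSSEC Agent Communication"
  elif command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --permanent --add-port=1514/udp
    firewall-cmd --reload
  elif command -v iptables >/dev/null 2>&1; then
    iptables -A INPUT -p udp --dport 1514 -j ACCEPT
    # Persist the rule only where the distribution's save location exists.
    # Under `set -e`, redirecting into a missing directory (e.g. no
    # iptables-persistent on Debian) would otherwise abort the whole install
    # at this late stage.
    local rules_file
    if [ "$PKG_MGR" = "apt" ]; then
      rules_file=/etc/iptables/rules.v4
    else
      rules_file=/etc/sysconfig/iptables
    fi
    if [ -d "${rules_file%/*}" ]; then
      iptables-save > "$rules_file"
    else
      warn "${rules_file%/*} does not exist; the iptables rule for 1514/udp was not persisted"
    fi
  fi
}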
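setup_permissions() {
  # Step 9: tighten ownership and modes of the programs and configuration.
  #
  # The original applied `chown -R root:ossec` and `chmod -R 750` to the whole
  # tree. That strips group write from ${INSTALL_DIR}/logs and queue, which
  # the unprivileged ossec/ossecm/ossecr daemons (already started in step 7)
  # must write to, so alerts and the daemon log would stop being written after
  # the next restart. The installer's own layout for those directories is
  # therefore left alone; only bin/ and etc/ are adjusted here.
  log "[9/10] Setting up proper permissions..."
  # Programs stay root-owned so the service accounts cannot replace what
  # ossec-control (run as root) executes; group ossec may read and run them.
  chown root:ossec "$INSTALL_DIR/bin"/*
  chmod 755 "$INSTALL_DIR/bin"/*
  chown root:ossec "$INSTALL_DIR/etc"/*.conf
  chmod 644 "$INSTALL_DIR/etc"/*.conf
  # The main config carries the mail addresses and listener settings; keep it
  # readable by the daemons' group only.
  chmod 640 "$INSTALL_DIR/etc/ossec.conf"
}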
verify_installation() {
  # Step 10: confirm the unit is active, the daemon log exists and
  # ossec-monitord reports as running, then print where things live.
  # Each check is fatal through error().
  log "[10/10] Verifying installation..."
  systemctl is-active --quiet ossec || error "OSSEC service is not running"
  [ -f "${INSTALL_DIR}/logs/ossec.log" ] || error "OSSEC log file not found"
  # Kept as a pipeline: with pipefail a non-zero ossec-control status also
  # counts as "not running", as in the original.
  if ! "${INSTALL_DIR}/bin/ossec-control" status | grep -q "ossec-monitord is running"; then
    error "OSSEC monitor daemon is not running"
  fi
  local line
  for line in \
    "OSSEC HIDS installation completed successfully!" \
    "Configuration file: ${INSTALL_DIR}/etc/ossec.conf" \
    "Log files: ${INSTALL_DIR}/logs/" \
    "Control script: ${INSTALL_DIR}/bin/ossec-control" \
    "Add agents with: ${INSTALL_DIR}/bin/manage_agents"; do
    log "$line"
  done
}
main() {
  # Entry point: parse the command line, then run the installation steps in
  # order. Every step is fatal on error (error() exits; unexpected command
  # failures trip `set -e`).
  parse_args "$@"
  local step
  for step in \
    detect_distro check_prerequisites update_system install_dependencies \
    create_users download_ossec install_ossec configure_ossec \
    setup_service configure_firewall setup_permissions verify_installation; do
    "$step"
  done
}
# Run everything. All top-level logic lives in main() so the step functions,
# the strict-mode options and the ERR trap above are in place before use.
main "$@"
Review the script before running it. It must be run as root and refuses to proceed without both e-mail addresses, so invoke it as: sudo bash install.sh --email-from EMAIL --email-to EMAIL