Set up OSSEC HIDS with Splunk Universal Forwarder to centralize security events, create monitoring dashboards, and enable real-time threat correlation across your infrastructure.
Prerequisites
- Root access to server
- Splunk account for downloading Universal Forwarder
- Splunk indexer server accessible from monitored host
- Minimum 4GB RAM and 20GB disk space
What this solves
This integration sends OSSEC security alerts and logs to Splunk for centralized analysis, correlation, and visualization. You get unified security monitoring across multiple servers with advanced search capabilities and automated alerting.
Step-by-step installation
Update system packages
Start by updating your package manager to ensure you have the latest security patches.
sudo apt update && sudo apt upgrade -y
Install OSSEC HIDS dependencies
Install the required build tools and libraries for OSSEC compilation.
sudo apt install -y build-essential gcc make wget curl zlib1g-dev libpcre2-dev libevent-dev libssl-dev
Download and compile OSSEC
Download the latest OSSEC release and compile it for your system.
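cd /opt
sudo wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
# Verify the archive against a digest obtained out of band from the project
# before unpacking it; replace <EXPECTED_SHA256> (placeholder) with that value.
printf '%s  3.7.0.tar.gz\n' "<EXPECTED_SHA256>" | sha256sum -c -
sudo tar -xzf 3.7.0.tar.gz
# Quote the expansions and use the primary group: the user name is not
# always a valid group name, and whoami:whoami fails on such systems.
sudo chown -R "$(id -un):$(id -gn)" ossec-hids-3.7.0
cd ossec-hids-3.7.0
sudo ./install.sh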
During installation, configure OSSEC as a local installation when prompted. Accept default paths and enable email notifications.
Configure OSSEC for log output
Modify OSSEC configuration to enable JSON output and configure log locations for Splunk ingestion.
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<logall>yes</logall>
<logall_json>yes</logall_json>
<email_notification>yes</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>ossec@example.com</email_from>
<email_to>admin@example.com</email_to>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<disabled>no</disabled>
<frequency>7200</frequency>
<scan_on_start>yes</scan_on_start>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes">/boot</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>7200</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)[ \t]\([[:alnum:]]\+\)[ \t]\([[:alnum:]\.\/\:\\-]\+\)[ \t]\([[:alnum:]\.\/\:\\-]\+\)[ \t]\([[:alnum:]\-\/\.]\+\)[ \t]*\([[:alnum:]-\/\.]\+\)/\1 \2 \3 \4 \5 \6/' | sort</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<active-response>
<disabled>yes</disabled>
</active-response>
</ossec_config>
Start OSSEC service
Enable and start the OSSEC daemon to begin log collection and analysis.
sudo /var/ossec/bin/ossec-control start
# 'ossec' is not a unit shipped by the tarball install; enabling it only works
# once a systemd unit for OSSEC exists (the automated script on this page
# writes one to /etc/systemd/system/ossec.service).
sudo systemctl enable ossec
Download Splunk Universal Forwarder
Download the appropriate Splunk Universal Forwarder package for your Linux distribution.
cd /tmp
# Verify the package against the checksum Splunk publishes for this build
# before installing it; do not install an unverified download as root.
wget -O splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb "https://download.splunk.com/products/universalforwarder/releases/9.1.2/linux/splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb"
Install Splunk Universal Forwarder
Install the Splunk Universal Forwarder package on your system.
sudo dpkg -i splunkforwarder-9.1.2-b6b9c8185839-linux-2.6-amd64.deb
Configure Splunk Universal Forwarder
Start the forwarder and accept the license, then configure admin credentials.
sudo /opt/splunkforwarder/bin/splunk start --accept-license
sudo /opt/splunkforwarder/bin/splunk enable boot-start
Set admin password when prompted. Use a strong password for security.
Add forward server configuration
Configure the forwarder to send data to your Splunk indexer. Replace the IP address with your Splunk server.
sudo /opt/splunkforwarder/bin/splunk add forward-server 203.0.113.10:9997
Configure OSSEC log monitoring
Add OSSEC log files to the Splunk Universal Forwarder inputs configuration.
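# host defaults to the forwarder's own hostname. The previous
# "host_segment = 3" would instead take the third path segment of
# /var/ossec/logs/... -- the literal string "logs" -- as the host for every
# event, which destroys per-host correlation on the indexer.
[monitor:///var/ossec/logs/alerts/alerts.log]
disabled = false
index = ossec
sourcetype = ossec:alerts
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = false
index = ossec
sourcetype = ossec:alerts:json
[monitor:///var/ossec/logs/ossec.log]
disabled = false
index = ossec
sourcetype = ossec:log
[monitor:///var/ossec/logs/archives/archives.log]
disabled = false
index = ossec
sourcetype = ossec:archives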
Create OSSEC index on Splunk
Create the dedicated OSSEC index configuration for your Splunk deployment.
[ossec]
homePath = $SPLUNK_DB/ossec/db
coldPath = $SPLUNK_DB/ossec/colddb
thawedPath = $SPLUNK_DB/ossec/thaweddb
maxDataSize = auto_high_volume
maxHotBuckets = 10
maxWarmDBCount = 300
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotSpanSecs = 7776000
compressRawdata = true
repFactor = auto
Configure log rotation for OSSEC
Set up log rotation to prevent disk space issues with OSSEC logs.
/var/ossec/logs/*.log /var/ossec/logs/*/*.log {
daily
missingok
rotate 52
compress
notifempty
create 0660 ossec ossec
postrotate
/var/ossec/bin/ossec-control restart > /dev/null 2>&1 || true
endscript
}
Restart services
Restart both OSSEC and Splunk Universal Forwarder to apply the new configurations.
sudo /var/ossec/bin/ossec-control restart
sudo /opt/splunkforwarder/bin/splunk restart
Configure Splunk props and transforms
Configure field extraction and parsing for OSSEC data in Splunk.
[ossec:alerts]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r?\n)\*\* Alert ([0-9]+)
[ossec:alerts:json]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r?\n){"timestamp"
KV_MODE = json
TIME_PREFIX = "timestamp":"
TIME_FORMAT = %Y %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
[ossec:log]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r?\n)\d{4}/\d{2}/\d{2}\s\d{2}:\d{2}:\d{2}
TIME_PREFIX = ^\d{4}/\d{2}/\d{2}\s
TIME_FORMAT = %Y/%m/%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
[ossec:archives]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\r?\n)\d{4}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}
TIME_PREFIX = ^\d{4}\s\w{3}\s\d{2}\s
TIME_FORMAT = %Y %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
Set up Splunk dashboards and alerts
Create OSSEC security dashboard
Build a comprehensive dashboard for OSSEC security monitoring in Splunk. The field names used below (rule.description, rule.level, agent.name) must match the keys actually present in your alerts.json; check a sample event from your installation before building panels on them.
index=ossec sourcetype=ossec:alerts:json
| stats count by rule.description, rule.level
| sort -count
| head 20
Use this search to create panels showing top security alerts, rule distributions, and severity levels.
Configure real-time security alerts
Set up automated alerts for high-priority security events from OSSEC.
index=ossec sourcetype=ossec:alerts:json rule.level>=10
| eval severity=case(rule.level>=12,"Critical",rule.level>=10,"High",rule.level>=7,"Medium",1==1,"Low")
| table _time, agent.name, rule.description, rule.level, severity, full_log
Configure this as a real-time alert to trigger email or webhook notifications for critical security events.
Create file integrity monitoring dashboard
Monitor file system changes detected by OSSEC syscheck.
index=ossec sourcetype=ossec:alerts:json rule.groups="syscheck"
| eval change_type=case(match(rule.description,"added"),"File Added",match(rule.description,"modified"),"File Modified",match(rule.description,"deleted"),"File Deleted",1==1,"Other")
| stats count by change_type, syscheck.path, agent.name
| sort -count
Set up rootkit detection alerts
Configure alerts for rootkit detection and system anomalies.
index=ossec sourcetype=ossec:alerts:json rule.groups="rootcheck"
| table _time, agent.name, rule.description, title, full_log
| sort -_time
Create authentication monitoring dashboard
Monitor authentication events and potential brute force attacks.
index=ossec sourcetype=ossec:alerts:json (rule.groups="authentication_success" OR rule.groups="authentication_failed" OR rule.groups="authentication_failures")
| eval auth_result=case(match(rule.groups,"success"),"Success",match(rule.groups,"fail"),"Failed",1==1,"Other")
| stats count by auth_result, agent.name, srcip
| sort -count
Verify your setup
Test the integration by checking log flow and generating test alerts.
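# Check OSSEC status
sudo /var/ossec/bin/ossec-control status
# Check Splunk forwarder status
sudo /opt/splunkforwarder/bin/splunk status
# Test rule matching: ossec-logtest reads a log line from stdin and prints the
# decoder and rule it hits; it does not write to alerts.log / alerts.json
sudo /var/ossec/bin/ossec-logtest
# Verify log files are being written
sudo tail -f /var/ossec/logs/alerts/alerts.json
# Check Splunk connection
sudo /opt/splunkforwarder/bin/splunk list forward-server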
In Splunk, verify data ingestion:
index=ossec | head 10
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| No data in Splunk | Forwarder not connected | Check network connectivity and verify forward-server configuration |
| OSSEC alerts not generating | Configuration syntax error | Run sudo /var/ossec/bin/ossec-control status and check /var/ossec/logs/ossec.log |
| Permission denied on log files | Incorrect file ownership | Run sudo chown -R ossec:ossec /var/ossec/logs and chmod 755 /var/ossec/logs |
| Splunk index not created | Missing index configuration | Create index manually in Splunk web interface or restart Splunk services |
| JSON parsing errors | Malformed JSON in logs | Verify OSSEC JSON output format and check props.conf configuration |
| High disk usage | Logs not rotating | Verify logrotate configuration and run sudo logrotate -f /etc/logrotate.d/ossec |
Next steps
- Integrate OSSEC with fail2ban for automated threat blocking
- Set up OSSEC active response for automated threat mitigation
- Add ClamAV antivirus scanning to your security monitoring stack
- Enable SSL encryption and authentication for Splunk deployment
- Deploy OSSEC across multiple servers with centralized management
Running this in production?
Automated install script
Run this to automate the entire setup
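#!/usr/bin/env bash
set -euo pipefail
# OSSEC-Splunk Integration Installation Script
# Production-ready script for installing and configuring OSSEC with Splunk integration
#
# Must run as root. Options: -e EMAIL, -s SMTP, -h (see usage()).
# Color definitions (ANSI escape sequences as backslash text; the logging
# helpers expand them when printing)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color
# Global variables
readonly OSSEC_VERSION="3.7.0"   # GitHub release tag fetched by download_ossec
readonly OSSEC_USER="ossec"
readonly OSSEC_GROUP="ossec"     # group given ownership of ossec.conf
readonly OSSEC_DIR="/var/ossec"  # USER_DIR handed to the OSSEC installer
# Resolve the script's own directory. The assignment is separated from
# 'readonly' so a failing cd/dirname is not masked: readonly returns 0
# regardless of the command substitution's status, which would bypass set -e.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR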
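# Logging function: timestamped informational line on stderr.
# $1 - message. Printed through %s so backslashes in the message are left
# alone (echo -e would interpret them); the color constants go through %b,
# which turns their '\033' text into the escape byte.
log() {
  printf '%b[%s]%b %s\n' "${GREEN:-}" "$(date +'%Y-%m-%d %H:%M:%S')" "${NC:-}" "$1" >&2
}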
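# Error line on stderr. $1 - message, printed verbatim via %s.
error() {
  printf '%b[ERROR]%b %s\n' "${RED:-}" "${NC:-}" "$1" >&2
}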
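# Warning line on stderr. $1 - message, printed verbatim via %s.
warn() {
  printf '%b[WARNING]%b %s\n' "${YELLOW:-}" "${NC:-}" "$1" >&2
}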
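# Cleanup function for error handling. Intended to run from a trap: on a
# non-zero status it stops the service and removes the unpacked source and
# tarball under /opt, then exits with the original status.
cleanup() {
  # $? is expanded before 'local' runs, so this captures the triggering status.
  local exit_code=$?
  if [ "$exit_code" -ne 0 ]; then
    error "Installation failed. Cleaning up..."
    systemctl stop ossec 2>/dev/null || true
    # ${OSSEC_VERSION:?} aborts instead of expanding to a bare /opt path when the constant is unset.
    rm -rf -- "/opt/ossec-hids-${OSSEC_VERSION:?}" 2>/dev/null || true
    rm -f -- "/opt/${OSSEC_VERSION:?}.tar.gz" 2>/dev/null || true
  fi
  exit "$exit_code"
}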
trap cleanup ERR
# Print the command-line help to stdout.
usage() {
  printf '%s\n' \
    "Usage: $0 [OPTIONS]" \
    "Install and configure OSSEC with Splunk integration" \
    "OPTIONS:" \
    "-e EMAIL Email address for notifications (default: admin@localhost)" \
    "-s SMTP SMTP server (default: localhost)" \
    "-h Show this help message" \
    "Examples:" \
    "$0 -e admin@company.com -s mail.company.com" \
    "$0 -h"
}
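# Parse command line arguments
EMAIL="admin@localhost"
SMTP_SERVER="localhost"
# The leading ':' selects getopts' silent mode: a missing option argument is
# reported through the ':' arm below instead of a generic getopts message.
while getopts ":e:s:h" opt; do
  case "$opt" in
    e) EMAIL="$OPTARG" ;;
    s) SMTP_SERVER="$OPTARG" ;;
    h) usage; exit 0 ;;
    :) error "Option -$OPTARG requires an argument"; usage; exit 1 ;;
    \?) error "Invalid option: -$OPTARG"; usage; exit 1 ;;
  esac
done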
# Check if running as root (EUID is the effective uid maintained by bash)
if (( EUID != 0 )); then
  error "This script must be run as root"
  exit 1
fi
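# Detect distribution.
# Sets the globals PKG_MGR, PKG_INSTALL, PKG_UPDATE and BUILD_DEPS from the ID
# field of /etc/os-release. Exits 1 when the file is missing or the ID is not
# supported. PKG_INSTALL and PKG_UPDATE are expanded unquoted by their callers,
# so they must be plain argument lists: a shell operator such as '&&' inside the
# string is handed to the package manager as a literal argument, not executed.
detect_distro() {
  if [ ! -f /etc/os-release ]; then
    error "Cannot detect distribution. /etc/os-release not found."
    exit 1
  fi
  local distro_id
  # Source os-release in a subshell so only ID is taken and the rest of its
  # variables do not land in this script's global namespace.
  distro_id="$(. /etc/os-release && printf '%s' "${ID:-}")"
  case "$distro_id" in
    ubuntu|debian)
      PKG_MGR="apt"
      # apt-get is the stable scripting interface; apt warns when driven non-interactively
      PKG_INSTALL="apt-get install -y"
      # index refresh only: the former "apt update && apt upgrade -y" cannot be
      # run by word-splitting a string, the '&&' became an apt argument
      PKG_UPDATE="apt-get update"
      BUILD_DEPS="build-essential gcc make wget curl zlib1g-dev libpcre2-dev libevent-dev libssl-dev"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      PKG_INSTALL="dnf install -y"
      PKG_UPDATE="dnf update -y"
      BUILD_DEPS="gcc make wget curl zlib-devel pcre2-devel libevent-devel openssl-devel"
      ;;
    amzn)
      PKG_MGR="yum"
      PKG_INSTALL="yum install -y"
      PKG_UPDATE="yum update -y"
      BUILD_DEPS="gcc make wget curl zlib-devel pcre2-devel libevent-devel openssl-devel"
      ;;
    *)
      error "Unsupported distribution: ${distro_id:-unknown}"
      exit 1
      ;;
  esac
}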
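# Update system packages.
# Refreshes the package index and applies pending updates with the manager
# chosen by detect_distro. Dispatches on PKG_MGR instead of expanding
# PKG_UPDATE, because a command string containing '&&' cannot be executed by
# word-splitting it (the operator is passed to the tool as an argument).
# Returns 1 for an unknown PKG_MGR.
update_system() {
  log "[1/8] Updating system packages..."
  case "${PKG_MGR:?detect_distro must run first}" in
    apt)
      apt-get update
      apt-get upgrade -y
      ;;
    dnf|yum)
      "$PKG_MGR" update -y
      ;;
    *)
      error "Unsupported package manager: ${PKG_MGR}"
      return 1
      ;;
  esac
  log "System packages updated successfully"
}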
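# Install dependencies: the toolchain and libraries needed to build OSSEC.
# Requires PKG_INSTALL and BUILD_DEPS (set by detect_distro); aborts with a
# message if either is unset.
install_dependencies() {
  log "[2/8] Installing OSSEC dependencies..."
  : "${PKG_INSTALL:?detect_distro must run first}" "${BUILD_DEPS:?detect_distro must run first}"
  # Both variables are deliberately space-separated argument lists. Split them
  # explicitly into an array rather than relying on unquoted expansion.
  local -a install_cmd
  read -r -a install_cmd <<< "${PKG_INSTALL} ${BUILD_DEPS}"
  "${install_cmd[@]}"
  log "Dependencies installed successfully"
}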
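# Download and extract OSSEC.
# Fetches the release tarball for OSSEC_VERSION into /opt and unpacks it.
# If OSSEC_SHA256 is set in the environment, the tarball is checked against it
# before extraction; otherwise a warning is logged. No digest is hard-coded
# here because this page does not provide one - obtain it from the project.
# Returns 1 if /opt is not reachable or the checksum does not match.
download_ossec() {
  log "[3/8] Downloading OSSEC ${OSSEC_VERSION}..."
  local tarball="${OSSEC_VERSION}.tar.gz"
  local url="https://github.com/ossec/ossec-hids/archive/${tarball}"
  cd /opt || { error "Cannot change to /opt"; return 1; }
  wget -O "$tarball" "$url"
  if [ -n "${OSSEC_SHA256:-}" ]; then
    # sha256sum -c expects "<digest>  <file>" (two spaces)
    if ! printf '%s  %s\n' "$OSSEC_SHA256" "$tarball" | sha256sum -c -; then
      error "Checksum mismatch for ${tarball}; not extracting"
      return 1
    fi
  else
    warn "OSSEC_SHA256 not set; the downloaded tarball was not verified"
  fi
  tar -xzf "$tarball"
  chown -R root:root "ossec-hids-${OSSEC_VERSION}"
  log "OSSEC downloaded and extracted successfully"
}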
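# Install OSSEC with automated responses.
# Runs the OSSEC installer non-interactively by pre-seeding its answers.
# install.sh reads those answers from ./etc/preloaded-vars.conf inside the
# source tree; writing the file to the source root (as before) leaves the
# installer prompting interactively. Returns 1 on a bad source directory or
# on option values that would break the generated file.
install_ossec() {
  log "[4/8] Installing OSSEC..."
  cd "/opt/ossec-hids-${OSSEC_VERSION}" || { error "OSSEC source directory not found"; return 1; }
  # EMAIL/SMTP_SERVER end up inside double-quoted shell assignments that
  # install.sh sources, so reject characters that would terminate or expand
  # within those quotes.
  case "${EMAIL}${SMTP_SERVER}" in
    *[\"\$\`\\]*)
      error "EMAIL and SMTP server must not contain \" \$ \` or \\"
      return 1
      ;;
  esac
  # CA bundle location differs between Debian- and RHEL-family systems.
  local ca_store="/etc/ssl/certs/ca-certificates.crt"
  [ -f "$ca_store" ] || ca_store="/etc/pki/tls/certs/ca-bundle.crt"
  # Create automated install configuration.
  # USER_DELETE_DIR="y" removes an existing ${OSSEC_DIR}: re-running this
  # script on a host that already has OSSEC discards that installation.
  cat > etc/preloaded-vars.conf << EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="${OSSEC_DIR}"
USER_DELETE_DIR="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_UPDATE="n"
USER_AGENT_SERVER_IP=""
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="${EMAIL}"
USER_EMAIL_SMTP="${SMTP_SERVER}"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST=""
USER_CA_STORE="${ca_store}"
EOF
  ./install.sh
  log "OSSEC installed successfully"
}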
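# Configure OSSEC for Splunk integration.
# Replaces ${OSSEC_DIR}/etc/ossec.conf with a configuration that enables JSON
# alert output (alerts.json is what the forwarder monitors), keeps the first
# backup of the installer's copy, and restricts the file to root:OSSEC_GROUP.
# Returns 1 if EMAIL or SMTP_SERVER contain XML-special characters.
configure_ossec() {
  log "[5/8] Configuring OSSEC for Splunk integration..."
  local conf="${OSSEC_DIR}/etc/ossec.conf"
  # Both values are interpolated into XML text below; an '&' or '<' would
  # produce a file ossec refuses to parse.
  case "${EMAIL}${SMTP_SERVER}" in
    *[\<\>\&\"\']*)
      error "EMAIL and SMTP server must not contain < > & \" or '"
      return 1
      ;;
  esac
  # Backup original configuration - only once, so a re-run does not overwrite
  # the pristine copy with an already-modified file.
  if [ ! -f "${conf}.backup" ]; then
    cp -- "$conf" "${conf}.backup"
  fi
  local host_name
  host_name="$(hostname)"
  # CA bundle location differs between Debian- and RHEL-family systems.
  local ca_store="/etc/ssl/certs/ca-certificates.crt"
  [ -f "$ca_store" ] || ca_store="/etc/pki/tls/certs/ca-bundle.crt"
  # Create new configuration with JSON output
  cat > "$conf" << EOF
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<logall>yes</logall>
<logall_json>yes</logall_json>
<email_notification>yes</email_notification>
<smtp_server>${SMTP_SERVER}</smtp_server>
<email_from>ossec@${host_name}</email_from>
<email_to>${EMAIL}</email_to>
<white_list>127.0.0.1</white_list>
<white_list>::1</white_list>
<white_list>localhost.localdomain</white_list>
<white_list>${host_name}</white_list>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<syscheck>
<disabled>no</disabled>
<frequency>79200</frequency>
<scan_on_start>yes</scan_on_start>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<directories check_all="yes">/usr/local/bin,/usr/local/sbin</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
</rootcheck>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>
<active-response>
<disabled>no</disabled>
<ca_store>${ca_store}</ca_store>
</active-response>
</ossec_config>
EOF
  # Set proper permissions: the file carries mail relay details and the
  # monitoring policy, so keep it unreadable to other users.
  chmod 640 "$conf"
  chown "root:${OSSEC_GROUP}" "$conf"
  log "OSSEC configuration updated for Splunk integration"
}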
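# Configure systemd service.
# Writes /etc/systemd/system/ossec.service, which drives OSSEC through
# ossec-control, then reloads systemd and enables the unit.
configure_service() {
  log "[6/8] Configuring OSSEC systemd service..."
  # ossec-control start launches the OSSEC daemons and then returns, so the
  # unit must be Type=forking. With Type=simple systemd treats the exiting
  # control script as the service and marks the unit inactive, which makes
  # 'systemctl is-active ossec' (used by verify_installation) fail.
  cat > /etc/systemd/system/ossec.service << EOF
[Unit]
Description=OSSEC HIDS
After=network.target
[Service]
Type=forking
User=root
Group=root
ExecStart=${OSSEC_DIR}/bin/ossec-control start
ExecStop=${OSSEC_DIR}/bin/ossec-control stop
ExecReload=${OSSEC_DIR}/bin/ossec-control restart
# NOTE(review): confirm ossec-control actually writes this file; drop the line if it does not
PIDFile=${OSSEC_DIR}/var/run/.daemon_pid
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable ossec
  log "OSSEC service configured and enabled"
}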
# Start services: bring up the OSSEC unit and pause briefly so the daemons
# are up before verification runs.
start_services() {
  local -r settle_secs=5
  log "[7/8] Starting OSSEC service..."
  systemctl start ossec
  sleep "$settle_secs"
  log "OSSEC service started successfully"
}
# Verify installation.
# Checks, in order: the unit is active, alerts.json exists (absence is only a
# warning), and OSSEC_DIR exists and is owned by the invoking user.
# Returns 1 on the first hard failure, 0 otherwise.
verify_installation() {
  log "[8/8] Verifying OSSEC installation..."
  if ! systemctl is-active --quiet ossec; then
    error "✗ OSSEC service is not running"
    return 1
  fi
  log "✓ OSSEC service is running"
  # JSON alerts appear only after the first alert, so a missing file is not fatal
  if [[ -f "${OSSEC_DIR}/logs/alerts/alerts.json" ]]; then
    log "✓ JSON alerts file exists"
  else
    warn "JSON alerts file not yet created (this is normal for new installations)"
  fi
  # -O: owned by the effective user of this script (root)
  if [[ ! -d "${OSSEC_DIR}" || ! -O "${OSSEC_DIR}" ]]; then
    error "✗ OSSEC directory structure issue"
    return 1
  fi
  log "✓ OSSEC directory structure is correct"
  log "OSSEC installation verification completed successfully"
}
# Main installation function
main() {
log "Starting OSSEC-Splunk
Review the script before running. Execute with: bash install.sh