Deploy and manage OSSEC Host-based Intrusion Detection System (HIDS) across multiple servers with centralized monitoring, automated agent configuration, and real-time security event processing for enterprise-scale infrastructure protection.
Prerequisites
- Root or sudo access on all target servers
- Network connectivity between OSSEC server and agents
- SSH key authentication configured
- Email server for alert notifications
- Firewall configured to allow UDP port 1514
What this solves
OSSEC provides real-time security monitoring, log analysis, and intrusion detection across distributed infrastructure. This tutorial establishes a centralized OSSEC server that manages multiple agents, automates deployment processes, and provides unified security monitoring for your entire server fleet.
Step-by-step installation
Update system packages and install dependencies
Update your package manager and install required build dependencies for OSSEC compilation.
# Refresh the package index and apply pending upgrades before building
sudo apt update && sudo apt upgrade -y
# Toolchain plus the development headers OSSEC links against
sudo apt install -y \
  build-essential gcc make \
  libevent-dev zlib1g-dev libssl-dev libpcre2-dev \
  wget
Download and extract OSSEC source
Download the OSSEC 3.7.0 release archive and extract it to prepare for installation.
# Build out of /tmp; the archive and source tree are only needed during the build
cd /tmp
# NOTE(review): the archive is used as downloaded — compare it against the
# checksum/signature published for the release before building it.
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -xz -f 3.7.0.tar.gz
cd ossec-hids-3.7.0
Install OSSEC server
Run the installation script with server configuration to enable centralized management capabilities.
sudo ./install.sh
During installation, select these options:
- Installation type: server
- Installation directory: /var/ossec (default)
- Email notification: y and provide admin email
- SMTP server: provide your mail server or localhost
- Enable firewall response: y
- Enable system integrity check: y
- Enable rootkit detection: y
- Enable active response: y
Configure OSSEC server settings
Customize the main OSSEC configuration (/var/ossec/etc/ossec.conf) for centralized management and security monitoring. The listing below shows only the element values; the complete ossec.conf, including its XML tags, is written by the automated install script at the end of this page.
yes
localhost
ossec@example.com
admin@example.com
10
127.0.0.1
192.168.1.0/24
rules_config.xml
pam_rules.xml
sshd_rules.xml
telnetd_rules.xml
syslog_rules.xml
arpwatch_rules.xml
symantec-av_rules.xml
symantec-ws_rules.xml
pix_rules.xml
named_rules.xml
smbd_rules.xml
vsftpd_rules.xml
pure-ftpd_rules.xml
proftpd_rules.xml
ms_ftpd_rules.xml
ftpd_rules.xml
hordeimp_rules.xml
roundcube_rules.xml
wordpress_rules.xml
cimserver_rules.xml
vpopmail_rules.xml
vmpop3d_rules.xml
courier_rules.xml
web_rules.xml
web_appsec_rules.xml
apache_rules.xml
nginx_rules.xml
php_rules.xml
mysql_rules.xml
postgresql_rules.xml
ids_rules.xml
squid_rules.xml
firewall_rules.xml
cisco-ios_rules.xml
netscreenfw_rules.xml
sonicwall_rules.xml
postfix_rules.xml
sendmail_rules.xml
imapd_rules.xml
mailscanner_rules.xml
dovecot_rules.xml
ms-exchange_rules.xml
racoon_rules.xml
vpn_concentrator_rules.xml
spamd_rules.xml
msauth_rules.xml
mcafee_av_rules.xml
trend-osce_rules.xml
ms-se_rules.xml
zeus_rules.xml
solaris_bsm_rules.xml
vmware_rules.xml
ms_dhcp_rules.xml
asterisk_rules.xml
ossec_rules.xml
attack_rules.xml
local_rules.xml
7200
/etc,/usr/bin,/usr/sbin
/bin,/sbin
/etc/mtab
/etc/hosts.deny
/etc/mail/statistics
/etc/random-seed
/etc/adjtime
/etc/httpd/logs
no
yes
yes
yes
yes
yes
yes
yes
yes
7200
secure
1514
udp
192.168.1.0/24
1
7
host-deny
host-deny.sh
srcip
yes
firewall-drop
firewall-drop.sh
srcip
yes
no
host-deny
local
5720
600
no
firewall-drop
local
5720
600
syslog
/var/log/messages
syslog
/var/log/secure
syslog
/var/log/maillog
apache
/var/log/httpd/access_log
apache
/var/log/httpd/error_log
Configure firewall for OSSEC communication
Open the required port for agent-server communication and configure firewall rules.
# Agents reach the server on UDP/1514; the comment labels the rule in ufw's listing
sudo ufw allow 1514/udp comment 'OSSEC agent communication'
# Re-apply the rule set so the new rule is live
sudo ufw reload
Start and enable OSSEC server
Start the OSSEC server and configure it to start automatically on boot.
# Start the OSSEC daemons with OSSEC's own control script
sudo /var/ossec/bin/ossec-control start
# Requires a systemd unit named "ossec"; nothing above creates one, so this
# step fails until /etc/systemd/system/ossec.service exists (the automated
# install script at the end of this page writes it).
sudo systemctl enable ossec
Create agent deployment automation script
Create a script to automate OSSEC agent installation and key management across multiple hosts.
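#!/bin/bash
# OSSEC Agent Deployment Script
# Usage: ./deploy-ossec-agent.sh <agent_name> <agent_ip> <ssh_user>
#
# Run on the OSSEC server. Registers the agent, extracts its key, ships a
# self-contained installer to the target host over SSH (the key travels on
# the SSH channel's stdin, never inside a file) and checks that the new agent
# reports in.
set -euo pipefail

# Configuration
OSSEC_SERVER="203.0.113.10" # Replace with your OSSEC server IP
OSSEC_VERSION="3.7.0"
SSH_KEY="/root/.ssh/id_rsa" # Path to SSH private key
OSSEC_DIR="/var/ossec"

# Validate arguments
if [ $# -ne 3 ]; then
  echo "Usage: $0 <agent_name> <agent_ip> <ssh_user>" >&2
  echo "Example: $0 web01 203.0.113.20 root" >&2
  exit 1
fi
AGENT_NAME="$1"
AGENT_IP="$2"
SSH_USER="$3"

# Build the remote installer in a private temp file (mktemp creates it 0600)
# and remove it on every exit path, including failures.
INSTALL_SCRIPT=$(mktemp /tmp/install-ossec-agent.XXXXXX)
cleanup() { rm -f -- "$INSTALL_SCRIPT"; }
trap cleanup EXIT

echo "[INFO] Deploying OSSEC agent to $AGENT_NAME ($AGENT_IP)"

# Step 1: Generate agent key on server
echo "[INFO] Generating agent key on OSSEC server"
# -a takes the agent IP and -n its name; the piped "y" answers the
# confirmation prompt if this build asks one.
printf 'y\n' | sudo "$OSSEC_DIR/bin/manage_agents" -a "$AGENT_IP" -n "$AGENT_NAME"

# manage_agents -e works on the numeric agent ID, not the name, so resolve the
# ID from the listing. NOTE(review): assumes `manage_agents -l` prints one
# "ID: 001, Name: <name>, IP: <ip>" line per agent — confirm on your build.
AGENT_ID=$(sudo "$OSSEC_DIR/bin/manage_agents" -l \
  | awk -v wanted="$AGENT_NAME" '
      /ID: [0-9]+, Name: / {
        id = $0;   sub(/.*ID: /, "", id);     sub(/,.*/, "", id)
        name = $0; sub(/.*Name: /, "", name); sub(/,.*/, "", name)
        if (name == wanted) last = id
      }
      END { if (last != "") print last }' || true)
if [ -z "$AGENT_ID" ]; then
  echo "[ERROR] Agent $AGENT_NAME was not registered on the server" >&2
  exit 1
fi

# Extract the generated key; -e prints a header line first, the key is the
# last line of its output.
AGENT_KEY=$(sudo "$OSSEC_DIR/bin/manage_agents" -e "$AGENT_ID" | tail -n 1)
if [ -z "$AGENT_KEY" ]; then
  echo "[ERROR] Failed to generate or extract agent key" >&2
  exit 1
fi
echo "[INFO] Generated key for agent $AGENT_NAME (ID $AGENT_ID)"

# ossec-remoted reads client.keys at start-up, so the server must restart
# before the agent tries to connect — restarting only after the connectivity
# check would make the first check fail every time.
echo "[INFO] Restarting OSSEC server to load the new agent key"
sudo "$OSSEC_DIR/bin/ossec-control" restart

# Step 2: Build the agent installation script (placeholders are filled below)
cat > "$INSTALL_SCRIPT" << 'AGENT_SCRIPT'
#!/bin/bash
set -euo pipefail
SERVER_IP="SERVER_IP_PLACEHOLDER"
OSSEC_VERSION="OSSEC_VERSION_PLACEHOLDER"

# The agent key arrives on stdin from the deployment script, so it is never
# written to a file on this host.
IFS= read -r AGENT_KEY
if [ -z "$AGENT_KEY" ]; then
  echo "[ERROR] No agent key received on stdin" >&2
  exit 1
fi

# Detect distribution
if command -v apt-get >/dev/null 2>&1; then
  DISTRO="debian"
  sudo apt update
  sudo apt install -y build-essential gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget
elif command -v dnf >/dev/null 2>&1; then
  DISTRO="rhel"
  sudo dnf update -y
  sudo dnf groupinstall -y "Development Tools"
  sudo dnf install -y libevent-devel zlib-devel openssl-devel pcre2-devel wget
else
  echo "[ERROR] Unsupported distribution" >&2
  exit 1
fi

# Download and compile OSSEC agent in a private work directory
# NOTE(review): the tarball is not integrity-checked; pin the checksum
# published for the release before relying on this in production.
WORK_DIR=$(mktemp -d)
trap 'rm -rf -- "$WORK_DIR"' EXIT
cd "$WORK_DIR"
wget -q "https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz"
tar -xzf "${OSSEC_VERSION}.tar.gz"
cd "ossec-hids-${OSSEC_VERSION}"

# Automated installation responses
ANSWERS="$WORK_DIR/ossec-answers"
cat > "$ANSWERS" << EOF
en
agent
/var/ossec
${SERVER_IP}
y
y
y
y
EOF

# Install OSSEC agent
sudo ./install.sh < "$ANSWERS"

# Import agent key; the piped "y" answers the confirmation prompt
printf 'y\n' | sudo /var/ossec/bin/manage_agents -i "$AGENT_KEY"

# Make sure the agent points at the server even if install.sh kept a default
sudo sed -i "s|<server-ip>.*</server-ip>|<server-ip>${SERVER_IP}</server-ip>|" /var/ossec/etc/ossec.conf

# Start OSSEC agent
sudo /var/ossec/bin/ossec-control start

# Enable on boot (best effort: fails harmlessly when no unit/init script exists)
if [ "$DISTRO" = "debian" ]; then
  sudo systemctl enable ossec || true
else
  sudo chkconfig ossec on || true
fi
echo "[INFO] OSSEC agent installation completed"
AGENT_SCRIPT

# Replace placeholders (server IP and version are not secrets; the key is
# passed on stdin instead of being baked into the file)
sed -i -e "s|SERVER_IP_PLACEHOLDER|$OSSEC_SERVER|g" \
       -e "s|OSSEC_VERSION_PLACEHOLDER|$OSSEC_VERSION|g" "$INSTALL_SCRIPT"

# Step 3: Copy and execute installation script on remote host
# accept-new (OpenSSH >= 7.6) still trusts the first contact but refuses a
# changed host key; pre-populate known_hosts for a fully verified channel.
SSH_OPTS=(-i "$SSH_KEY" -o StrictHostKeyChecking=accept-new)
REMOTE_SCRIPT="/tmp/install-ossec-agent.sh"
echo "[INFO] Copying installation script to $AGENT_IP"
scp "${SSH_OPTS[@]}" "$INSTALL_SCRIPT" "$SSH_USER@$AGENT_IP:$REMOTE_SCRIPT"
echo "[INFO] Executing installation on remote host"
printf '%s\n' "$AGENT_KEY" \
  | ssh "${SSH_OPTS[@]}" "$SSH_USER@$AGENT_IP" \
      "bash $REMOTE_SCRIPT && rm -f $REMOTE_SCRIPT"

# Step 4: Verify agent connection
echo "[INFO] Waiting for agent connection..."
sleep 10
# list_agents -c lists the agents currently connected to this server
if sudo "$OSSEC_DIR/bin/list_agents" -c | grep -qF -- "$AGENT_NAME"; then
  echo "[SUCCESS] Agent $AGENT_NAME deployed and connected successfully"
else
  echo "[WARNING] Agent may not be connected yet. Check logs with: sudo tail -f $OSSEC_DIR/logs/ossec.log"
fi

echo "[INFO] Deployment completed for agent $AGENT_NAME"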
Make deployment script executable and configure SSH
Save the deployment script above as /usr/local/bin/deploy-ossec-agent.sh, set its permissions, and configure SSH key authentication for the target hosts.
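# Make the saved deployment script executable (it contains no secrets)
sudo chmod 755 /usr/local/bin/deploy-ossec-agent.sh

# Generate SSH key if not exists
# Test as root: an unprivileged [ -f ] cannot see into /root/.ssh and would
# wrongly report the key as missing. The key has no passphrase because the
# deployment script runs unattended; rely on the 0600 mode ssh-keygen sets.
if ! sudo test -f /root/.ssh/id_rsa; then
  sudo mkdir -p -m 700 /root/.ssh
  sudo ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N ""
fi

# Display public key for distribution to target hosts
echo "Copy this public key to target servers:"
sudo cat /root/.ssh/id_rsa.pub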
Add the printed public key to the ~/.ssh/authorized_keys file on each target server you want to deploy agents to.
Create centralized management script
Create a script to manage multiple agents from the central server.
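#!/bin/bash
# OSSEC Agent Management Script
# Usage: ./manage-ossec-agents.sh <action> [agent_name]
# Actions: list, status, restart-all, remove, logs, stats
#
# Thin wrapper around the OSSEC binaries for day-to-day agent administration
# on the server.
set -euo pipefail

OSSEC_DIR="/var/ossec"
ACTION="${1:-}"
AGENT_NAME="${2:-}"

# Print the help text to stdout.
usage() {
  cat <<EOF
OSSEC Agent Management
Usage: $0 <action> [agent_name]

Actions:
 list - List all registered agents
 status - Show server status and recent alerts
 restart-all - Restart OSSEC server
 remove <agent_name> - Remove an agent
 logs - Follow server logs (Ctrl+C to exit)
 stats - Show server statistics

Examples:
 $0 list
 $0 status
 $0 remove web01
EOF
}

# Resolve an agent name to its numeric ID via `manage_agents -l`.
# NOTE(review): assumes one "ID: 001, Name: <name>, IP: <ip>" line per
# agent — confirm the listing format on your build.
agent_id_for() {
  sudo "$OSSEC_DIR/bin/manage_agents" -l \
    | awk -v wanted="$1" '
        /ID: [0-9]+, Name: / {
          id = $0;   sub(/.*ID: /, "", id);     sub(/,.*/, "", id)
          name = $0; sub(/.*Name: /, "", name); sub(/,.*/, "", name)
          if (name == wanted) last = id
        }
        END { if (last != "") print last }'
}

case "$ACTION" in
  list)
    echo "=== Active OSSEC Agents ==="
    sudo "$OSSEC_DIR/bin/list_agents" -a
    ;;
  status)
    echo "=== OSSEC Server Status ==="
    sudo "$OSSEC_DIR/bin/ossec-control" status
    echo ""
    echo "=== Recent Alerts ==="
    sudo tail -n 20 "$OSSEC_DIR/logs/alerts/alerts.log"
    ;;
  restart-all)
    echo "[INFO] Restarting OSSEC server"
    sudo "$OSSEC_DIR/bin/ossec-control" restart
    echo "[INFO] OSSEC server restarted"
    ;;
  remove)
    if [ -z "$AGENT_NAME" ]; then
      echo "Usage: $0 remove <agent_name>" >&2
      exit 1
    fi
    # manage_agents -r expects the agent ID, not its name
    AGENT_ID=$(agent_id_for "$AGENT_NAME" || true)
    if [ -z "$AGENT_ID" ]; then
      echo "[ERROR] No agent named $AGENT_NAME is registered" >&2
      exit 1
    fi
    echo "[INFO] Removing agent: $AGENT_NAME (ID $AGENT_ID)"
    # The piped "y" answers the deletion confirmation prompt
    printf 'y\n' | sudo "$OSSEC_DIR/bin/manage_agents" -r "$AGENT_ID"
    sudo "$OSSEC_DIR/bin/ossec-control" restart
    echo "[INFO] Agent $AGENT_NAME removed and server restarted"
    ;;
  logs)
    echo "=== OSSEC Server Logs ==="
    sudo tail -f "$OSSEC_DIR/logs/ossec.log"
    ;;
  stats)
    # grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps the
    # count instead of aborting under set -e.
    active=$(sudo "$OSSEC_DIR/bin/list_agents" -c | grep -c 'is available' || true)
    # Quote the date so "YYYY Mon DD" stays one pattern rather than splitting
    # into a pattern plus two bogus file names (assumes the default alerts.log
    # layout, where each record carries such a timestamp line).
    today=$(sudo grep -c -- "$(date +'%Y %b %d')" "$OSSEC_DIR/logs/alerts/alerts.log" || true)
    running=$(sudo "$OSSEC_DIR/bin/ossec-control" status | grep -c 'is running' || true)
    echo "=== OSSEC Statistics ==="
    echo "Active agents: $active"
    echo "Total alerts today: $today"
    echo "Running processes: $running"
    ;;
  "")
    usage
    ;;
  *)
    echo "[ERROR] Unknown action: $ACTION" >&2
    usage >&2
    exit 1
    ;;
esac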
Make management script executable
Save the management script above as /usr/local/bin/manage-ossec-agents.sh and set proper permissions.
# Owner may read/write/execute, everyone else read/execute (same as 755)
sudo chmod u=rwx,go=rx /usr/local/bin/manage-ossec-agents.sh
Deploy agents to target servers
Use the deployment script to install agents on your target servers.
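# Deploy to a web server
sudo /usr/local/bin/deploy-ossec-agent.sh web01 203.0.113.20 root
# Deploy to a database server
sudo /usr/local/bin/deploy-ossec-agent.sh db01 203.0.113.21 root
# Deploy to an application server with a non-root SSH user; the remote
# installer calls sudo, so that user needs sudo without a password prompt
sudo /usr/local/bin/deploy-ossec-agent.sh app01 203.0.113.22 ubuntu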
Configure log monitoring and alerting
Enhance the OSSEC configuration to monitor additional log sources and configure custom alerting rules.
syslog,sshd,
Failed password
5
300
SSH brute force attack detected.
web,apache,
404
20
120
High number of 404 errors detected.
mysql,postgresql,
connection refused|Access denied
10
600
Database connection issues detected.
syslog,
ERROR|CRITICAL|FATAL
Application error detected in logs.
Configure email alerting
Set up email notifications for critical security events.
security@example.com
7
5720,100001,100002
full
admin@example.com
10
sms
Add this configuration within the main ossec_config block and restart OSSEC.
# Restart so ossec re-reads ossec.conf with the new rule and alert settings
sudo /var/ossec/bin/ossec-control restart
Verify your setup
Confirm that your OSSEC server is running and agents are connected properly.
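# Check OSSEC server status
sudo /var/ossec/bin/ossec-control status
# List connected agents
sudo /usr/local/bin/manage-ossec-agents.sh list
# View recent alerts
sudo tail -n 20 /var/ossec/logs/alerts/alerts.log
# Check server statistics
sudo /usr/local/bin/manage-ossec-agents.sh stats
# Test agent connectivity
sudo /var/ossec/bin/agent_control -lc
# Monitor real-time alerts (Ctrl+C to exit)
sudo tail -f /var/ossec/logs/alerts/alerts.log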
Configure advanced monitoring rules
Create custom monitoring profiles
Configure specific monitoring rules for different server types.
# Web server specific monitoring
apache
/var/log/apache2/access.log
apache
/var/log/apache2/error.log
apache
/var/log/nginx/access.log
apache
/var/log/nginx/error.log
Configure database server monitoring
Set up specialized monitoring for database servers.
# Database server specific monitoring
mysql_log
/var/log/mysql/error.log
postgresql_log
/var/log/postgresql/postgresql-*.log
/etc/mysql,/etc/postgresql
3600
Apply configurations to specific agents
Assign monitoring profiles to specific agents based on their roles.
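# Copy web server profile to specific agent
sudo cp /var/ossec/etc/shared/web-servers.conf /var/ossec/etc/shared/web01.conf
# Copy database profile to specific agent
sudo cp /var/ossec/etc/shared/db-servers.conf /var/ossec/etc/shared/db01.conf
# Restart OSSEC to apply changes
sudo /var/ossec/bin/ossec-control restart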
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Agent not connecting | Firewall blocking port 1514 | sudo ufw allow 1514/udp or sudo firewall-cmd --add-port=1514/udp --permanent |
| Permission denied errors | Incorrect OSSEC file ownership | sudo chown -R ossec:ossec /var/ossec |
| No email alerts | SMTP server not configured | Configure valid SMTP settings in /var/ossec/etc/ossec.conf |
| High CPU usage | Too frequent integrity checks | Raise the syscheck frequency value to 21600 seconds (6 hours) so integrity scans run less often |
| Agent key import fails | Key format corruption | Regenerate agent key with manage_agents |
| Log parsing errors | Incorrect log format specified | Verify log format matches actual log structure |
| Active response not working | Scripts not executable | sudo chmod +x /var/ossec/active-response/bin/*.sh |
| Database full errors | Alert log rotation not configured | Configure log rotation in /etc/logrotate.d/ossec |
Next steps
- Set up intrusion detection with OSSEC HIDS and nftables integration for automated threat response - Integrate OSSEC with firewall automation
- Set up centralized logging with rsyslog and logrotate for security events - Enhance log management with centralized collection
- Integrate OSSEC with ELK stack for advanced security analytics - Combine OSSEC with Elasticsearch for enhanced threat analysis
- Configure OSSEC active response with Fail2ban integration - Automate threat blocking with coordinated security tools
- Set up OSSEC database output for compliance reporting - Configure database logging for audit and compliance requirements
Automated install script
Run this to automate the entire setup
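#!/usr/bin/env bash
set -euo pipefail
# OSSEC HIDS Server Installation Script
# Production-quality script for centralized security monitoring
#
# Usage: bash install.sh -e ADMIN_EMAIL [-s SMTP_SERVER] [-n CIDR]
# Must run as root; see usage() below for the option details.

# Colors (ANSI escapes, rendered by echo -e / printf %b)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Configuration
# Fixed values are readonly so a later typo cannot silently redirect the
# installer; the last three stay writable because the option parser sets them.
readonly OSSEC_VERSION="3.7.0"
readonly OSSEC_USER="ossec"   # not referenced in this script
readonly OSSEC_GROUP="ossec"
readonly OSSEC_DIR="/var/ossec"
ADMIN_EMAIL=""
SMTP_SERVER="localhost"
ALLOWED_NETWORK=""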
# Error handling and cleanup
# Trap handler for ERR and EXIT. With a non-zero status it removes the build
# artefacts and stops the partially installed service; with status 0 it is a
# no-op, so a successful run leaves the installed tree untouched.
cleanup() {
  local status=$?
  if [ "$status" -eq 0 ]; then
    return 0
  fi
  echo -e "${RED}[ERROR] Installation failed. Cleaning up...${NC}"
  local src_dir="/tmp/ossec-hids-${OSSEC_VERSION}"
  local tarball="/tmp/${OSSEC_VERSION}.tar.gz"
  [ -d "$src_dir" ] && rm -rf "$src_dir"
  [ -f "$tarball" ] && rm -f "$tarball"
  # The unit may not exist yet; never let the handler itself fail
  systemctl stop ossec 2>/dev/null || true
}
trap cleanup ERR EXIT
# Print the option summary and leave with status 1 (also used for -h).
usage() {
  cat <<EOF
Usage: $0 [OPTIONS]
Options:
 -e EMAIL Admin email address (required)
 -s SERVER SMTP server (default: localhost)
 -n NETWORK Allowed network CIDR (default: auto-detect)
 -h Show this help
EOF
  exit 1
}
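# Print a line; %b renders the ANSI colour escapes exactly as `echo -e` did.
msg() { printf '%b\n' "$*"; }

# Refresh/upgrade packages with the detected manager. A function rather than a
# command string: "apt update && apt upgrade -y" stored in a variable and
# word-split hands a literal "&&" to apt instead of chaining two commands.
pkg_update() {
  case "$PKG_MGR" in
    apt) apt update && apt upgrade -y ;;
    dnf) dnf update -y ;;
    yum) yum update -y ;;
  esac
}

# Install the given packages with the detected manager.
pkg_install() {
  case "$PKG_MGR" in
    apt) apt install -y "$@" ;;
    dnf) dnf install -y "$@" ;;
    yum) yum install -y "$@" ;;
  esac
}

# Parse arguments
while getopts "e:s:n:h" opt; do
  case $opt in
    e) ADMIN_EMAIL="$OPTARG" ;;
    s) SMTP_SERVER="$OPTARG" ;;
    n) ALLOWED_NETWORK="$OPTARG" ;;
    h) usage ;;
    *) usage ;;
  esac
done
if [ -z "$ADMIN_EMAIL" ]; then
  msg "${RED}Error: Admin email is required${NC}"
  usage
fi

# Optional integrity check of the downloaded tarball: export OSSEC_SHA256 with
# the SHA-256 hex digest published for the release (PLACEHOLDER — the digest
# is not on this page; take it from the upstream release). Left empty, the
# download is used unverified and the download step says so.
OSSEC_SHA256="${OSSEC_SHA256:-}"

# Check prerequisites
if [ "$EUID" -ne 0 ]; then
  msg "${RED}Error: This script must be run as root${NC}"
  exit 1
fi

msg "${BLUE}OSSEC HIDS Server Installation${NC}"
echo "================================="

# Detect distribution
msg "${YELLOW}[1/10] Detecting distribution...${NC}"
if [ ! -f /etc/os-release ]; then
  msg "${RED}Cannot detect distribution${NC}"
  exit 1
fi
. /etc/os-release
case "$ID" in
  ubuntu|debian)
    PKG_MGR="apt"
    FIREWALL_CMD="ufw"
    BUILD_DEPS=(build-essential gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget)
    ;;
  almalinux|rocky|centos|rhel|ol|fedora)
    PKG_MGR="dnf"
    FIREWALL_CMD="firewall-cmd"
    BUILD_DEPS=(gcc make libevent-devel zlib-devel openssl-devel pcre2-devel wget)
    # CentOS before 8 has yum and pcre rather than dnf and pcre2
    if [ "$ID" = "centos" ] && [ "${VERSION_ID%%.*}" -lt 8 ]; then
      PKG_MGR="yum"
      BUILD_DEPS=(gcc make libevent-devel zlib-devel openssl-devel pcre-devel wget)
    fi
    ;;
  amzn)
    PKG_MGR="yum"
    FIREWALL_CMD="firewall-cmd"
    BUILD_DEPS=(gcc make libevent-devel zlib-devel openssl-devel pcre-devel wget)
    ;;
  *)
    msg "${RED}Unsupported distribution: $ID${NC}"
    exit 1
    ;;
esac
msg "${GREEN}Detected: ${PRETTY_NAME:-$ID}${NC}"

# Auto-detect network if not specified
if [ -z "$ALLOWED_NETWORK" ]; then
  msg "${YELLOW}[2/10] Auto-detecting network...${NC}"
  # Heuristic: the /24 that contains the default gateway. "|| true" keeps a
  # host without a default route from aborting under set -e/pipefail instead
  # of falling back to the default below.
  DEFAULT_ROUTE=$(ip route | awk '/^default/ { print $3; exit }' || true)
  if [ -n "$DEFAULT_ROUTE" ]; then
    ALLOWED_NETWORK="${DEFAULT_ROUTE%.*}.0/24"
  else
    ALLOWED_NETWORK="192.168.1.0/24"
  fi
  msg "${GREEN}Using network: $ALLOWED_NETWORK${NC}"
fi

# Update system packages
msg "${YELLOW}[3/10] Updating system packages...${NC}"
pkg_update

# Install build dependencies
msg "${YELLOW}[4/10] Installing build dependencies...${NC}"
if [ "$PKG_MGR" != "apt" ]; then
  if command -v dnf >/dev/null 2>&1; then
    dnf groupinstall -y "Development Tools" 2>/dev/null || yum groupinstall -y "Development Tools"
  else
    yum groupinstall -y "Development Tools"
  fi
fi
pkg_install "${BUILD_DEPS[@]}"

# Download OSSEC source
msg "${YELLOW}[5/10] Downloading OSSEC source...${NC}"
cd /tmp
wget -q "https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz"
if [ -n "$OSSEC_SHA256" ]; then
  # A digest mismatch fails here and the ERR trap removes the download
  printf '%s  %s\n' "$OSSEC_SHA256" "${OSSEC_VERSION}.tar.gz" | sha256sum -c --quiet -
else
  msg "${YELLOW}Warning: OSSEC_SHA256 is not set; the tarball was not integrity-checked${NC}"
fi
tar -xzf "${OSSEC_VERSION}.tar.gz"
cd "ossec-hids-${OSSEC_VERSION}"

# Create installation response file (answers install.sh's prompts in order)
msg "${YELLOW}[6/10] Preparing installation configuration...${NC}"
cat > install_answers.txt << EOF
en
server
/var/ossec
y
${ADMIN_EMAIL}
${SMTP_SERVER}
y
y
y
y
EOF

# Install OSSEC
msg "${YELLOW}[7/10] Installing OSSEC server...${NC}"
./install.sh < install_answers.txt

# Configure OSSEC (replaces the ossec.conf written by install.sh)
msg "${YELLOW}[8/10] Configuring OSSEC server...${NC}"
cat > "${OSSEC_DIR}/etc/ossec.conf" << EOF
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>${SMTP_SERVER}</smtp_server>
    <email_from>ossec@$(hostname)</email_from>
    <email_to>${ADMIN_EMAIL}</email_to>
    <email_maxperhour>10</email_maxperhour>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>web_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
  <rootcheck>
    <frequency>43200</frequency>
  </rootcheck>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
    <allowed-ips>${ALLOWED_NETWORK}</allowed-ips>
  </remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF

# Set proper permissions: the config names the SMTP relay and admin address,
# so keep it readable by root and the ossec group only
chown "root:${OSSEC_GROUP}" "${OSSEC_DIR}/etc/ossec.conf"
chmod 640 "${OSSEC_DIR}/etc/ossec.conf"

# Configure firewall
msg "${YELLOW}[9/10] Configuring firewall...${NC}"
case "$FIREWALL_CMD" in
  ufw)
    if command -v ufw >/dev/null 2>&1; then
      # Enabling ufw applies its default deny-incoming policy; allow SSH
      # (the OpenSSH profile, else 22/tcp) before enabling so an unattended
      # run cannot lock the administrator out. Adjust if sshd uses another port.
      ufw allow OpenSSH 2>/dev/null || ufw allow 22/tcp
      ufw allow 1514/udp comment "OSSEC Agent Communication"
      ufw --force enable
    fi
    ;;
  firewall-cmd)
    if command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active firewalld >/dev/null 2>&1; then
      firewall-cmd --permanent --add-port=1514/udp
      firewall-cmd --reload
    fi
    ;;
esac

# Start and enable OSSEC service
msg "${YELLOW}[10/10] Starting OSSEC service...${NC}"
# Write the unit first and let systemd perform the only start, rather than
# starting with ossec-control and then again through systemctl.
# NOTE(review): no PIDFile= — ossec-control writes <daemon>-<pid>.pid files,
# so a fixed path never exists and systemd would only log it as unreadable.
cat > /etc/systemd/system/ossec.service << EOF
[Unit]
Description=OSSEC Host Intrusion Detection System
After=network.target

[Service]
Type=forking
ExecStart=${OSSEC_DIR}/bin/ossec-control start
ExecStop=${OSSEC_DIR}/bin/ossec-control stop
ExecReload=${OSSEC_DIR}/bin/ossec-control restart

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable ossec
systemctl start ossec

# Cleanup
cd /
rm -rf "/tmp/ossec-hids-${OSSEC_VERSION}" "/tmp/${OSSEC_VERSION}.tar.gz"

# Verification
msg "${BLUE}Verifying installation...${NC}"
sleep 5
if systemctl is-active ossec >/dev/null 2>&1; then
  msg "${GREEN}✓ OSSEC service is running${NC}"
else
  msg "${RED}✗ OSSEC service is not running${NC}"
  exit 1
fi
if [ -f "${OSSEC_DIR}/logs/ossec.log" ]; then
  msg "${GREEN}✓ OSSEC logging is active${NC}"
else
  msg "${RED}✗ OSSEC logs not found${NC}"
fi

msg "${GREEN}"
echo "========================================="
echo "OSSEC HIDS Server Installation Complete"
echo "========================================="
msg "${NC}"
cat <<EOF
Configuration:
 - OSSEC Directory: ${OSSEC_DIR}
 - Admin Email: ${ADMIN_EMAIL}
 - SMTP Server: ${SMTP_SERVER}
 - Allowed Network: ${ALLOWED_NETWORK}
 - Listen Port: 1514/udp

Management Commands:
 - Start: systemctl start ossec
 - Stop: systemctl stop ossec
 - Status: systemctl status ossec
 - Logs: tail -f ${OSSEC_DIR}/logs/ossec.log

Add agents with: ${OSSEC_DIR}/bin/manage_agents
EOF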
Review the script before running. Execute with: bash install.sh