I'm setting up a CentOS 6.7 64-bit server and I'd like to install OSSEC locally. I have also been trying to find a doc on local installation from RPMs, but most of the tutorials I found on Google install from source with a server<->agent setup. So I'm writing this article for anyone who wants to install OSSEC locally via RPM.
First off, add the Atomic yum repository:
wget -q -O - https://www.atomicorp.com/installers/atomic | sh
Then install both the ossec-hids and ossec-hids-server packages:
yum install ossec-hids ossec-hids-server
Before we start configuring, let's test that sending email works:
mail -s "OSSEC test" firstname.lastname@example.org < /dev/null
If sending email works fine, we can start configuring the local install with ossec-configure like so:
Here is how I proceed:
OSSEC Configuration utility v0.1

1- What kind of installation do you want? (server, agent, local) [Default: server]: local

2- Setting up the configuration environment.

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [Default: y]:
   - What's your e-mail address? <your_email_address>
   - What's your SMTP server ip/host? localhost

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]: n

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

  -- /var/log/messages (syslog)
  -- /var/log/secure (syslog)
  -- /var/log/maillog (syslog)

Configuration complete.
Then, just restart ossec:
To make sure the email alert works as expected, you could try sending a bad message to syslog:
If your server's mail transfer agent or SMTP server works correctly, you should get an email similar to this in your inbox:
Subject: OSSEC Notification - localhost - Alert level 2

OSSEC HIDS Notification.
2015 Dec 14 20:21:43

Received From: localhost->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Dec 14 20:21:42 localhost root: bad

--END OF NOTIFICATION
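The mailbox is not the only place to confirm the test fired: OSSEC also writes every alert to its alerts log, and flags the ones it e-mails with the "mail" group on the alert header. The following smoke-test script is an added example, not part of the original post; it assumes the default /var/ossec layout used by the Atomic RPMs, that the test message is sent with logger(1) (which yields the "root: bad" line shown above), and it embeds a constructed alerts.log sample so the parsing part can be run anywhere.

```shell
#!/bin/sh
# Post-install smoke test for a local OSSEC install (added example, not from the post).
# Assumes the Atomic RPM layout under /var/ossec and that the "bad" test message is
# sent with logger(1), which produces the "root: bad" line seen in the post's alert.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
ALERTS="$OSSEC_DIR/logs/alerts/alerts.log"

# Emit "rule_id level mail|nomail" for each alert in an alerts.log-style file.
# The "mail" group on the "** Alert" header marks alerts OSSEC hands to its mailer.
alerts_summary() {
    awk '
        /^\*\* Alert / { mail = ($0 ~ /: mail - /) ? "mail" : "nomail" }
        /^Rule: /      { print $2, $4 + 0, mail }   # "Rule: 1002 (level 2) -> ..."
    ' "$1"
}

# Count alerts in file $1 from rule $2 that were flagged for e-mail.
count_emailed() {
    alerts_summary "$1" | awk -v id="$2" '$1 == id && $3 == "mail" { n++ } END { print n + 0 }'
}

# Constructed sample in alerts.log format: the post's "bad" alert (rule 1002, e-mailed)
# plus an ordinary login alert that is not. Writes a temp file and prints its path.
sample_alerts_file() {
    f=$(mktemp) && cat > "$f" <<'EOF'
** Alert 1450124502.1234: mail - syslog,errors,
2015 Dec 14 20:21:42 localhost->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Dec 14 20:21:42 localhost root: bad

** Alert 1450124600.2345: - pam,syslog,authentication_success,
2015 Dec 14 20:23:20 localhost->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 14 20:23:19 localhost sshd[2210]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
    echo "$f"
}

# Live check: send the post's test message and confirm a new e-mailed 1002 alert appears.
smoke_test() {
    before=$(count_emailed "$ALERTS" 1002)
    logger bad                       # lands in /var/log/messages as "root: bad"
    sleep 5                          # give ossec-analysisd time to process it
    after=$(count_emailed "$ALERTS" 1002)
    [ "$after" -gt "$before" ]
}

# Only touch the live system when explicitly asked: ./ossec-smoke.sh --live
if [ "${1:-}" = "--live" ]; then smoke_test; fi
```

If the live check fails while the mail test above succeeded, the gap is between syslog and OSSEC (the log is not listed under `<localfile>` in ossec.conf, or ossec-analysisd is not running), not in mail delivery.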
Additionally, to notify multiple email addresses, specify each address with its own email_to tag in the /var/ossec/etc/ossec.conf configuration file:
<email_to>email@example.com</email_to>
<email_to>firstname.lastname@example.org</email_to>
<email_to>email@example.com</email_to>
Hope this helps!