Install OSSEC for system integrity check on Linux and Windows

Jephe Wu -

Objective: use OSSEC HIDS to monitor system file changes in real time
Environment: CentOS 5, RHEL 5, Windows 2003 server


1. Download OSSEC from
2. Install it on the centralized monitoring server first (choose 'server' when installing OSSEC); this server can also be the rsyslog and Nagios server.
3. Install OSSEC as an agent on each Linux or Windows server.
4. Some commands for managing agent authentication, stopping/starting the service and real-time monitoring:

a. On the OSSEC server, run '/var/ossec/bin/manage_agents' to add agents and extract their keys
b. On each OSSEC agent, run '/var/ossec/bin/manage_agents' to import the key extracted on the server
c. Run '/var/ossec/bin/ossec-control stop' or '/var/ossec/bin/ossec-control start' to stop/start the services

d. Real-time syscheck monitoring (only works with directories, not individual files, so you can monitor /etc or C:\Program Files, but not /etc/file.txt)
check this page:

The configuration is very simple. In the <directories> entry where you specify what to monitor, you just need to add the realtime="yes" attribute alongside check_all="yes".

e. Configuration and log files are under /var/ossec/ on Linux and C:\Program Files\ossec on Windows
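What the syscheck section looks like once the realtime attribute from step 4d is in place, as an added example that is not taken from the original post; the directory lists, the ignore entries and the scan frequency are assumed values for a Linux agent, not defaults from any particular install:

```xml
<!-- Added example: syscheck section of /var/ossec/etc/ossec.conf on a Linux agent.
     Directory lists, ignores and frequency are assumed values. -->
<ossec_config>
  <syscheck>
    <!-- Full scan interval in seconds. Entries marked realtime="yes" are
         additionally watched for changes between these scheduled scans. -->
    <frequency>79200</frequency>

    <!-- Real-time monitoring: the value is a list of directories, not a
         single file, because realtime watches work per directory. -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Scheduled-only monitoring: same syntax without the realtime attribute. -->
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files under a monitored directory that change constantly and would
         only generate noise alerts. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</ossec_config>
```

On a Windows agent the same attribute goes on the entry for the directory you want watched, for example C:\Program Files, in C:\Program Files\ossec\ossec.conf. After editing, restart with '/var/ossec/bin/ossec-control restart' and confirm in /var/ossec/logs/ossec.log that ossec-syscheckd reports real-time monitoring as started; on Linux this depends on the build having inotify support, so an agent without it silently falls back to scheduled scans only.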

5. When agents sit on a different network from the server, you need to open UDP port 1514, because netstat shows ossec-remoted listening on UDP 1514:

udp        0      0      *                               14974/ossec-remoted

So open the firewall from agent to server on UDP port 1514.


a. When used together with Nagios monitoring, the active-response feature on Linux may prevent Nagios from working properly, because it dynamically adds IP blocking rules to iptables. To disable active response, add this to /var/ossec/etc/ossec.conf:

<active-response>
  <disabled>yes</disabled>
</active-response>

c. OSSEC Wiki at 

6. FAQ
a. Why does OSSEC send me so many emails?
b. You can use strftime formats in the <localfile> location in /var/ossec/etc/ossec.conf so that OSSEC can monitor a log file whose path changes with the date, like this:


So after midnight, it will start monitoring the new log file at the different path.
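A localfile configuration of the kind FAQ item 6b describes, as an added example that is not from the original post; the log paths and the daily naming pattern are assumed, and the strftime pattern must match however the application actually names its rotated file:

```xml
<!-- Added example: localfile entries in /var/ossec/etc/ossec.conf.
     Paths and the %Y%m%d naming scheme are assumed values. -->
<ossec_config>
  <!-- Static path: the usual case, read from the current end of file. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <!-- Date-variable path: ossec-logcollector expands the strftime
       conversions in the location, so on 2025-03-14 it reads
       /var/log/httpd/access_log-20250314 and moves on to
       /var/log/httpd/access_log-20250315 once the date changes. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log-%Y%m%d</location>
  </localfile>
</ossec_config>
```

Restart the agent with '/var/ossec/bin/ossec-control restart' after the change and check /var/ossec/logs/ossec.log for the file ossec-logcollector reports it is analyzing: if the expanded name does not exist at startup, nothing is read until the application creates it, which is a common reason a date-based location seems to be ignored.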