OSSEC: How to Install OSSEC Agent and Server on Linux
Each distro needs different packages to compile the code; there are also pre-made binaries available.
Build Dependencies
Each distro needs different packages to compile the code. Install the appropriate packages for your distro; I’ll update this list as I discover them.
Ubuntu 16-18
apt install -y unzip build-essential zlib1g-dev libsqlite3-dev libpcre2-dev wget make gcc php php-cli php-common libapache2-mod-php apache2-utils sendmail inotify-tools libevent-dev libssl-dev
Arch Linux
pacman -Sy unzip base-devel
yay -S sendmail (still a work in progress)
Compiling
To get started, we need to get the latest version of the source from the GitHub releases page. At the time of writing this, version 3.6 is the latest.
wget https://codeload.github.com/ossec/ossec-hids/zip/3.6.0
Next, we can extract the zip and start the installer. This both installs the package and compiles it.
unzip 3.6.0
cd ossec-hids-3.6.0
sudo ./install.sh
For my setup, I’ll be doing a hybrid install. This option installs both the server and the client. If you only want the agent, select the agent. Fill out the options according to your needs and wants.
Agent Setup
Running
After you are done installing, run the following as root:
/var/ossec/bin/ossec-control start
If you are hosting the server, you can check that it is running with the following:
netstat -tulpn
This shows all of the listening ports. If you see port 1514/udp and 1515/tcp active, it is working. Example output:
udp6 0 0 :::1514 :::* 30108/ossec-remoted
tcp6 0 0 :::1515 :::* 30108/ossec-remoted
As you can see, the server is running. Now all you need to do is create a firewall rule for it. See FIREWALL ARTICLE for how to do it.
To see what agents are connected, login to the server and run:
/var/ossec/bin/agent_control -lc
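To make the port check above repeatable, here is an added shell example (not from the original post or the OSSEC project) that parses netstat -tulpn output and confirms ossec-remoted is bound to 1514/udp and 1515/tcp; the netstat lines embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): verify that ossec-remoted is
# listening on the two ports the post mentions, using the netstat -tulpn
# output format. SAMPLE_NETSTAT is constructed data for an offline run.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp6       0      0 :::1514                 :::*                                30108/ossec-remoted
tcp6       0      0 :::1515                 :::*                    LISTEN      30108/ossec-remoted
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1203/sendmail'

# ossec_port_open PROTO PORT : reads netstat -tulpn output on stdin and
# exits 0 when a line for PROTO (tcp/udp, IPv4 or IPv6) has a local address
# ending in :PORT and is owned by an ossec-* process, otherwise exits 1.
ossec_port_open() {
    awk -v proto="$1" -v port="$2" '
        # $1 = protocol (tcp, tcp6, udp, udp6); $4 = local address; $NF = PID/program
        $1 ~ "^" proto "6?$" && $4 ~ ":" port "$" && $NF ~ /ossec-/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ossec_listeners : reads netstat -tulpn output on stdin, prints one
# status line per expected port (1514/udp for agent events, 1515/tcp for
# agent registration) and returns 0 only when both are bound by ossec.
check_ossec_listeners() {
    input=$(cat)
    rc=0
    for spec in udp:1514 tcp:1515; do
        proto=${spec%:*}
        port=${spec#*:}
        if printf '%s\n' "$input" | ossec_port_open "$proto" "$port"; then
            echo "ok      $port/$proto bound by ossec-remoted"
        else
            echo "MISSING $port/$proto not bound by an ossec process"
            rc=1
        fi
    done
    return $rc
}

# Offline demo on the constructed sample. On a real server run, as root so
# netstat can show the PID/program column:
#   netstat -tulpn | check_ossec_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | check_ossec_listeners
```

If either line comes back MISSING after ossec-control start, check /var/ossec/logs/ossec.log for why ossec-remoted did not bind before touching the firewall.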
Until a new version comes out, on Linux we should use this patched version, otherwise the install script fails:
wget https://codeload.github.com/ddpbsd/ossec-hids/zip/1871_common