How to Configure OSSEC on Ubuntu - Part 2

In our previous article we explained the installation of OSSEC on the Ubuntu platform. In this part we will first configure both the OSSEC client and the OSSEC server for rootkit detection, integrity checking and auditing. Then we will integrate a database and a web interface with OSSEC for better analysis of logs and alerts.

OSSEC Server Configuration

After successful installation of the OSSEC server, the following output appears in the terminal. The figure shows that manage_agents is the utility for the management of agents (connecting OSSEC agents to the server or manager).

Agents management

Using the manage_agents tool, the following operations can be performed, as shown in the figure below.

Adding new Agent

1) Add an agent
2) Extract key for an agent
3) List already added agents
4) Remove an agent

Enter "A" to add a new OSSEC agent. The following information is required for a new agent:

  • Name of Agent (ubuntu_machine)
  • IP address (
  • ID of agent (001)

Using the List (L) option, we can list the already added OSSEC agents, as shown in the following figure.

Listing of agents

An OSSEC agent cannot communicate with the OSSEC server until we import the key provided by the server. Enter the "E" option to extract the key for an OSSEC agent from the OSSEC server. The extract-key option displays the available agents with their ID, IP and host name.

The following figure shows that we have extracted the key for agent ID 001.

Key for OSSEC agent

The next step is to import the key on the OSSEC agent so that both can communicate with each other. In the next section we explain the key importing process for the OSSEC agent.

Agent settings on the OSSEC Client

manage_agents utility

Like the OSSEC server, the OSSEC client uses the same manage_agents utility to import the key generated at the server/manager.

It is mentioned in the above figure that:

  • First we have to add the agent on the server so that both can communicate with each other.
  • Import the authentication key provided by the OSSEC server on the agent.

When we run /var/ossec/bin/manage_agents on the OSSEC client, it prompts us to press "I" to import the key from the server. We can import agent keys simply by copy and paste. In the following figure, we copied the key from the OSSEC server and pasted it on the OSSEC client.

On pressing "Enter", the agent information (ID, name and IP address) is shown in the same window. If the information is correct, enter "y" to add the key on the client end.

Importing Agent keys

Logs and Alerts on OSSEC Server

Command line interface (CLI)

The OSSEC server stores logs and alerts under the /var/ossec/logs/ directory. Here we can see alerts generated by the OSSEC client on the Ubuntu machine (


The following figure shows SSH wrong-password attempts on the Ubuntu machine (
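As an added example (not part of the original article), the following Python script parses the text format of /var/ossec/logs/alerts/alerts.log and counts sshd authentication alerts per agent and source IP, so the wrong-password attempts shown in the figure can be summarised from the CLI. The sample alerts are constructed, with a made-up agent name and addresses.

```python
import re
from collections import Counter

# Constructed sample of /var/ossec/logs/alerts/alerts.log (made-up agent and IPs).
SAMPLE_ALERTS = """\
** Alert 1420106400.1234: - syslog,sshd,authentication_failed,
2015 Jan 01 10:00:00 (ubuntu_machine) 192.168.56.101->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.56.1
Jan  1 10:00:00 ubuntu sshd[2345]: Failed password for root from 192.168.56.1 port 51234 ssh2

** Alert 1420106420.1400: mail  - syslog,sshd,authentication_failures,
2015 Jan 01 10:00:20 (ubuntu_machine) 192.168.56.101->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.168.56.1
Jan  1 10:00:20 ubuntu sshd[2350]: Failed password for root from 192.168.56.1 port 51260 ssh2
"""

# Header: epoch time, optional 'mail' flag (alert e-mail enabled), rule groups.
HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+:(?: mail)?\s+- (.+?),?$")
# Source line: date, then '(agent) ip' for agent logs or a bare hostname for local ones.
SOURCE = re.compile(r"^\d{4} \w{3} \d{2} [\d:]{8} (?:\((\S+)\) \S+|(\S+))->(\S+)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Return one dict per '** Alert' block of an alerts.log."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = [l for l in block.splitlines() if l.strip()]
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an alert header: skip rather than guess
        a = {"time": int(head.group(1)), "groups": head.group(2).split(","),
             "agent": None, "src_ip": None, "log": lines[-1]}
        for line in lines[1:]:
            if s := SOURCE.match(line):
                a["agent"], a["location"] = s.group(1) or s.group(2), s.group(3)
            elif r := RULE.match(line):
                a["rule_id"], a["level"], a["description"] = int(r.group(1)), int(r.group(2)), r.group(3)
            elif line.startswith("Src IP: "):
                a["src_ip"] = line[len("Src IP: "):]
        alerts.append(a)
    return alerts

def ssh_failures_by_source(alerts, min_level=0):
    """Count sshd alerts at or above min_level per (agent, source IP)."""
    counts = Counter()
    for a in alerts:
        if "sshd" in a["groups"] and a.get("level", 0) >= min_level:
            counts[(a["agent"], a["src_ip"])] += 1
    return counts
```

Feeding the real file (`parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())`) gives the same per-source counts the web interface shows; `min_level=10` keeps only the brute-force correlation alerts.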


Web Interface

Instead of the command-line view of logs and alerts, OSSEC supports a web interface for a better understanding of the logs/alerts generated by the agents. The OSSEC web interface depends on a database, and mainly it uses MySQL. Therefore install the mysql-server, mysql-client and libmysqlclient-dev packages. Along with the MySQL packages, also install the PHP packages that are required with MySQL.

Database and web interface Integration

1. Install the MySQL server, client and MySQL development library packages.


Otherwise the following error appears when running the make setdb command in the OSSEC source code.

db error

2. Recompile OSSEC on the server end without changing the earlier configuration of the OSSEC server.

set DB command

3. After the successful installation of OSSEC with MySQL database support, the next step is the creation of a new database and granting permissions on it, as shown in the following figure.


root@test-VirtualBox:/var/www# mysql -u root -p
Enter password:
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec_u;
Query OK, 0 rows affected (0.27 sec)
mysql> set password for ossec_u=PASSWORD('password');
Query OK, 0 rows affected (0.07 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.06 sec)

4. Import the database schema (mysql.schema) provided in the OSSEC source.

import mysql schema

5. Change the database-related settings in the ossec.conf file (/var/ossec/etc/ossec.conf) as given in the following snapshot.

6. To apply the above changes, run the following ossec commands to enable the database with OSSEC.

ossec restart
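As an added example that is not from the article, this Python helper reads the database_output block that step 5 adds to ossec.conf and checks it before the database is enabled in step 6. The sample ossec.conf excerpt is constructed; the tag names are OSSEC's own, the placeholder-password check flags the 'password' value used in the MySQL session above, and the mode check reflects that the database password sits in the file in clear text.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (the article's screenshot of this setting is not
# reproduced); <database_output> and its child tags are the ones OSSEC reads.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>

<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec_u</username>
    <password>password</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""

REQUIRED = ("hostname", "username", "password", "database", "type")

def parse_database_output(conf_text):
    """Return the <database_output> settings as a dict, or None if absent.
    ossec.conf may hold several top-level <ossec_config> blocks, which is not
    well-formed XML, so wrap the text in a single root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    node = root.find(".//database_output")
    if node is None:
        return None
    return {child.tag: (child.text or "").strip() for child in node}

def check_database_output(settings, conf_mode=0o640):
    """List problems with the settings; an empty list means the database can be enabled."""
    if settings is None:
        return ["no <database_output> block: 'ossec-control enable database' has nothing to use"]
    findings = [f"missing <{k}>" for k in REQUIRED if not settings.get(k)]
    if settings.get("type") not in ("mysql", "postgresql"):
        findings.append("type must be mysql or postgresql")
    if settings.get("password") in ("", "password", "ossec", "ossec_u"):
        findings.append("placeholder database password; set a real one with SET PASSWORD")
    # The password is stored in clear text, so relaxing /var/ossec permissions for
    # the web interface must not make ossec.conf readable by every local user.
    if conf_mode & 0o004:
        findings.append("ossec.conf is world-readable, exposing the database password")
    return findings
```

On a live server pass `os.stat("/var/ossec/etc/ossec.conf").st_mode` as conf_mode to check the real file.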

7. After the successful integration of MySQL with OSSEC, we now download the OSSEC web interface and change its permissions. Download it from the OSSEC website, extract it and move it under the /var/www/ directory of the Apache web server (/var/www is the document root for Apache).

ossec web interface

Also change the permissions of the /var/ossec directory; otherwise the web interface will produce an "unable to access ossec directory" error.

change permission

After changing the permissions of the necessary directories, type localhost/ossec in the browser. It will show a window like the one given below.

ossec web interface


In this part of the article, we learned the integration of OSSEC with a MySQL database so that alerts/logs are stored for better analysis. Alerts generated by OSSEC can be viewed on the CLI and in the web interface. Therefore we integrated the web interface with the OSSEC server installation for better analysis of alerts and management of OSSEC clients.
