How to Install OSSEC Server-Client on Ubuntu - Part 1

In this article our focus is OSSEC, an open source Host-based Intrusion Detection System (HIDS). It can be installed on Linux, Windows and macOS. In this article, we will install OSSEC and its web interface on the Ubuntu distribution. In our case, both the client and the server of OSSEC will be Linux machines. We assume that the MySQL and PHP related packages are already installed. OSSEC provides the following features.

  • Performs log analysis
  • File integrity checking
  • Policy monitoring
  • Rootkit detection
  • Real-time alerting and
  • Active response.

OSSEC Installation

The OSSEC tool can be downloaded from the OSSEC web site, which is shown in the figure. The downloaded compressed file can be used to install either the server or the client of OSSEC; the server/client mode is selected during the installation process.

download ossec package

Now extract the *.tar.gz file with the following commands and go inside the extracted directory, as shown below.

# tar -xf ossec-hids-2.8.1.tar.gz
# cd ossec-hids-2.8.1
Extract the compressed file

Run the ./ script in the terminal; it will prompt for the following options.

install script

OSSEC Server side installation

First of all, we will install the OSSEC tool in server mode. Select the language from the prompt shown in the following figure. This window is the same in all installation modes of OSSEC.

select Language

The following window appears, showing the system details, terminal user and hostname. Press Enter to start the installation process.

installation prompt

It shows the following installation modes/types of OSSEC on the machine.

select installation type

1. Server

It is the central piece of the OSSEC deployment, which interacts with the agents/clients. The server stores the databases for file integrity checking, the events, the logs and the system auditing entries. It also stores rules, decoders, and major configuration options. This makes it easy to administer a large number of agents.

2. Agent

In this mode, the OSSEC agent sends events, logs and audit entries to the server/manager.

3. Local mode

Local mode installation is similar to a server/agent installation, except that it is the server, not the local installation, that is configured to listen for communication from the agents.

4. Hybrid

In this mode, the same host acts as both server and client/agent.

Server Mode

In this article, we will install the client/server modes of OSSEC. This machine ( will be the manager or server and OSSEC agent will be on machine.

1. Select server mode from the given installation types, as shown in the following window.

Server Mode

2. Select the installation directory for OSSEC HIDS. By default, the installation path is /var/ossec.

Installation Path

3. OSSEC provides notification via email, which is an important feature. The next option sets the email address and the SMTP server address.

Email and SMTP setting

4. OSSEC has a syscheck component that performs periodic integrity checking of any configured file (such as /etc/passwd on Linux) or any registry entry on the Windows platform. Integrity checking is an important part of a HIDS because it detects changes on the system. OSSEC calculates the hash (MD5/SHA1) of the key files in the system and of the Windows registry. The agent running on the machine periodically scans the complete system and sends all the hashes to the central OSSEC server. The server stores them and continuously watches for any modifications to them.

integrity check

5. OSSEC provides rootkit detection using Rootcheck, which is an open source tool for rootkit detection and system auditing. The Rootcheck tool scans the whole system and detects the presence of known/unknown rootkits. In addition to that, it detects kernel level rootkits and checks the system configuration for insecure options.

root kit

6. The Active Response feature within OSSEC can run applications on an agent or server in response to triggers such as specific alerts or alert levels. This feature helps to block login attempts on the machine through SSH using iptables.

active responses

7. Using this feature, the OSSEC server sends the OSSEC alerts (sent by agents) to a centralized SYSLOG server such as AlienVault. As shown in the figure, OSSEC will send the auth.log, syslog, dpkg and Apache logs to the SYSLOG server.


8. After the above settings, OSSEC prompts you to start the installation by pressing the "ENTER" button, as shown below.

installation start

9. Before the installation completes, it shows some information such as the OS details, the scripts for starting/stopping OSSEC and the path of the OSSEC configuration file.

Before final step

10. Pressing "ENTER" will finish the OSSEC installation as a server. The following figure shows that agents can be added/removed using the 'manage_agents' utility.

finish installation
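
The integrity check described in step 4 (the agent hashes key files, the server stores the hashes and watches for changes) can be illustrated with a few lines of shell. This is an added example, not OSSEC's own code and not part of the original article; the function names scan_files, compare_scans and demo and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added illustration of the syscheck idea from step 4; this is not OSSEC code.

# Agent side: print "md5:sha1<TAB>path" for every regular file given.
scan_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        md5=$(md5sum "$f" | cut -d' ' -f1)
        sha1=$(sha1sum "$f" | cut -d' ' -f1)
        printf '%s:%s\t%s\n' "$md5" "$sha1" "$f"
    done
}

# Server side: compare the stored scan ($1) with a new scan ($2) and
# print one line per file that was added, changed or deleted.
compare_scans() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))       print "ADDED " $2
          else if (old[$2] != $1) print "CHANGED " $2 }
        END { for (p in old) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | sort
}

# Constructed demo: stand-in files in a temp directory, not real system files.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd"
    printf 'PermitRootLogin no\n' > "$dir/sshd_config"
    scan_files "$dir"/* > "$dir.stored"          # first scan, kept by the server
    printf 'extra:x:0:0::/root:/bin/bash\n' >> "$dir/passwd"   # modified file
    rm "$dir/sshd_config"                        # deleted file
    printf 'new\n' > "$dir/hosts"                # added file
    scan_files "$dir"/* > "$dir.new"             # later periodic scan
    compare_scans "$dir.stored" "$dir.new" | sed "s|$dir/||"
    rm -rf "$dir" "$dir.stored" "$dir.new"
}

demo
```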

OSSEC Client Side installation

Now we will install OSSEC in client mode on an agent for integrity checking and rootkit detection.

1. Select agent mode during the OSSEC installation on server machines and end hosts.

Agent installation mode

2. Set the configuration path (/var/ossec by default).


3. Enter the IP address of the OSSEC server/manager (

ossec server ip

4. Enable the integrity check feature of OSSEC in client mode.


5. Enable the rootkit detection and active response features.

active response

6. Press the "Enter" button to start the installation process.

start installation

7. The following window shows the start/stop scripts and the configuration path for OSSEC. Press the "Enter" button to complete the installation process.

before final installation


In this part of the article we have installed the open source HIDS tool OSSEC on the Ubuntu platform. In the second part of the article we will configure OSSEC for Windows and Linux based clients (addition/listing/deletion of clients, fetching keys from the server etc.). OSSEC clients need keys generated by the OSSEC server. In the end, we will monitor the OSSEC client/server from the web interface.
