Installing OSSEC

This section explains how to install OSSEC with Prelude support from the tarball available on the main website. OSSEC may also be available as a package in your distribution, which would be easier to install.

Get the sources

Prelude support has been included in OSSEC since release 1.4. Download OSSEC from http://www.ossec.net/main/downloads/

First, install the libprelude development package.

Debian:

# aptitude install libprelude-dev

CentOS:

# yum install libprelude-devel

Then, compile and install OSSEC using the following:

$ cd ossec-hids-xx
$ cd src; make setprelude; cd ..
# ./install.sh 

Choose the "server" installation type.

Configuration

Once installed, OSSEC must have its configuration ready to log to Prelude. Edit /var/ossec/etc/ossec.conf:

<ossec_config>

  [...]

  <global>
    <prelude_output>yes</prelude_output>
    <prelude_profile>ossec</prelude_profile>
    <prelude_log_level>0</prelude_log_level>
  </global>
</ossec_config>

Registering OSSEC profile

The OSSEC analyzer runs as the ossec user. In our configuration, this user/group has uid/gid set to 1007; change these values to match your system. To register the profile, run:

prelude-admin register ossec "idmef:w" localhost --uid 1007 --gid 1007 

and follow the instructions. If the registration is successful, you are ready to test your installation. See the Agents Registration Page for more details about sensor registration.
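
The configuration and registration steps above can be checked together before prelude-admin is run. The shell helper below is an added example, not part of the OSSEC or Prelude documentation: its function names are hypothetical, the sample configuration is constructed, and it only prints the registration command, using the uid/gid looked up on the system instead of the 1007 used on this page.

```shell
#!/bin/sh
# Added example (not from the OSSEC or Prelude projects). Function names are
# hypothetical; the XML keys and the prelude-admin arguments are the page's.

# Constructed sample mirroring the <global> block shown above.
sample_conf() {
    cat <<'EOF'
<ossec_config>
  <global>
    <prelude_output>yes</prelude_output>
    <prelude_profile>ossec</prelude_profile>
    <prelude_log_level>0</prelude_log_level>
  </global>
</ossec_config>
EOF
}

# Print the text inside the first <KEY>...</KEY> in FILE, whitespace removed.
conf_value() {  # usage: conf_value FILE KEY
    sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Print the profile name; fail if Prelude output is off or no profile is set.
prelude_profile() {  # usage: prelude_profile FILE
    if [ "$(conf_value "$1" prelude_output)" != "yes" ]; then
        echo "prelude_output is not 'yes' in $1" >&2; return 1
    fi
    profile=$(conf_value "$1" prelude_profile)
    [ -n "$profile" ] || { echo "prelude_profile not set in $1" >&2; return 1; }
    echo "$profile"
}

# Print (do not run) the registration command with the account's real uid/gid.
register_command() {  # usage: register_command PROFILE USER
    uid=$(id -u "$2" 2>/dev/null) || { echo "no such user: $2" >&2; return 1; }
    gid=$(id -g "$2") || return 1
    echo "prelude-admin register $1 \"idmef:w\" localhost --uid $uid --gid $gid"
}

# Stand-alone use: sh preflight.sh /var/ossec/etc/ossec.conf ossec
if [ "$#" -eq 2 ]; then
    profile=$(prelude_profile "$1") && register_command "$profile" "$2"
fi
```

A failure from prelude_profile means ossec.conf would not send alerts to Prelude even after a successful registration, so fix the configuration first.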

Running OSSEC

Before running OSSEC, please make sure to read the General Configuration Page. It is very important for the server-addr parameters to be set to the Prelude-Manager address.

/var/ossec/bin/ossec-control start

See the OSSEC manual pages and documentation for more options.

Links

For instructions on the OSSEC wiki, you can visit http://www.ossec.net/doc/manual/output/prelude-output.html