This section explains how to install OSSEC with Prelude support from the tarball available on the OSSEC website. If your distribution ships OSSEC as a package, installing that package is usually easier; since Prelude support is a compile-time option (see make setprelude below), check that the packaged build was compiled with it before relying on it.
Get the sources¶
Prelude support has been included in OSSEC since release 1.4. Download the OSSEC tarball from http://www.ossec.net/main/downloads/
First install the libprelude development package (Debian/Ubuntu name it libprelude-dev; RPM-based distributions use the -devel suffix):

# aptitude install libprelude-dev
# yum install libprelude-devel

Then compile and install OSSEC. The make setprelude step enables the Prelude output at build time and must run before install.sh:

$ cd ossec-hids-xx
$ cd src; make setprelude; cd ..
# ./install.sh

Choose the "server" installation type.

Once installed, OSSEC must be configured to send its alerts to Prelude. Edit /var/ossec/etc/ossec.conf and add the prelude_* options to the <global> block:

<ossec_config>
  [...]
  <global>
    <prelude_output>yes</prelude_output>
    <prelude_profile>ossec</prelude_profile>
    <prelude_log_level>0</prelude_log_level>
  </global>
</ossec_config>

The prelude_profile value must match the profile name registered with prelude-admin below. prelude_log_level is the minimum OSSEC alert level forwarded to Prelude: 0 forwards every alert, a higher value drops the low-severity ones.
Registering OSSEC profile¶
The OSSEC analyzer runs as the ossec user. In the configuration used here this user and group have uid and gid 1007; substitute the values from your own system (id ossec prints them). Register the profile with:

prelude-admin register ossec "idmef:w" localhost --uid 1007 --gid 1007

"idmef:w" grants the sensor permission to write IDMEF alerts, and localhost is the address of the Prelude-Manager, so replace it if the manager runs on another host. Follow the prompts; if the registration succeeds, you are ready to test the installation. See the Agents Registration page for more details on sensor registration.

Before running OSSEC, read the General Configuration page. In particular, the server-addr parameter must point to the Prelude-Manager address.
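The following shell functions are an added example, not code from the Prelude or OSSEC projects. They turn the configuration and registration steps above into re-runnable operations: the ossec.conf rewrite is idempotent and refuses to touch a file without a <global> block, the profile check runs before registration, and the uid/gid are looked up from the ossec account instead of being hard-coded to 1007. The paths, the account name "ossec" and the manager address are assumptions taken from this page and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not code from the Prelude or OSSEC projects. Assumptions:
# OSSEC lives under /var/ossec, the analyzer account is "ossec", and
# prelude-admin is on PATH (override via the environment variables below).

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
PRELUDE_PROFILE="${PRELUDE_PROFILE:-ossec}"
PRELUDE_MANAGER="${PRELUDE_MANAGER:-localhost}"

# Insert (or replace) the three prelude_* settings inside the <global> block.
# Stale prelude_* lines are dropped first, so the function is idempotent.
# The rewrite happens on a temp copy so a failure never leaves a half-edited
# ossec.conf behind. Returns 1 if the file has no <global> block.
enable_prelude_output() {
    conf="$1"; profile="$2"; level="${3:-0}"
    tmp="$(mktemp)" || return 1
    awk -v profile="$profile" -v level="$level" '
        /<prelude_output>|<prelude_profile>|<prelude_log_level>/ { next }
        { print }
        /<global>/ {
            seen = 1
            print "    <prelude_output>yes</prelude_output>"
            print "    <prelude_profile>" profile "</prelude_profile>"
            print "    <prelude_log_level>" level "</prelude_log_level>"
        }
        END { if (!seen) exit 1 }
    ' "$conf" >"$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
}

# Sanity check before registering: output enabled and a non-empty profile name.
check_prelude_config() {
    conf="$1"
    grep -q '<prelude_output>yes</prelude_output>' "$conf" || return 1
    grep -q '<prelude_profile>[^<][^<]*</prelude_profile>' "$conf" || return 1
}

# Look up the analyzer account's uid and gid instead of hard-coding 1007.
# Prints "uid gid"; returns 1 if the account does not exist.
ossec_ids() {
    user="${1:-ossec}"
    uid="$(id -u "$user" 2>/dev/null)" || return 1
    gid="$(id -g "$user" 2>/dev/null)" || return 1
    echo "$uid $gid"
}

# Register the sensor profile with the manager. "idmef:w" grants the sensor
# permission to write IDMEF alerts; the profile name must equal prelude_profile
# in ossec.conf. prelude-admin is interactive: it prompts for the one-shot
# password generated on the manager side.
register_ossec_profile() {
    ids="$(ossec_ids ossec)" || { echo "ossec account not found" >&2; return 1; }
    set -- $ids   # split "uid gid" into $1 and $2 (intentional word splitting)
    prelude-admin register "$PRELUDE_PROFILE" "idmef:w" "$PRELUDE_MANAGER" \
        --uid "$1" --gid "$2"
}

# Usage, as root, after ./install.sh:
#   enable_prelude_output "$OSSEC_CONF" "$PRELUDE_PROFILE" 0 \
#       && check_prelude_config "$OSSEC_CONF" \
#       && register_ossec_profile
```

Running the functions in that order means a typo in ossec.conf is caught before the manager is asked to issue credentials, and re-running the script after an upgrade replaces the settings rather than duplicating them.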
See the OSSEC manual pages and documentation for more options.
The OSSEC documentation describes the Prelude output in more detail at http://www.ossec.net/doc/manual/output/prelude-output.html