The best installation tutorial is available in the OSSEC book.
Installation of the OSSEC HIDS is very simple. Just follow these few steps to have it working. Please make sure that you understand the type of installation you are choosing (manager, agent, local, or hybrid) and are also aware of the order (always install the manager first). If you don’t know what I’m talking about, it’s a good idea to visit the install types page.
Remember that when following this installation the commands only start after the # Everything before that is just the information about the prompt
If you have experience with Unix, just download the latest version, uncompress it and run the ”./install.sh” script.
Download the latest version and verify its checksum.
On some systems, the command md5, sha1 or wget may not exist, so try md5sum, sha1sum or lynx respectively instead.# wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz # wget http://www.ossec.net/files/ossec-hids-2.6_checksum.txt # cat ossec-hids-2.6_checksum.txt MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e MD5 (ossec-agent-win32-2.6.exe) = 7d2392459aeab7490f28a10bba07d8b5 SHA1 (ossec-agent-win32-2.6.exe) = fdb5225ac0ef631d10e5110c1c1a8aa473e62ab4 # md5sum ossec-hids-2.6.tar.gz MD5 (ossec-hids-2.6.tar.gz) = f4140ecf25724b8e6bdcaceaf735138a # sha1sum ossec-hids-2.6.tar.gz SHA1 (ossec-hids-2.6.tar.gz) = 258b9a24936e6b61e0478b638e8a3bfd3882d91e
Extract the compressed package and run the “./install.sh” script (It will guide you through the installation).
# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf) # cd ossec-hids-* # ./install.sh
Remember to open port 1514 (UDP) if there is a firewall between the server and the agents (not applicable to the local installation type).
If you are installing the server or the agent, remember to follow the Managing the agents section.
Start OSSEC HIDS
# /var/ossec/bin/ossec-control start
Agentless installation has its own page at: Agentless Monitoring.
On systems that do not have a C compiler or one is not allowed by policy installation can be done using Binary Installation
Updating OSSEC is as easy as it can get. Just download the latest package and follow the installation instructions as usual. It will detect that you already have it installed and ask:
- You already have OSSEC installed. Do you want to update it? (y/n): y - Do you want to update the rules? (y/n): y
Just say “yes” to these questions and it will update everything properly. Your local rules and configuration options will not be modified. The same applies to the Unix or Windows agent updates.