Manual: Installation types



1 – Overview

If you have one system to monitor, you can install the OSSEC HIDS locally on that box and do everything from there. However, if you are administering a few systems, you can select one to be your OSSEC server and the others to be OSSEC agents, forwarding events to the server for analysis. One of the greatest benefits of the OSSEC HIDS is its scalability, allowing you to monitor multiple systems from a central point.


2 – Understanding the installation “types”

Remember that the OSSEC HIDS is a host-based IDS (Intrusion Detection System), so you need to install it on every system that you want to monitor. If you have only one machine, like a personal computer or a small server, you will be performing a “local” installation. This type of installation is simpler and customized for just one system.

However, if you are administering a network with at least a few systems to secure and monitor, you should NOT choose the “local” installation. The best option is to select one of your machines to be the OSSEC server and perform the “server” installation on it. Then, choose the “agent” installation for the others. With this approach, the OSSEC server receives events from the “agents”, analyzes and correlates them and, if necessary, generates alerts, all from a centralized point. Your IDS and rootkit rules live on just one box, making them much easier to administer and configure.


3 – Installation order

The “installation order” only matters if you are doing a server/agents installation. If you want a “local” installation, just ignore this part. If you don’t know what kind of installation to choose, read the information about it in Installation types. In the server/agents approach, you first need to install the server. On the server, you also need to authorize each agent that will send information/events/logs to it. The authorization step is really easy and you just need to run it once for each agent. For more information, see Managing the agents.
After the server is done, go to each machine that is going to be an “agent” and perform an “agent installation”. This installation is much simpler and basically just needs to know the IP address of the “server”. Every “agent” also needs an authentication credential that is generated by the server.
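
One way to confirm on an agent that the order above was followed (server address configured, server-generated credential imported), as an added example that is not part of the OSSEC manual. The paths, the `<server-ip>` element and the `client.keys` field layout are assumptions about a default install, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Assumed default layout (not stated on this page): install
# root /var/ossec, agent config etc/ossec.conf with a <server-ip> element,
# and the server-generated credential in etc/client.keys as "ID NAME IP KEY".

check_agent() {
    root="${1:-/var/ossec}"
    conf="$root/etc/ossec.conf"
    keys="$root/etc/client.keys"

    # The agent must know the server's IP address.
    [ -r "$conf" ] || { echo "missing $conf"; return 2; }
    server=$(sed -n 's:.*<server-ip>\([^<]*\)</server-ip>.*:\1:p' "$conf" | head -n 1)
    [ -n "$server" ] || { echo "no <server-ip> configured"; return 3; }

    # The credential generated on the server must have been imported.
    [ -s "$keys" ] || { echo "no credential in $keys; authorize this agent on the server first"; return 4; }

    # An agent holds exactly one well-formed (four-field) entry.
    entries=$(awk 'NF == 4 { n++ } END { print n + 0 }' "$keys")
    [ "$entries" -eq 1 ] || { echo "expected 1 key entry, found $entries"; return 5; }

    # The key is a secret: it must not be accessible to "other".
    other=$(ls -l "$keys" | cut -c8-10)
    [ "$other" = "---" ] || { echo "client.keys open to other users: $other"; return 6; }

    echo "agent ready: server=$server"
}

# Constructed sample tree (documentation addresses, fake key) for an offline run.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '<ossec_config><client><server-ip>192.0.2.10</server-ip></client></ossec_config>\n' > "$d/etc/ossec.conf"
    printf '001 web01 192.0.2.21 CONSTRUCTED_KEY_NOT_REAL\n' > "$d/etc/client.keys"
    chmod 640 "$d/etc/client.keys"
    echo "$d"
}

sample=$(make_sample) && check_agent "$sample"; rm -rf "$sample"
```

On a real agent, call `check_agent` with no argument to inspect the assumed default root; a return code of 4 means the server-side authorization step has not been completed for this machine.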