From OSSEC Wiki
| Module | Suposition |
|---|---|
| ossec-analysisd | Master program. Analyzes data from the logs, syscheck,rootcheck, etc. Runs as an unprivileged (ossec) user under chroot. |
| ossec-execd | Execute active responses by calling the configured scripts. Runs as root. |
| ossec-maild | Send e-mail alerts. Runs as an unprivileged user (ossecm) under chroot. |
| ossec-remoted | Server side socket for server/client communications. Runs as an unprivileged user (ossecr) under chroot. |
| ossec-agentd | Agent side socket for server/client communications. Runs as an unprivileged user (ossec) under chroot. |
| ossec-logcollector | Monitor log files and windows event logs (do not use tail). |
| ossec-syscheckd | Does integrity checking and rootkit detection (rootcheck is a module of it). |
| ossec-csyslogd | Client syslog tool to forward OSSEC alerts to remote syslog servers (including SIM/SEMs and log management systems). |
| ossec-monitord | Monitor agent connectivity and compress daily log files. |
- ossec-logcollector on agent machine tails log file & sends to ossec-agent.
- ossec-agent routes the information to the ossec-server (on server system).
- ossec-remoted receives data, uncompress and unencrypt it and sends to analysysd.
- ossec-analysisd detects an actionable issue
- ossec-analysisd actions:
- ossec-analysisd sends information to ossec-execd (if response is configured to run in the server side).
- ossec-analysisd sends information to ossec-remoted (if response is configured to run in the agent).
- ossec-maild monitors analysisd and generate e-mail alert.
- if response is to run in the agent, ossec-remoted sends to ossec-agent and ossec-agent sends it to ossec-execed to run the active response script
- ossec-execd calls an active response script