OSSEC Processes and DataΒΆ
Module |
Supposition |
|---|---|
ossec-analysisd |
Master program. Analyzes data from the logs, syscheck,rootcheck, etc. Runs as an unprivileged (ossec) user under chroot. |
ossec-execd |
Execute active responses by calling the configured scripts. Runs as root. |
ossec-maild |
Send e-mail alerts. Runs as an unprivileged user (ossecm) under chroot. |
ossec-remoted |
Server side socket for server/client communications. Runs as an unprivileged user (ossecr) under chroot. |
ossec-agentd |
Agent side socket for server/client communications. Runs as an unprivileged user (ossec) under chroot. |
ossec-logcollector |
Monitor log files and windows event logs (do not use tail). |
ossec-syscheckd |
Does integrity checking and rootkit detection (rootcheck is a module of it). |
ossec-csyslogd |
Client syslog tool to forward OSSEC alerts to remote syslog servers (including SIM/SEMs and log management systems). |
ossec-monitord |
Monitor agent connectivity and compress daily log files. |
ossec-logcollector on agent machine tails log file & sends to ossec-agent.
ossec-agent routes the information to the ossec-server (on server system).
ossec-remoted receives data, uncompress and unencrypt it and sends to analysisd.
ossec-analysisd detects an actionable issue.
ossec-analysisd actions:
ossec-analysisd sends information to ossec-execd (if response is configured to run in the server side).
ossec-analysisd sends information to ossec-remoted (if response is configured to run in the agent).
ossec-maild monitors analysisd and generate e-mail alert.
If active response is enabled on the agent, ossec-remoted on the manager sends the active response to ossec-agent on the agent and ossec-agent sends it to ossec-execed.
ossec-execd calls an active response script