OSSEC Processes and DataΒΆ

Module

Supposition

ossec-analysisd

Master program. Analyzes data from the logs, syscheck,rootcheck, etc. Runs as an unprivileged (ossec) user under chroot.

ossec-execd

Execute active responses by calling the configured scripts. Runs as root.

ossec-maild

Send e-mail alerts. Runs as an unprivileged user (ossecm) under chroot.

ossec-remoted

Server side socket for server/client communications. Runs as an unprivileged user (ossecr) under chroot.

ossec-agentd

Agent side socket for server/client communications. Runs as an unprivileged user (ossec) under chroot.

ossec-logcollector

Monitor log files and windows event logs (do not use tail).

ossec-syscheckd

Does integrity checking and rootkit detection (rootcheck is a module of it).

ossec-csyslogd

Client syslog tool to forward OSSEC alerts to remote syslog servers (including SIM/SEMs and log management systems).

ossec-monitord

Monitor agent connectivity and compress daily log files.

  • ossec-logcollector on agent machine tails log file & sends to ossec-agent.

  • ossec-agent routes the information to the ossec-server (on server system).

  • ossec-remoted receives data, uncompress and unencrypt it and sends to analysisd.

  • ossec-analysisd detects an actionable issue.

  • ossec-analysisd actions:

  • ossec-analysisd sends information to ossec-execd (if response is configured to run in the server side).

  • ossec-analysisd sends information to ossec-remoted (if response is configured to run in the agent).

  • ossec-maild monitors analysisd and generate e-mail alert.

  • If active response is enabled on the agent, ossec-remoted on the manager sends the active response to ossec-agent on the agent and ossec-agent sends it to ossec-execed.

  • ossec-execd calls an active response script