OSSEC 4.0.0 documentation

User submitted Cookbooks

Warning

These recipes are user submitted; please review them thoroughly before implementing them in your own environment. No one cares about your environment more than you.

  • How to restart an agent after changes to the agent.conf:
    • Requirements:
    • Details:
    • rules:
    • active response configuration:
  • Using filebeat, logstash, and elasticsearch:
    • Enable json alert output in ossec.conf:
    • Configure filebeat to read alerts.json in filebeat.yml:
    • Configure logstash:
Copyright © Atomicorp, Inc. 2025