OSSEC - The open source log analysis and intrusion detection engine

OSSEC is a free and open source log analysis and host-based intrusion detection system (IDS). It has a powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response.

It works on most operating systems, including Linux, Windows, Solaris, FreeBSD and OpenBSD. It also has an easy-to-set-up centralized architecture, allowing multiple servers to be monitored from one central node.

It provides fairly complete coverage if you are looking for an endpoint (server) security solution.

If you have not used OSSEC before, I recommend reading my guide to get started:

https://dcid.me/notes/my-ossec-setup-guide

OSSEC has been my "baby" for many years and I still use it heavily on all my servers. It is a project that I started back in 2003 and sold to Third Brigade (Trend Micro) in 2008. It was one of the first open source acquisitions and one that worked very well for the project as it allowed me to focus on it full time for years.



Installation

OSSEC is very easy to install and takes less than 5 minutes if you are doing it on just one server:

1- Download OSSEC:

# wget https://dcid.me/ossec-packages/ossec-hids-latest.tar.gz

2- Install gcc and make. A simple “apt-get install gcc make” on Ubuntu or “yum install gcc make” on CentOS/RedHat will do it for you.

3- Run the script ./install.sh. It will guide you through the installation process.

# cd *ossec*
# ./install.sh


4- The install script will create everything necessary and get you up and running in a few minutes. Once completed, just run ossec-control to start OSSEC:

# /var/ossec/bin/ossec-control start

5- If you are running it on multiple servers, make sure to install the manager first and then the agent on the others. Use the manage_agents tool to create the right encryption keys.

6- Enjoy.
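The same five steps as an unattended script, as an added example that is not part of the original post or of OSSEC itself. It assumes the etc/preloaded-vars.conf answer file that install.sh in the OSSEC tarball reads (USER_INSTALL_TYPE, USER_AGENT_SERVER_IP and friends), which the post does not mention, and a published SHA256 for the tarball that you fill in before running it as root.

```shell
#!/bin/sh
# Unattended version of steps 1-5 above (added example, not from the original post).
# Assumed, not stated on the page: the etc/preloaded-vars.conf answer file that the
# OSSEC tarball's install.sh reads, and a published SHA256 you must fill in.
set -eu

OSSEC_URL="https://dcid.me/ossec-packages/ossec-hids-latest.tar.gz"
OSSEC_SHA256="${OSSEC_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}"   # placeholder

# Step 2: gcc and make via the distro's package manager.
pkg_install_cmd() {                       # $1 = apt-get | yum
    case "$1" in
        apt-get) echo "apt-get install -y gcc make" ;;
        yum)     echo "yum install -y gcc make" ;;
        *)       return 1 ;;              # unsupported family: stop, don't guess
    esac
}

detect_pkg_tool() {
    for t in apt-get yum; do
        if command -v "$t" >/dev/null 2>&1; then echo "$t"; return 0; fi
    done
    return 1
}

# Step 5: answers for install.sh. The manager is "server"; agents need the manager IP.
preloaded_vars() {                        # $1 = server | agent, $2 = manager IP
    role="$1"; manager_ip="${2:-}"
    [ "$role" = server ] || [ "$role" = agent ] || return 1
    if [ "$role" = agent ] && [ -z "$manager_ip" ]; then return 1; fi
    printf 'USER_LANGUAGE="en"\nUSER_NO_STOP="y"\nUSER_INSTALL_TYPE="%s"\n' "$role"
    printf 'USER_DIR="/var/ossec"\nUSER_ENABLE_SYSCHECK="y"\nUSER_ENABLE_ROOTCHECK="y"\n'
    printf 'USER_ENABLE_ACTIVE_RESPONSE="y"\n'
    if [ "$role" = agent ]; then printf 'USER_AGENT_SERVER_IP="%s"\n' "$manager_ip"; fi
}

# Steps 1, 3 and 4, run as root: fetch, verify, unpack, install, start.
install_ossec() {                         # $1 = server | agent, $2 = manager IP
    case "$OSSEC_SHA256" in REPLACE_WITH*) echo "set OSSEC_SHA256 first" >&2; return 1 ;; esac
    tool=$(detect_pkg_tool)
    sh -c "$(pkg_install_cmd "$tool")"
    wget -O ossec-hids-latest.tar.gz "$OSSEC_URL"
    echo "$OSSEC_SHA256  ossec-hids-latest.tar.gz" | sha256sum -c -   # abort on mismatch
    tar xzf ossec-hids-latest.tar.gz
    cd ossec-hids-*/
    preloaded_vars "$@" > etc/preloaded-vars.conf
    ./install.sh
    /var/ossec/bin/ossec-control start
}

case "${1:-}" in server|agent) install_ossec "$@" ;; esac
```

Run it as `./ossec-install.sh server` on the manager first, then `./ossec-install.sh agent <manager-ip>` on each agent; the agent keys from manage_agents (step 5) are still created and distributed by hand.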


Download History

You can find all the OSSEC versions here:




Posted in   ossec     by Daniel Cid (dcid)

Coding for fun and profit. Often fun and little profit.