paulgorman.org/technical

OSSEC

OSSEC is an open-source intrusion detection system. http://ossec.github.io

Features

Architecture

Installation

Configuration

The primary config file is /var/ossec/etc/ossec.conf. It has sane defaults.

The docs show a number of useful additional configs. http://ossec.github.io/docs/

(Note: I suspect OSSEC wants IP addresses because it’s chroot’d. I suspect that we could use hostnames if we added them to /var/ossec/etc/hosts (or hard link /etc/hosts to that), but I haven’t tested this.)

Custom Rules

Add custom rules to /var/ossec/rules/local_rules.xml rather than editing the stock rule files, since those other files may be overwritten during OSSEC upgrades.

Test the config with:

# /var/ossec/bin/ossec-logtest -t

We can also test how OSSEC evaluates a particular log line by running ossec-logtest interactively and pasting the line at its prompt:

# /var/ossec/bin/ossec-logtest
2016/06/15 15:46:32 ossec-testrule: INFO: Reading local decoder file.
2016/06/15 15:46:32 ossec-testrule: INFO: Started (pid: 4043).
ossec-testrule: Type one log per line.
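
An added example of what local_rules.xml might hold (my illustration, not from the OSSEC docs or this page): one child rule that silences syscheck "checksum changed" alerts (standard rule 550) for a file that legitimately changes, and one that raises the level of sshd authentication failures (standard rule 5716) when the target account is root. The rule ids 100001 and 100002, the /etc/motd path, and the chosen levels are assumptions for the example; local rules use ids from 100000 upward.

```xml
<!-- Assumed example content for /var/ossec/rules/local_rules.xml -->
<group name="local,syscheck,sshd,">

  <!-- Child of rule 550 (integrity checksum changed). Level 0 means the
       event is still logged but never alerted. The path is an assumption. -->
  <rule id="100001" level="0">
    <if_sid>550</if_sid>
    <match>/etc/motd</match>
    <description>Ignore expected checksum changes to /etc/motd.</description>
  </rule>

  <!-- Child of rule 5716 (sshd authentication failed). Escalate when the
       decoded user field is root, so these stand out from routine noise. -->
  <rule id="100002" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>sshd: failed password for root.</description>
  </rule>

</group>
```

After saving, check the syntax with the ossec-logtest -t command above, then paste a sample sshd "Failed password for root" line into an interactive ossec-logtest session to confirm that rule 100002 is the one that matches.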

How do I stop syscheck alerts during system updates?

There is no easy way to do this, but there are workarounds. Stop the OSSEC processes on the manager, and run /var/ossec/bin/syscheck_control -u AGENT_ID. This clears the syscheck database for that agent, so the next syscheck run creates a new baseline. Then start the OSSEC processes on the manager again. Once the system update is complete, run a syscheck scan on that agent. The database will be populated with the new values, and the updated files should not trigger "file modified" alarms.

http://ossec.github.io/docs/faq/syscheck.html#how-do-i-stop-syscheck-alerts-during-system-updates