OSSEC brief introduction:
OSSEC is an open-source intrusion detection system that includes log analysis, integrity checking, and rootkit detection. As a host-based IDS (HIDS), OSSEC runs on the system being monitored, and it does not have to be installed as a full standalone server on every host. If several machines run OSSEC, it can be run in client/server mode: the agent on each client collects data and sends it to the server for analysis. Monitoring multiple systems from one server is economical and practical for both enterprises and home users.
Environment: CentOS 5.5 x86_64
OSSEC version: ossec-hids-2.7-beta1
10.10.10.240  ossec server
10.10.10.141  ossec client1
Download the package (the same tarball is used on server and client):
wget http://www.ossec.net/files/ossec-hids-2.7-beta-1.tar.gz
I. Install the OSSEC server
1. Build the source with MySQL support (make setdb must run before install.sh)
[root@logserver src]# tar -xf ossec-hids-2.7-beta-1.tar.gz
[root@logserver src]# cd ossec-hids-2.7-beta1/
[root@logserver ossec-hids-2.7-beta1]# cd src
[root@logserver src]# make setdb
Info: Compiled with MySQL support
[root@logserver ossec-hids-2.7-beta1]# ./install.sh
[root@logserver ossec-hids-2.7-beta1]# /var/ossec/bin/ossec-control enable database
Create the database and a dedicated, least-privileged user for ossec-dbd. The host part after ossecuser@ is lost in the source; without it MySQL accepts the user from any host, so in practice restrict it to the OSSEC server's own address. The password is written as 'oscpass' in the source's grant statement but both configuration files below use ossecpass, so that value is used here.
[root@logserver ossec-hids-2.7-beta1]# mysql -u root -p
mysql> create database ossec;
Query OK, 1 row affected (0.04 sec)
mysql> grant INSERT, SELECT, UPDATE, CREATE, DELETE, EXECUTE on ossec.* to ossecuser identified by 'ossecpass';
Query OK, 0 rows affected (0.10 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Edit the ossec2mysql configuration shipped under contrib/:
[root@logserver ossec-hids-2.7-beta1]# cd contrib/
[root@logserver contrib]# vim ossec2mysql.conf
# Params used by OSSEC2BASED
dbhost=localhost
database=ossec
debug=5
dbport=3306
dbpasswd=ossecpass
dbuser=ossecuser
daemonize=0
sensor=centralserver
hids_inter   (this line is cut off in the source)
(The source has database=ossecuser and dbuser=ossec, i.e. the two values swapped; they are given here so they match the database and user created above.)
Import the schema into the new database:
[root@logserver contrib]# mysql -u ossecuser -p ossec < /usr/local/src/ossec-hids-2.7-beta1/contrib/ossec2mysql.sql
Add a <database_output> block to /var/ossec/etc/ossec.conf, inside <ossec_config>:
<ossec_config>
  <database_output>
    <hostname>10.10.10.20</hostname>
    <username>ossecuser</username>
    <password>ossecpass</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
2. Start OSSEC
[root@logserver etc]# /var/ossec/bin/ossec-control restart
After the restart, add the agent key as described in section III.
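The two files configured above must agree on host, user, password and database name, and the copy of ossec2mysql.conf in this tutorial has the database and user values swapped. The following Python check is an added example, not part of this tutorial or of OSSEC: it parses both formats from constructed sample strings (the sample keeps the swap so the check has something to report) and returns the fields that differ.

```python
import xml.etree.ElementTree as ET

# Constructed ossec2mysql.conf sample, with database/dbuser swapped as in this tutorial.
OSSEC2MYSQL_CONF = """\
# Params used by OSSEC2BASED
dbhost=localhost
database=ossecuser
dbpasswd=ossecpass
dbuser=ossec
"""

# Constructed sample of the <database_output> block added to ossec.conf.
OSSEC_CONF = """\
<ossec_config>
  <database_output>
    <hostname>localhost</hostname>
    <username>ossecuser</username>
    <password>ossecpass</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""

# ossec2mysql.conf key -> ossec.conf tag, for the fields both files carry.
FIELD_MAP = {"dbhost": "hostname", "dbuser": "username",
             "dbpasswd": "password", "database": "database"}

def parse_ossec2mysql(text):
    """Parse key=value lines; comments and blanks skipped, keys lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def parse_database_output(text):
    """Return the children of the first <database_output> element as a dict."""
    node = ET.fromstring(text).find("database_output")
    if node is None:
        raise ValueError("no <database_output> block found in ossec.conf")
    return {child.tag.lower(): (child.text or "").strip() for child in node}

def find_mismatches(ossec2mysql_text, ossec_conf_text):
    """Map each differing field to (ossec2mysql.conf value, ossec.conf value)."""
    a = parse_ossec2mysql(ossec2mysql_text)
    b = parse_database_output(ossec_conf_text)
    return {k: (a.get(k), b.get(t)) for k, t in FIELD_MAP.items() if a.get(k) != b.get(t)}
```

On the real files, pass open(path).read() for each; an empty result means ossec-dbd and the ossec2mysql script will use the same credentials.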
II. Install the OSSEC client
tar xf ossec-hids-2.7-beta-1.tar.gz
cd ossec-hids-2.7-beta1/
./install.sh   --> language: cn --> installation type: client (agent)
The client's agent management tool is /usr/local/ossec/bin/manage_agents.

III. Add the OSSEC client to the OSSEC server
On the server, run manage_agents and walk through its menu:
/usr/local/ossec/bin/manage_agents
  A  (add an agent)  -->  agent name  -->  agent IP  -->  agent ID 001
  E  (extract the agent key)  -->  copy the key
  q  (quit)
On the client, import the key and start the agent:
/usr/local/ossec/bin/manage_agents  -->  I (import key)  -->  paste the key  -->  y
/usr/local/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.7-beta1 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.
Confirm that the agent has a UDP session to the server on port 1514:
[root@redmine src]# netstat -antup | grep ossec
udp  0  0  10.10.10.141:35928  10.10.10.240:1514  ESTABLISHED  28558/ossec-agentd
IV. Install the web management interface (ossec-wui)
wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz
[root@db src]# tar xf ossec-wui-0.3.tar.gz
[root@db src]# cd ossec-wui-0.3
[root@db ossec-wui-0.3]# ls
CONTRIB  css  htaccess_def.txt  img  index.php  js  lib  LICENSE  ossec_conf.php  README.search  setup.sh  site
[root@db ossec-wui-0.3]# cp -Rf * /usr/local/ossec/
[root@db ossec-wui-0.3]# cd /usr/local/ossec/
Run the configuration script (it creates the .htpasswd file used below):
[root@db ossec]# ./setup.sh
Set the permissions so the web server can read OSSEC's files:
[root@db ossec]# chgrp apache tmp/
[root@db ossec]# chmod -R 770 tmp/
[root@db ossec]# cat /etc/group
apache:x:48:ossec        (relevant line of the output)
Install Apache and PHP:
[root@db ossec]# yum install -y php.x86_64 php-cli.x86_64 php-devel.x86_64 httpd
Add a virtual directory for the interface:
[root@db ~]# cat /etc/httpd/conf.d/vdoc.conf
Alias /ossec/ "/usr/local/ossec/"
<Directory "/usr/local/ossec/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    # Order deny,allow
    # Deny from all
    # Allow from 127.0.0.1
    AuthName "ossec auth"
    AuthType Basic
    AuthUserFile /usr/local/ossec/.htpasswd
    Require valid-user
</Directory>
The commented-out Order/Deny/Allow lines show the alternative of limiting the interface to 127.0.0.1 rather than exposing it to all hosts behind Basic auth alone.
OSSEC web interface preview (screenshot not included in the source).