These instructions explain how to install OSSEC from source. The provided configuration may not be appropriate for all classes of machines.
- If not already installed, install the Splunk Universal Forwarder. If already installed, proceed to step five.
- Go to Splunk Universal Forwarder for Linux Servers for installation and configuration instructions. Be sure to set a valid index in inputs.conf, as explained in the instructions.
Note: Cloud-based and private-network hosts forward logs to a host they can connect to internally using rsyslog. The rsyslog host then forwards all logs to Splunk using Splunk Universal Forwarder. This requires a privileged connection, like a VPN connection.
For more information about rsyslog, see Splunk via rsyslog for Linux Servers.
- Add the following stanzas to /opt/splunkforwarder/etc/system/local/inputs.conf to configure the forwarding of OSSEC logs to Splunk:
[monitor:///var/ossec/logs/alerts/alerts.log]
disabled=0
sourcetype=ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled=0
sourcetype=ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled=0
sourcetype=ossec_ar
- Restart the Splunk forwarder to pick up the new changes.
sudo /opt/splunkforwarder/bin/splunk restart
- Download and extract the "Latest Stable Release" OSSEC tarball from https://ossec.github.io/downloads.html.
- Change into the extracted directory, then review and run install.sh.
- Choose ‘en’ for English.
- Press ‘enter’ to continue (must have a C compiler).
- Choose local install.
- Choose install location - /var/ossec.
- Choose ‘n’ for email notification.
- Choose ‘y’ for integrity check.
- Choose ‘y’ for rootkit.
- Choose ‘n’ for active response.
- Press ‘enter’ to continue with build.
- Review the instructions on how to start OSSEC, then press ‘enter’ to continue.
- Stop the OSSEC service while you are configuring it:
service ossec stop
- Enter this command to back-up the configuration file:
mv /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.2.9.backup
- Copy the Stanford-provided configuration file to /var/ossec/etc/ossec.conf.
Example: OSSEC 2.9 configuration file
- Update the /var/ossec/etc/ossec.conf configuration file.
Important Note: <ignore> statements may not exclude a directory from scanning if its parent directory is included for scanning.
- Start the OSSEC service when you are done configuring it:
service ossec start
- Confirm the OSSEC service is running normally by checking /var/ossec/logs/alerts/alerts.log. As soon as the service starts, an entry like this should appear in the log file:
2017 Jun 29 07:52:27 basecamp->ossec-monitord Rule: 502 (level 3) -> 'Ossec server started.' ossec: Ossec started.
- After about 15 minutes of operation, new entries should appear in the log file showing that initial system checks were completed by OSSEC.
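As an added example (not part of these instructions or of the OSSEC or Splunk projects), the script below checks the two things this page asks you to get right: that inputs.conf carries an enabled monitor stanza with the expected sourcetype for each of the three OSSEC log files, and that alerts.log contains the rule 502 startup entry quoted above. It also pulls the rule number and level out of a single-line alert in the format the page shows. The sample inputs.conf and alerts.log files are constructed inline so the script runs offline; the function names, the EXPECTED_MONITORS table and the assumption that each alert occupies one line are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original instructions: post-install checks for
# the inputs.conf stanzas and the alerts.log startup entry described on this
# page. Sample files are constructed inline so the script runs offline; on a
# real host point the functions at the paths the page uses (see the bottom).

# Each monitored OSSEC log file with the sourcetype inputs.conf must assign it.
EXPECTED_MONITORS='/var/ossec/logs/alerts/alerts.log ossec_alerts
/var/ossec/logs/ossec.log ossec_log
/var/ossec/logs/active-responses.log ossec_ar'

# check_inputs_conf FILE
# Returns 0 only if FILE has a [monitor://PATH] stanza for every expected path,
# with disabled=0 and the expected sourcetype inside that stanza.
check_inputs_conf() {
    conf="$1"
    echo "$EXPECTED_MONITORS" | while read -r path st; do
        # Keep only the key=value lines of this stanza, whitespace stripped.
        body=$(awk -v hdr="[monitor://$path]" '
            /^\[/ { in_stanza = ($0 == hdr); next }
            in_stanza && NF { gsub(/[[:space:]]/, ""); print }' "$conf")
        [ -n "$body" ] || { echo "$path: no monitor stanza" >&2; exit 1; }
        echo "$body" | grep -qx 'disabled=0' \
            || { echo "$path: stanza is not enabled" >&2; exit 1; }
        echo "$body" | grep -qx "sourcetype=$st" \
            || { echo "$path: sourcetype is not $st" >&2; exit 1; }
    done
}

# alert_rule_and_level LINE
# Prints "RULE LEVEL" from a single-line alerts.log entry in the format the
# page quotes (e.g. "502 3"); prints nothing if the line does not match.
alert_rule_and_level() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Rule: \([0-9][0-9]*\) (level \([0-9][0-9]*\)).*/\1 \2/p'
}

# check_ossec_started LOG
# Returns 0 if LOG contains the rule 502 startup alert the page says appears
# right after 'service ossec start'.
check_ossec_started() {
    grep -q "Rule: 502 (level 3) -> 'Ossec server started.'" "$1"
}

# --- constructed sample input (removed on exit) ---------------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD_CONF="$TMP/inputs.conf"
BAD_CONF="$TMP/inputs-bad.conf"
ALERTS="$TMP/alerts.log"

# The three stanzas exactly as the page gives them.
cat > "$GOOD_CONF" <<'EOF'
[monitor:///var/ossec/logs/alerts/alerts.log]
disabled=0
sourcetype=ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled=0
sourcetype=ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled=0
sourcetype=ossec_ar
EOF

# A broken variant: sourcetype misspelled for alerts.log and the
# active-responses stanza missing entirely. check_inputs_conf must reject it.
cat > "$BAD_CONF" <<'EOF'
[monitor:///var/ossec/logs/alerts/alerts.log]
disabled=0
sourcetype=ossec_alert

[monitor:///var/ossec/logs/ossec.log]
disabled=0
sourcetype=ossec_log
EOF

# The startup entry quoted on the page, written to a constructed alerts.log.
STARTUP_LINE="2017 Jun 29 07:52:27 basecamp->ossec-monitord Rule: 502 (level 3) -> 'Ossec server started.' ossec: Ossec started."
printf '%s\n' "$STARTUP_LINE" > "$ALERTS"

# Run the checks against the sample files. On a real host use
#   check_inputs_conf /opt/splunkforwarder/etc/system/local/inputs.conf
#   check_ossec_started /var/ossec/logs/alerts/alerts.log
if check_inputs_conf "$GOOD_CONF" && check_ossec_started "$ALERTS"; then
    echo "sample inputs.conf and startup alert look correct"
fi
check_inputs_conf "$BAD_CONF" || echo "broken sample rejected as expected"
```

The stanza check is deliberately strict about sourcetype: a stanza that exists but carries the wrong sourcetype still ships the file, so the data lands in Splunk under a name the search in the next step will never match, which is harder to notice than a missing file.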
- Verify that logs are being forwarded to Splunk using a simple search. For example, if your hostname is ‘stanford555’, your search will look like this:
host=stanford555 sourcetype=ossec_alerts
For more information about searching in Splunk, see How to Log into Splunk and Perform a Search.