
Build OSSEC from Source

These instructions explain how to install OSSEC from source. The provided configuration may not be appropriate for all classes of machines.

  1. If not already installed, install the Splunk Universal Forwarder. If already installed, proceed to step five.
  2. Go to Splunk Universal Forwarder for Linux Servers for installation and configuration instructions. Be sure to set a valid index in inputs.conf, as explained in the instructions.
    Note: Cloud-based and private-network hosts forward logs to a host they can connect to internally using rsyslog. The rsyslog host then forwards all logs to Splunk using Splunk Universal Forwarder. This requires a privileged connection, like a VPN connection.
    For more information about rsyslog, see Splunk via rsyslog for Linux Servers.
  3. Add the following stanzas to /opt/splunkforwarder/etc/system/local/inputs.conf in order to configure the forwarding of logs from OSSEC to Splunk:
    [monitor:///var/ossec/logs/alerts/alerts.log]
    disabled=0
    sourcetype=ossec_alerts
    
    [monitor:///var/ossec/logs/ossec.log]
    disabled=0
    sourcetype=ossec_log
    
    [monitor:///var/ossec/logs/active-responses.log]
    disabled=0
    sourcetype=ossec_ar
    
  4. Restart the Splunk forwarder to pick up the new changes.
    sudo /opt/splunkforwarder/bin/splunk restart
  5. Download and extract the "Latest Stable Release" OSSEC tarball from https://ossec.github.io/downloads.html.
  6. Change into the extracted directory, review and run install.sh.
  7. Choose ‘en’ for English.
  8. Press ‘enter’ to continue (must have a C compiler).
  9. Choose local install.
  10. Choose install location - /var/ossec.
  11. Choose ‘n’ for email notification.
  12. Choose ‘y’ for integrity check.
  13. Choose ‘y’ for rootkit.
  14. Choose ‘n’ for active response.
  15. Press ‘enter’ to continue with build.
  16. Review the instructions on how to start OSSEC, then press ‘enter’ to continue.
  17. Stop the OSSEC service while you are configuring it:
    service ossec stop
  18. Enter this command to back up the configuration file:
    mv /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.2.9.backup
    
  19. Copy the Stanford-provided configuration file to /var/ossec/etc/ossec.conf.
    Example: OSSEC 2.9 configuration file
  20. Update the /var/ossec/etc/ossec.conf configuration file.
    Important Note:
    • <ignore> statements may not exclude a directory from scanning if its parent directory is included for scanning.
  21. Start the OSSEC service when you are done configuring it:
    service ossec start
  22. Confirm the OSSEC service is running normally. This can be done by checking the local status of the OSSEC service in /var/ossec/logs/alerts/alerts.log. As soon as the service starts, a log like this should appear in the log file:
    2017 Jun 29 07:52:27 basecamp->ossec-monitord 
    Rule: 502 (level 3) -> 'Ossec server started.' 
    ossec: Ossec started.
  23. After about 15 minutes of operation, new entries should appear in the log file showing that initial system checks were completed by OSSEC.
  24. Verify that logs are being forwarded to Splunk using a simple search. For example, if your hostname is ‘stanford555’, your search will look like this:
    host=stanford555 sourcetype=ossec_alerts
    
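As an added post-install check (example code written for this page, not part of the Stanford instructions, OSSEC, or Splunk), the following Python script verifies the three monitor stanzas from step 3 and parses alerts.log for the rule 502 startup entry from step 22. The sample inputs.conf and alerts.log contents embedded below are constructed for the offline run: one stanza is deliberately left disabled so the checker reports something, and the second alert entry uses an arbitrary rule id. The default file paths in run_checks are the ones the steps above use.

```python
"""Post-install checks for the OSSEC-to-Splunk setup: inputs.conf stanzas
(step 3) and the 'Ossec server started' alert, rule 502 (step 22).
Added example for this page; not OSSEC, Splunk, or Stanford code."""
import configparser
import re
from pathlib import Path

# Expected monitor stanzas from step 3: monitored path -> sourcetype
EXPECTED_MONITORS = {
    "/var/ossec/logs/alerts/alerts.log": "ossec_alerts",
    "/var/ossec/logs/ossec.log": "ossec_log",
    "/var/ossec/logs/active-responses.log": "ossec_ar",
}

# Constructed inputs.conf body for the offline demo. The last stanza is
# deliberately disabled so the checker has a problem to report.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/ossec/logs/alerts/alerts.log]
disabled=0
sourcetype=ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled=0
sourcetype=ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled=1
sourcetype=ossec_ar
"""

# Constructed alerts.log body: the first entry is the one shown in step 22,
# the second is made up (arbitrary rule id) to show the parser handles
# several entries and skips blank lines between them.
SAMPLE_ALERTS_LOG = """\
2017 Jun 29 07:52:27 basecamp->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

2017 Jun 29 08:07:31 basecamp->syscheck
Rule: 9999 (level 7) -> 'constructed example alert'
constructed: this entry and its rule id are made up for the demo
"""

# Three-line alert form from step 22: timestamp host->source / Rule line / message.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+?)->(?P<source>\S+)[ \t]*\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'[ \t]*\n"
    r"(?P<msg>.*)$",
    re.MULTILINE,
)


def check_inputs_conf(text):
    """Return a list of problems with the OSSEC monitor stanzas (empty = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for path, sourcetype in EXPECTED_MONITORS.items():
        section = "monitor://" + path
        if not cp.has_section(section):
            problems.append(f"missing stanza [{section}]")
            continue
        if cp.get(section, "disabled", fallback="0").strip() != "0":
            problems.append(f"[{section}] is disabled")
        got = cp.get(section, "sourcetype", fallback=None)
        if got != sourcetype:
            problems.append(f"[{section}] sourcetype is {got!r}, expected {sourcetype!r}")
    return problems


def parse_alerts(text):
    """Parse every alert entry in the three-line form into a dict."""
    return [
        {
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "source": m.group("source"),
            "rule": int(m.group("rule")),
            "level": int(m.group("level")),
            "description": m.group("desc"),
            "message": m.group("msg").strip(),
        }
        for m in ALERT_RE.finditer(text)
    ]


def server_started(text):
    """True when rule 502 ('Ossec server started.') appears in the log text."""
    return any(a["rule"] == 502 for a in parse_alerts(text))


def run_checks(inputs_conf_path="/opt/splunkforwarder/etc/system/local/inputs.conf",
               alerts_log_path="/var/ossec/logs/alerts/alerts.log"):
    """Run both checks against real files; returns (problems, started)."""
    problems = check_inputs_conf(Path(inputs_conf_path).read_text())
    started = server_started(Path(alerts_log_path).read_text())
    return problems, started


if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    for p in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print("inputs.conf:", p)
    print("server started:", server_started(SAMPLE_ALERTS_LOG))
```

On a real host, call run_checks() with no arguments (it needs read access to both files, so run it as root or with sudo). The alert regex anchors on the timestamp line, so the "** Alert" header lines and blank separators found in a full alerts.log are skipped rather than breaking the parse.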

For more information about searching in Splunk, see How to Log into Splunk and Perform a Search.

Last modified June 20, 2022