Install OSSEC – Ubuntu

Over the years I kept increasing the number of servers I manage, and although running operations from Windows is a breeze, I set up an Ubuntu 14.10 desktop inside VMware so I have a local platform for testing new stuff I want to implement. It also makes things slightly easier, since I spend most of my time in the Linux terminal.

Today I have been playing with OSSEC, and here’s a quick tutorial on how to get things rolling:

1 – First off you will need a bunch of dependencies. Since my local install is a vanilla desktop, from which I am typing right now, there are a few things to set up (run these as root, or prefix them with sudo):

apt-get install build-essential apache2 libapache2-mod-php5 apache2-utils zlib1g-dev libssl-dev

If you are missing a dependency at some point, do yourself a favour and install apt-file. It makes finding the package that provides a missing header or library a breeze.

apt-get install apt-file

Run apt-file update once so it has an index to search. Then, if you’re missing zlib.h, all you have to do is apt-file search zlib.h. Done.

2 – Get the sources for the server and the web ui from git:

cd /opt

git clone https://github.com/ossec/ossec-hids.git

git clone https://github.com/ossec/ossec-wui.git

3 – Install OSSEC

cd /opt/ossec-hids;./install.sh

The only parameters you would usually have to modify are the e-mail address and the server type. I chose “local” for my installation, but feel free to type help and read about the different options. The installer also creates the ossec system user and group, which step 5 below relies on.

4 – Install ossec-wui – the web interface:

cd /opt/;mv ossec-wui /var/www/html;cd /var/www/html/ossec-wui;./setup.sh

Apart from choosing a username and password for the web interface when setup.sh asks for them, there is nothing to modify here, and I suggest you leave the paths the same for both OSSEC and the WUI. Pick a strong password: the interface exposes your alert logs.

5 – Fix some permissions. The web server needs to read OSSEC’s alert logs, which belong to group ossec, and to write to the UI’s tmp directory. Note that the directory is the ossec-wui one you moved in step 4, not /var/www/html/ossec:

usermod -a -G ossec www-data

cd /var/www/html/ossec-wui;chgrp www-data tmp;chmod 770 tmp

6 – Restart Apache. Ubuntu starts apache2 as soon as the package is installed, and a running process does not pick up the new group membership from usermod, so a plain start would leave www-data without access to the ossec group:

service apache2 restart

7 – Open your browser, go to http://localhost/ossec-wui and voila, you should see the system logs … logged. Check that you are prompted for the username and password you gave setup.sh; if the page loads without a prompt, Apache is not honouring the .htaccess file in that directory (Ubuntu’s default AllowOverride None for /var/www does exactly that), and you should fix the Apache configuration before going further. Either way, keep the interface reachable only from localhost or from trusted hosts.
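To tie the seven steps together, here is an added example of the whole procedure as one re-runnable shell script with a permission check at the end. It is not OSSEC’s or this post’s own script; the paths (/opt, /var/www/html, group ossec, user www-data) are the ones used in the steps above and are assumed to match your system. The script only performs the install when invoked with the argument install, so the check functions can also be sourced and used on their own.

```shell
#!/bin/sh
# Added example (not from OSSEC or the original post): steps 1-7 of the
# tutorial as one script, plus a post-install check of step 5.
# Assumed paths follow the post; run as root on Ubuntu.
set -eu

SRC_DIR=/opt                       # where the post clones both repositories
WEB_ROOT=/var/www/html             # Apache document root on Ubuntu
WUI_DIR="$WEB_ROOT/ossec-wui"      # result of "mv ossec-wui /var/www/html"
WEB_USER=www-data                  # Apache's user
OSSEC_GROUP=ossec                  # group created by OSSEC's install.sh

# Step 1: build tools plus the Apache/PHP stack the web UI needs.
install_deps() {
    apt-get install -y build-essential apache2 libapache2-mod-php5 \
        apache2-utils zlib1g-dev libssl-dev git apt-file
    apt-file update    # apt-file cannot search until its index exists
}

# Step 2: clone only when the checkout is missing, so re-runs are harmless.
fetch_sources() {
    cd "$SRC_DIR"
    [ -d ossec-hids ] || git clone https://github.com/ossec/ossec-hids.git
    [ -d ossec-wui ]  || git clone https://github.com/ossec/ossec-wui.git
}

# Step 3: the interactive installer; answer "local" and your e-mail address.
install_ossec() {
    (cd "$SRC_DIR/ossec-hids" && ./install.sh)
}

# Step 4: move the UI under the web root and run its setup (it prompts for
# the web login; keep the default OSSEC path).
install_wui() {
    [ -d "$WUI_DIR" ] || mv "$SRC_DIR/ossec-wui" "$WEB_ROOT/"
    (cd "$WUI_DIR" && ./setup.sh)
}

# Step 5: let Apache read OSSEC's alert logs and write the UI's tmp dir.
# The path is the ossec-wui directory, not /var/www/html/ossec.
fix_permissions() {
    usermod -a -G "$OSSEC_GROUP" "$WEB_USER"
    chgrp "$WEB_USER" "$WUI_DIR/tmp"
    chmod 770 "$WUI_DIR/tmp"
}

# Step 6: restart, not start, so the new group membership takes effect.
restart_apache() { service apache2 restart; }

# --- checks used by verify() ----------------------------------------------

# Octal permission bits of a path: GNU stat first, BSD stat as a fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Succeeds only if DIR is mode 770 (owner and group rwx, nothing for others).
check_tmp_mode() { [ "$(mode_of "$1")" = 770 ]; }

# Succeeds only if USER is a member of GROUP according to id(1).
check_group_membership() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

verify() {
    check_group_membership "$WEB_USER" "$OSSEC_GROUP" \
        || { echo "$WEB_USER is not in group $OSSEC_GROUP" >&2; return 1; }
    check_tmp_mode "$WUI_DIR/tmp" \
        || { echo "$WUI_DIR/tmp is not mode 770" >&2; return 1; }
    echo "OK: open http://localhost/ossec-wui and expect a login prompt"
}

main() {
    install_deps; fetch_sources; install_ossec; install_wui
    fix_permissions; restart_apache; verify
}

# Only act when asked, e.g.  sudo sh install-ossec.sh install
#                        or  sudo sh install-ossec.sh verify
case "${1:-}" in
    install) main ;;
    verify)  verify ;;
esac
```

The verify step is worth running on its own after any later change to the Apache or OSSEC setup: a wrong tmp mode or a missing group membership are exactly the two failures that make the UI show nothing while Apache itself looks healthy.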