11 Mar 2011
OSSEC (Open Source SECurity) is an open source host-based intrusion detection system built around a log correlation and analysis engine. It consists of a server and agents that are installed on the monitored hosts.
The OSSEC server runs on Linux and other Unix-like systems. Before installing, the security administrator should decide whether alerts also need to be stored in a database. If so, install the database engine (for example MySQL or PostgreSQL) and enable database support (run make setdb in the src directory of the source tree) before installing OSSEC; the database output is then switched on after installation with ossec-control enable database. Whether or not a database is used, every alert is also written to the OSSEC alert log (alerts.log under /var/ossec/logs/alerts/ in a default install).
By default the OSSEC server sends alerts by e-mail. The SMTP port is compiled into the mail daemon (sendmail.c in the os_maild source), so if your mail server listens on a non-standard port you have to change that file before building OSSEC. The mailer speaks plain SMTP without authentication or TLS, so point it at a relay that accepts unauthenticated mail from the OSSEC host, typically a local MTA.
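The server-side settings described above (mail delivery, alert levels and the optional database output) as one ossec.conf fragment. This is an added example, not configuration from the original post or from the OSSEC project; the host names, addresses, mailbox and credentials are placeholders and the database block is only honoured if the server was built with make setdb.

```xml
<!-- /var/ossec/etc/ossec.conf (server). All host names and addresses are assumptions. -->
<ossec_config>
  <global>
    <!-- os_maild speaks plain SMTP with no AUTH and no TLS, so the relay
         must accept unauthenticated mail from this host. -->
    <email_notification>yes</email_notification>
    <email_to>secops@example.org</email_to>
    <smtp_server>mail.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
    <!-- Cap outbound mail so a noisy rule cannot flood the mailbox. -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Level 1 and above is written to /var/ossec/logs/alerts/alerts.log;
         only level 7 and above is mailed. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Optional: requires a build with "make setdb", then
       /var/ossec/bin/ossec-control enable database. Placeholder credentials. -->
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>CHANGE-ME</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
```

After editing the file, restart with /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for errors from ossec-maild and ossec-dbd: a wrong SMTP host or database password shows up there rather than as a failed start.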
OSSEC has a separate Web User Interface package (ossec-wui). It requires Apache with PHP, and the web server user needs read access to the OSSEC alert logs (the WUI setup script adds that user to the ossec group). The interface exposes every alert and has no authentication of its own, so configure HTTP Basic authentication in Apache and serve it only over HTTPS; without TLS the Basic credentials travel in the clear.
Once installation is complete, OSSEC is ready to receive events from different systems for correlation and analysis. It ships with a large set of decoders and correlation rules for Linux, Apache, MySQL, PostgreSQL, Cisco, Symantec, VMware and others. You can also write custom rules in local_rules.xml, which is not overwritten when OSSEC is upgraded, unlike the stock rule files; rule IDs 100000 to 109999 are reserved for local rules.
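Two common kinds of custom rule, as an added example that is not from the original post or the OSSEC rule set: a child rule that mutes a known-good source, and a child rule that raises the level of a stock match. Both hang off stock rule 5716 (the sshd "authentication failed" rule); the scanner address is an assumption.

```xml
<!-- /var/ossec/rules/local_rules.xml. IDs 100000-109999 are reserved for local rules. -->
<group name="local,syslog,sshd,">

  <!-- Child rules of 5716 are evaluated in order and the first match wins,
       so this level-0 rule silences the parent for one source. Level 0 is
       never logged or mailed. 10.0.0.5 is an assumed scanner address. -->
  <rule id="100100" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>Ignore SSH authentication failures from the vulnerability scanner.</description>
  </rule>

  <!-- Same parent, different condition: a failure for root is worth a
       level-10 alert (above the email_alert_level of 7) even if it is a
       single event. "user" is the field the sshd decoder extracts. -->
  <rule id="100101" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>SSH authentication failure for root.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Feed sample lines to /var/ossec/bin/ossec-logtest (it reads log lines from standard input and prints the decoder and the rule that fired) before restarting the server: a rule that never matches, or matches everything, is far cheaper to find there than in alerts.log.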
Event sources can send logs to OSSEC over syslog. Where an agent can be installed it is preferable: the agent reads local log files and forwards them to the server over an encrypted channel, and it also performs integrity checking (syscheck) of critical system and configuration files and rootkit detection, which plain syslog forwarding cannot provide.
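The two input paths just described, as an added example that is not configuration from the original post or the OSSEC project: the server fragment accepts plain syslog from a network range and encrypted agent traffic, and the agent fragment forwards a log file and checksums the directories that matter. The addresses and the directory list are assumptions.

```xml
<!-- Server side, /var/ossec/etc/ossec.conf. Addresses are assumptions. -->
<ossec_config>
  <!-- Plain syslog from devices that cannot run an agent (Cisco etc.).
       Restrict the sender range: anything in allowed-ips can inject events. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- Encrypted agent channel; each agent needs a key from manage_agents. -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>

<!-- Agent side, /var/ossec/etc/ossec.conf on the monitored host. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>

  <!-- Log forwarding: the server's sshd/pam decoders handle these lines. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- Integrity checking: full scan every 2 hours, plus realtime (inotify)
       change notification on the configuration directory. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc</directories>
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/boot</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>
</ossec_config>
```

Register the agent with /var/ossec/bin/manage_agents on the server (add the agent, extract its key) and again on the agent (import the key) before starting it; until the key is in place the server silently drops the agent's traffic, so an agent that "sends nothing" is usually an unregistered one.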
We will review several OSSEC use cases in the next article.