Scripts · May 10, 2026 · 3 min read

OSSEC — Open Source Host-Based Intrusion Detection System

A widely deployed open-source HIDS that performs log analysis, file integrity monitoring, rootkit detection, and active response.

Introduction

OSSEC is one of the most widely deployed open-source host-based intrusion detection systems. It provides log analysis, file integrity monitoring, Windows registry monitoring, rootkit detection, real-time alerting, and active response capabilities. It runs on Linux, Windows, macOS, and BSD, with a centralized manager that collects and correlates events from agents across the infrastructure.

What OSSEC Does

  • Performs real-time log analysis and correlation from system logs, application logs, and event logs
  • Monitors file integrity by detecting unauthorized changes to critical system files
  • Detects rootkits by checking for known signatures and anomalous system behavior
  • Executes active responses such as blocking attacker IPs via firewall rules
  • Provides centralized management with a server that aggregates alerts from distributed agents

Architecture Overview

OSSEC uses a client-server architecture. The OSSEC server (manager) receives events from OSSEC agents installed on monitored hosts. Agents collect logs, monitor file changes, and run rootkit checks locally, then send compressed and encrypted events to the manager over UDP port 1514, so that port must be reachable from every agent. The manager runs decoders to parse log formats, applies rules to generate alerts, and can trigger active response scripts on itself or on agents. Communication between agents and the manager is authenticated and encrypted with a per-agent pre-shared key that is generated on the manager and imported on the agent, which is why agent registration is a required setup step. Hosts that cannot run an agent (network devices, appliances) can instead send plain syslog to the manager's remote syslog listener, but that path is neither authenticated nor encrypted.

Self-Hosting & Configuration

  • Install the server on a dedicated Linux host using the interactive install script
  • Deploy agents on monitored systems (Linux, Windows, macOS) and register each one with the server: generate its key on the manager with /var/ossec/bin/manage_agents and import that key on the agent
  • Configure the log files (localfile) and directories (syscheck) to monitor in /var/ossec/etc/ossec.conf on each host that has them; manager-wide settings such as outputs and active response live in the manager's ossec.conf
  • Define custom decoder and rule XML files (etc/local_decoder.xml, rules/local_rules.xml) for application-specific log parsing, and check them against sample log lines with /var/ossec/bin/ossec-logtest before restarting
  • Set up email alerts (email_notification in the global section) or syslog forwarding (syslog_output, enabled with ossec-control enable client-syslog) for integration with SIEM platforms
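The steps above end to end, as an added example that is not part of OSSEC or its installer. It assumes the installer-generated ossec.conf, which loads etc/local_decoder.xml and rules/local_rules.xml, the manage_agents, ossec-control and ossec-logtest utilities shipped in /var/ossec/bin, hypothetical hosts (manager 10.0.0.10, agent web01 at 10.0.0.20, collector 10.0.0.50), and a constructed "myapp" log format:

```shell
#!/bin/sh
# Added example, not OSSEC's own install tooling: provision the manager with a
# custom decoder/rule pair for a hypothetical "myapp" log, point an agent at the
# manager with FIM on the app's config directory, and forward JSON alerts to a
# syslog collector. Hosts, paths and the myapp log format are assumptions.
set -eu

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
MANAGER_IP="${MANAGER_IP:-10.0.0.10}"   # assumed manager address
AGENT_IP="${AGENT_IP:-10.0.0.20}"       # assumed agent address, named web01
SIEM_HOST="${SIEM_HOST:-10.0.0.50}"     # assumed syslog/SIEM collector

# Manager: decoder for a constructed line such as
#   Jan  5 10:00:00 web01 myapp: login failed for user alice from 203.0.113.7
# The parent matches the syslog program name; the child extracts user and srcip
# from the message body (OSSEC regex: \S non-space, \d digit, . any character).
write_local_decoder() {
  cat > "$1/etc/local_decoder.xml" <<'EOF'
<decoder name="myapp">
  <program_name>^myapp</program_name>
</decoder>
<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <prematch>^login failed for user </prematch>
  <regex offset="after_prematch">^(\S+) from (\d+.\d+.\d+.\d+)</regex>
  <order>user, srcip</order>
</decoder>
EOF
}

# Manager: rules. IDs 100000-109999 are reserved for local rules. Rule 100101
# correlates on the decoded srcip, so repeated failures from one source inside
# the timeframe escalate to level 10, the level an active response can key on.
write_local_rules() {
  cat > "$1/rules/local_rules.xml" <<'EOF'
<group name="local,myapp,">
  <rule id="100100" level="5">
    <decoded_as>myapp</decoded_as>
    <match>login failed</match>
    <description>myapp: failed login</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>myapp: repeated failed logins from the same source</description>
    <group>authentication_failures,</group>
  </rule>
</group>
EOF
}

# Manager: forward alerts of level >= 7 as JSON to the collector. ossec.conf may
# contain several <ossec_config> blocks, so the fragment is simply appended.
append_manager_config() {
  cat >> "$1/etc/ossec.conf" <<EOF
<ossec_config>
  <syslog_output>
    <server>$SIEM_HOST</server>
    <port>514</port>
    <format>json</format>
    <level>7</level>
  </syslog_output>
</ossec_config>
EOF
}

# Agent: log collection and FIM go in the ossec.conf of the host that owns the
# files, not in the manager's.
append_agent_config() {
  cat >> "$1/etc/ossec.conf" <<EOF
<ossec_config>
  <client>
    <server-ip>$MANAGER_IP</server-ip>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp.log</location>
  </localfile>
  <syscheck>
    <directories check_all="yes" realtime="yes">/etc/myapp</directories>
  </syscheck>
</ossec_config>
EOF
}

apply_manager() {
  write_local_decoder "$OSSEC_DIR"
  write_local_rules "$OSSEC_DIR"
  append_manager_config "$OSSEC_DIR"
  "$OSSEC_DIR/bin/manage_agents" -a "$AGENT_IP" -n web01
  "$OSSEC_DIR/bin/ossec-control" enable client-syslog
  "$OSSEC_DIR/bin/ossec-control" restart
  # Replay the constructed line: expect decoder myapp and rule 100100 to fire.
  echo "Jan  5 10:00:00 web01 myapp: login failed for user alice from 203.0.113.7" \
    | "$OSSEC_DIR/bin/ossec-logtest"
  # Then run manage_agents -e <id> here and manage_agents -i <key> on the agent.
}
apply_agent() { append_agent_config "$OSSEC_DIR"; "$OSSEC_DIR/bin/ossec-control" restart; }

# With no argument the script only defines functions; "manager" or "agent" applies.
case "${1:-}" in manager) apply_manager ;; agent) apply_agent ;; esac
```

Run it as sh provision.sh manager on the manager and sh provision.sh agent on the agent. The split is the point: localfile and syscheck describe files on the host that has them, so they belong in the agent's configuration, while decoders, rules and syslog_output are evaluated on the manager. The ossec-logtest replay is the quickest check that a new decoder and rule actually match before alerts are expected from production traffic, and the key exchange still has to be finished with manage_agents -e on the manager and -i on the agent.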

Key Features

  • Multi-platform agent support: Linux, Windows, macOS, BSD, and Solaris
  • Pre-built decoders for common log formats (syslog, Apache, nginx, SSH, Windows Event Log)
  • File integrity monitoring with real-time and scheduled scan modes
  • Active response framework that can block IPs, disable accounts, or run custom scripts
  • PCI-DSS, HIPAA, and NIST 800-53 compliance mapping for audit requirements

Comparison with Similar Tools

  • Wazuh — a fork of OSSEC with a modern web UI and extended features; OSSEC is the original upstream project
  • Falco — runtime security for containers and hosts based on kernel-level syscall monitoring (kernel module or eBPF probe); OSSEC focuses on host-level log analysis and file integrity
  • AIDE — file integrity checker only; OSSEC adds log analysis, rootkit detection, and active response
  • Tripwire — FIM tool with a commercial Enterprise edition and an open-source core (Open Source Tripwire); OSSEC is fully open source with broader detection capabilities

FAQ

Q: What is the difference between OSSEC and Wazuh? A: Wazuh started as a fork of OSSEC and added a web UI, REST API, Elastic Stack integration, and extended rule sets. OSSEC remains the original project with a lighter footprint.

Q: Does OSSEC work on Windows? A: Yes. OSSEC has a native Windows agent that monitors Windows Event Logs, registry changes, and file integrity.

Q: How does active response work? A: When an alert reaches the level (or matches the rule IDs) configured for an active response, OSSEC runs the associated script on the agent that reported the event, on the manager, or on all agents, passing the decoded fields such as source IP and user name as command-line arguments. A typical script adds a firewall rule to block the source IP; when the configured timeout expires, OSSEC calls the same script again with a delete action to remove it. Because those arguments come from attacker-influenced log content, scripts must validate them before using them in a command, and trusted addresses should be listed in the manager's white_list so they are never blocked.
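An active-response script that follows the calling convention described above, added here as an example rather than one of OSSEC's bundled scripts (OSSEC ships its own firewall-drop script for this purpose). The script name myapp-block.sh, the ossec.conf stanza quoted in its header comment, and the MANAGER_IP and AR_DRY_RUN variables are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not one of OSSEC's bundled active-response scripts: block the
# source IP of an alert with iptables. OSSEC invokes active-response scripts as
#   <script> <add|delete> <user> <srcip> <alert_id> <rule_id> [agent_id] [filename]
# and passes "-" for fields it did not decode. Script name, the ossec.conf
# stanza quoted below, MANAGER_IP and the log path are assumptions.
#
# Manager-side stanza wiring it to level >= 10 alerts on the reporting agent,
# with OSSEC calling the script again with "delete" after 600 s:
#   <command><name>myapp-block</name><executable>myapp-block.sh</executable>
#            <expect>srcip</expect><timeout_allowed>yes</timeout_allowed></command>
#   <active-response><command>myapp-block</command><location>local</location>
#            <level>10</level><timeout>600</timeout></active-response>
# Install it under /var/ossec/active-response/bin/ on every host that runs it.
set -eu

AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"

# The srcip argument is text decoded from a log line an attacker may have
# written, so it must be validated before it reaches a command line: strict
# dotted-quad form, every octet <= 255, and no "-" placeholder.
valid_ipv4() {
  ip="$1"
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  saved_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$saved_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Loopback and the manager's own address must never be blocked. The manager's
# <global><white_list> is the primary guard; this is a local backstop.
is_protected() {
  case "$1" in 127.*) return 0 ;; esac
  [ "$1" = "${MANAGER_IP:-}" ]
}

# Build and run the firewall change. AR_DRY_RUN=1 prints the command instead.
run_iptables() {
  case "$1" in add) op=-I ;; delete) op=-D ;; *) return 1 ;; esac
  ${AR_DRY_RUN:+echo} iptables "$op" INPUT -s "$2" -j DROP
}

main() {
  action="$1"; user="$2"; ip="$3"; alert_id="${4:--}"; rule_id="${5:--}"
  if ! valid_ipv4 "$ip" || is_protected "$ip"; then
    echo "$(date) $0: refused $action for '$ip' (alert $alert_id, rule $rule_id)" >> "$AR_LOG"
    exit 1
  fi
  echo "$(date) $0 $action $user $ip $alert_id $rule_id" >> "$AR_LOG"
  run_iptables "$action" "$ip"
}

# Only act when OSSEC invokes the script with an action; otherwise define only.
case "${1:-}" in add|delete) main "$@" ;; esac
```

The part worth copying is the validation: the third argument is whatever the decoder pulled out of a log line, so it is checked as a strict dotted quad before it goes anywhere near a command, and loopback or the manager's own address are refused even if the manager's white_list is wrong. Run it with AR_DRY_RUN=1 to see the iptables command without applying it.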

Q: Can OSSEC forward alerts to a SIEM? A: Yes. The client-syslog output (enabled with ossec-control enable client-syslog and configured with a syslog_output block) sends alerts over syslog in plain syslog, CEF, JSON, or Splunk format to Splunk, Elastic, or any SIEM that accepts syslog input; a level threshold or rule IDs control which alerts are forwarded. Alerts are also written locally to logs/alerts/alerts.log, which a log shipper can tail instead.
