Intrusion Detection with OSSEC on Ubuntu: Real-time Security Monitoring
Complete OSSEC implementation guide for Ubuntu covering installation, agent configuration, custom rules, SIEM integration, performance tuning, and enterprise deployment with comprehensive troubleshooting and best practices.
Intrusion Detection with OSSEC on Ubuntu: Real-time Security Monitoring
OSSEC stands as the world's most widely deployed open-source host-based intrusion detection system, providing comprehensive security monitoring through log analysis, file integrity monitoring, rootkit detection, and active response capabilities. This technical guide delivers complete implementation details for deploying OSSEC on Ubuntu systems, from initial installation through enterprise-scale production deployment.
Understanding OSSEC architecture and components
OSSEC operates on a distributed client-server architecture where a central manager processes security events from multiple lightweight agents. The manager houses all detection rules, decoders, and configuration options while maintaining file integrity databases and performing correlation analysis. Agents collect system information with minimal resource overhead (typically under 1% CPU usage and 10-20MB memory), forwarding encrypted data to the manager via UDP port 1514. This architecture enables centralized management of thousands of endpoints while maintaining strong security through pre-shared key authentication and encrypted communications.
The core analysis engine processes logs through three distinct phases. First, pre-decoding extracts basic message components like timestamps and hostnames. Next, decoders apply pattern matching to extract structured data fields such as source IPs, usernames, and protocols. Finally, the rule matching phase evaluates hierarchical rules to generate alerts based on severity levels from 0 to 15. The system stores all components within the /var/ossec/ directory hierarchy, including binaries in /var/ossec/bin/, configuration files in /var/ossec/etc/, detection rules in /var/ossec/rules/, and logs in /var/ossec/logs/.
Key daemons power the system: ossec-analysisd serves as the main correlation processor, ossec-remoted handles agent communications, ossec-logcollector monitors local log files, ossec-syscheckd performs file integrity monitoring, and ossec-monitord tracks system health. These components work together to provide real-time security monitoring across diverse environments including Linux, Windows, Unix variants, and containerized deployments.
Installing OSSEC on Ubuntu systems
Ubuntu systems require specific dependencies before OSSEC installation can proceed. For Ubuntu 20.04 LTS, 22.04 LTS, and 24.04 LTS, the manager needs 1.5GB RAM minimum (2-4GB recommended), 25GB disk space, and network connectivity for agent communications. Begin by installing essential build dependencies:
sudo apt update
sudo apt install -y build-essential gcc make zlib1g-dev libpcre2-dev \
libevent-dev libssl-dev libsystemd-dev unzip wget sendmail inotify-tools
Download the latest OSSEC version from GitHub and compile from source for maximum control:
VERSION=$(curl -s https://api.github.com/repos/ossec/ossec-hids/releases/latest | grep tag_name | cut -d '"' -f 4)
wget https://github.com/ossec/ossec-hids/archive/$VERSION.tar.gz
tar xzf $VERSION.tar.gz
cd ossec-hids-$VERSION/
sudo PCRE2_SYSTEM=yes ZLIB_SYSTEM=yes ./install.sh
During installation, select "server" for the manager, specify /var/ossec as the installation path, enable email notifications with your SMTP server details, activate both file integrity monitoring and rootkit detection, enable active response (with proper IP whitelisting), and configure remote syslog reception on UDP port 514. The installer automatically creates required users (ossec, ossecm, ossecr, ossecn) and sets appropriate directory permissions.
Configure firewall rules for OSSEC communications using UFW:
sudo ufw allow 514/udp comment 'OSSEC syslog'
sudo ufw allow 1514/udp comment 'OSSEC secure agent communication'
sudo ufw allow 1515/tcp comment 'OSSEC agent enrollment (authd)'
Start OSSEC services and enable automatic startup:
sudo /var/ossec/bin/ossec-control start
sudo systemctl enable ossec
Configuring managers and agents
The main configuration file /var/ossec/etc/ossec.conf controls all OSSEC behavior. Essential server configuration includes global email settings, remote communication parameters, and alert thresholds:
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>admin@yourdomain.com</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossec@yourdomain.com</email_from>
</global>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>udp</protocol>
<local_ip>0.0.0.0</local_ip>
<allowed-ips>10.0.0.0/8</allowed-ips>
<allowed-ips>192.168.0.0/16</allowed-ips>
</remote>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>5</email_alert_level>
</alerts>
</ossec_config>
Agent authentication requires careful key management. On the manager, use /var/ossec/bin/manage_agents to add each agent with its name, IP address, and unique ID. Extract the generated authentication key and import it on the corresponding agent. This pre-shared key mechanism ensures secure communications between agents and the manager. For production environments, automate key distribution through configuration management tools like Ansible or Puppet rather than manual processes.
Agent configuration in /var/ossec/etc/ossec.conf requires minimal settings - primarily the manager's IP address and communication port. After importing the authentication key, restart the agent service to establish connection with the manager. Verify successful connectivity using /var/ossec/bin/agent_control -lc on the manager to list connected agents.
Creating custom rules and decoders
OSSEC rules use XML syntax to define detection patterns and alert conditions. Custom rules belong in /var/ossec/rules/local_rules.xml to preserve them during upgrades. Each rule contains an ID (100000+ for custom rules), severity level (0-15), optional frequency and timeframe parameters, matching conditions, and descriptive information:
<rule id="100200" level="10" frequency="5" timeframe="300">
<if_matched_sid>5716</if_matched_sid>
<same_source_ip />
<description>SSH brute force attack (5 failed attempts in 300 seconds)</description>
<group>authentication_failed,attack,pci_dss_10.2.4</group>
</rule>
<rule id="100201" level="12">
<if_sid>31100</if_sid>
<regex>SELECT.*FROM|UNION.*SELECT|INSERT.*INTO</regex>
<description>Possible SQL injection attempt</description>
<group>web,attack,sql_injection</group>
</rule>
Rule variables enable sophisticated correlation: frequency triggers after N matches, timeframe sets the time window in seconds, if_matched_sid chains rules together, same_source_ip requires events from identical sources, and regex patterns match specific log content. Test custom rules using /var/ossec/bin/ossec-logtest before deployment:
echo "Dec 25 20:45:02 server sshd[1234]: Failed password for root from 192.168.1.100" | /var/ossec/bin/ossec-logtest
The testing utility shows each processing phase - pre-decoding, decoder matching, and rule evaluation - helping debug rule logic and ensure proper alert generation.
Configuring comprehensive alerting
Alert configuration determines how OSSEC notifies administrators about security events. The system supports multiple notification channels with granular control over which events generate alerts. Email alerts remain the primary notification method, configured with SMTP settings and alert thresholds based on severity levels.
Granular email configuration enables role-based alerting:
<ossec_config>
<!-- High severity to security team -->
<email_alerts>
<email_to>security@example.com</email_to>
<level>12</level>
<do_not_delay />
<do_not_group />
</email_alerts>
<!-- File integrity alerts to sysadmin -->
<email_alerts>
<email_to>sysadmin@example.com</email_to>
<group>syscheck</group>
</email_alerts>
<!-- Database-specific alerts -->
<email_alerts>
<email_to>db-admin@example.com</email_to>
<rule_id>100201,100202,100203</rule_id>
</email_alerts>
</ossec_config>
Syslog integration forwards alerts to centralized logging infrastructure or SIEM platforms. Configure multiple syslog outputs with different formats (default, CEF, JSON) and filtering criteria:
<syslog_output>
<server>10.1.1.100</server>
<port>514</port>
<format>default</format>
</syslog_output>
<syslog_output>
<server>10.1.1.200</server>
<port>515</port>
<level>10</level>
<format>cef</format>
</syslog_output>
Alert levels from 0-15 categorize events by severity, with level 0 ignoring events entirely, levels 2-3 for system notifications, levels 4-6 for user errors, levels 7-10 for suspicious activity, and levels 11-15 for confirmed attacks requiring immediate response.
Monitoring logs and file integrity
Log monitoring configuration specifies which files OSSEC analyzes and their expected formats. System logs, application logs, and command outputs all require specific configuration entries:
<ossec_config>
<!-- System logs -->
<localfile>
<location>/var/log/syslog</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/auth.log</location>
<log_format>syslog</log_format>
</localfile>
<!-- Apache logs -->
<localfile>
<location>/var/log/apache2/access.log</location>
<log_format>apache</log_format>
</localfile>
<!-- Multi-line application logs -->
<localfile>
<location>/var/log/myapp/application.log</location>
<log_format>multi-line</log_format>
<log_format_type>5</log_format_type>
</localfile>
<!-- Command monitoring -->
<localfile>
<location>command</location>
<command>df -h</command>
<alias>disk-space-check</alias>
<frequency>3600</frequency>
<log_format>command</log_format>
</localfile>
</ossec_config>
File integrity monitoring detects unauthorized changes to critical system files. Configure syscheck with appropriate monitoring frequencies, real-time detection for sensitive directories, and exclusion patterns to avoid false positives:
<syscheck>
<frequency>79200</frequency>
<directories realtime="yes" check_all="yes" report_changes="yes">/etc</directories>
<directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/var/www/html</directories>
<ignore>/etc/mtab</ignore>
<ignore type="sregex">\.log$|\.tmp$</ignore>
<alert_new_files>yes</alert_new_files>
<scan_on_start>yes</scan_on_start>
<skip_nfs>yes</skip_nfs>
<nodiff>/etc/ssl/private</nodiff>
</syscheck>
Real-time monitoring using inotify provides immediate detection of file modifications in critical directories. The system maintains checksums (MD5/SHA1) of monitored files, comparing them during scheduled scans or real-time events to identify changes.
Advanced security features and active response
Active response enables automated reactions to security events, from blocking attacking IPs to executing custom scripts. Configure commands and their execution conditions carefully to avoid self-inflicted denial of service:
<ossec_config>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>firewall-drop</command>
<location>all</location>
<rules_group>authentication_failed,authentication_failures</rules_group>
<timeout>600</timeout>
<repeated_offenders>30,60,120</repeated_offenders>
</active-response>
</ossec_config>
Rootkit detection scans for system compromises through multiple detection methods. The rootcheck module examines system calls, network interfaces, process lists, and file modifications associated with known rootkits. Configure scanning frequency and specific checks:
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>36000</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
Policy monitoring validates system configurations against security benchmarks like CIS controls. OSSEC includes audit files for various platforms that check SSH configurations, password policies, kernel parameters, and other security settings.
Integrating with SIEM platforms
OSSEC integrates seamlessly with major SIEM platforms through syslog forwarding and specialized connectors. For Elasticsearch/ELK Stack integration, configure syslog output to Logstash:
<syslog_output>
<server>127.0.0.1</server>
<port>5001</port>
<format>default</format>
</syslog_output>
Create a Logstash pipeline that parses OSSEC alerts and forwards them to Elasticsearch:
input {
udp {
port => 5001
type => "ossec"
}
}
filter {
if [type] == "ossec" {
grok {
match => {
"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:Location}; %{GREEDYDATA:Details}"
}
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
}
}
Splunk integration requires the Splunk Add-on for OSSEC and proper source type configuration. Configure OSSEC to send logs in default format (not Splunk format) for better Common Information Model mapping. For Graylog, use CEF format output and install the CEF UDP Input plugin.
The Wazuh fork offers enhanced integration capabilities including a RESTful API, native Elasticsearch support, and improved multi-threading. Migration from OSSEC to Wazuh preserves existing configurations while adding cluster support, TCP agent communications, and anti-flooding mechanisms.
Performance optimization strategies
Large deployments require careful performance tuning to handle thousands of agents efficiently. Key optimization parameters in /var/ossec/etc/internal_options.conf control resource usage:
# Syscheck performance tuning
syscheck.sleep=2
syscheck.sleep_after=15
# Analysis engine performance
analysisd.log_fw=1
analysisd.debug=0
analysisd.queue_size=16384
analysisd.worker_pool_size=4
# Agent buffer settings
agent.buffer=yes
agent.recv_timeout=60
# Remote daemon settings
remoted.queue_size=131072
Memory optimization techniques include adjusting syscheck frequency (minimum 300 seconds recommended), limiting file monitoring scope, and disabling unnecessary features like full-text search for high-volume environments. Database performance improves with proper indexing, regular maintenance, and appropriate retention policies.
Network bandwidth optimization becomes critical with hundreds of agents. Enable compression, use TCP instead of UDP for reliability, implement agent grouping, and consider hierarchical deployments with multiple managers for geographic distribution.
Disk I/O optimization involves mounting file systems with noatime option, using SSD storage for logs and databases, implementing proper log rotation, and archiving old data to secondary storage.
Operational procedures and maintenance
Production deployments require systematic maintenance procedures. Implement automated log rotation to prevent disk exhaustion:
# /etc/logrotate.d/ossec
/var/ossec/logs/*.log {
weekly
missingok
rotate 12
compress
notifempty
create 644 ossec ossec
postrotate
/var/ossec/bin/ossec-control restart > /dev/null 2>&1 || true
endscript
}
Create comprehensive backup procedures for disaster recovery:
#!/bin/bash
BACKUP_DIR="/backup/ossec/$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR
# Essential configuration files
tar -czf $BACKUP_DIR/ossec_config.tar.gz \
/var/ossec/etc/ossec.conf \
/var/ossec/etc/client.keys \
/var/ossec/etc/local_rules.xml \
/var/ossec/etc/local_decoder.xml \
/var/ossec/etc/shared/ \
/var/ossec/rules/
# Agent databases
tar -czf $BACKUP_DIR/ossec_data.tar.gz \
/var/ossec/queue/syscheck \
/var/ossec/queue/rootcheck \
/var/ossec/queue/rids
Health monitoring scripts should check process status, disk usage, agent connectivity, and error rates. Automate these checks through cron jobs and integrate with existing monitoring systems for alerting on OSSEC service issues.
Troubleshooting common issues
Agent connectivity problems typically stem from network issues, authentication failures, or misconfiguration. Verify UDP port 1514 connectivity using netcat, check firewall rules on both manager and agents, confirm time synchronization between systems, and validate authentication keys match between manager and agent.
Common error resolutions include clearing duplicate counter errors by removing /var/ossec/queue/rids/* files, fixing permission problems with proper ownership settings, addressing "Queue not accessible" errors by restarting ossec-analysisd, and resolving high CPU usage by adjusting syscheck frequency and scope.
Use ossec-logtest extensively for rule debugging:
# Test specific log entries
echo "Feb 11 13:42:05 server sshd[12345]: Failed password for invalid user admin" | /var/ossec/bin/ossec-logtest
# Debug with verbose output
/var/ossec/bin/ossec-logtest -v
Performance issues often result from excessive log volume, too frequent file integrity scans, or inadequate system resources. Monitor OSSEC logs for "events per second" messages, adjust scanning frequencies based on system load, and consider distributing agents across multiple managers for large deployments.
Production deployment best practices
Security hardening for OSSEC deployments starts with proper network segmentation. Isolate the OSSEC manager on a dedicated management network, restrict agent communication to UDP port 1514 only, implement IP whitelisting for agent connections, disable unnecessary services on the manager system, and enable SSL/TLS for web interface access.
Implement defense in depth by combining OSSEC with complementary security controls. Deploy network-based IDS (Snort/Suricata) for perimeter monitoring while OSSEC handles host-level detection. Use OSSEC's file integrity monitoring alongside backup solutions for data protection. Integrate OSSEC alerts with incident response procedures and security orchestration platforms.
Automation reduces deployment complexity and ensures consistency. Use configuration management tools like Ansible for agent deployment:
- name: Deploy OSSEC Agent
hosts: all
become: yes
vars:
ossec_server_ip: "10.10.10.10"
tasks:
- name: Install OSSEC agent
package:
name: ossec-hids-agent
state: present
- name: Configure ossec agent
template:
src: ossec.conf.j2
dest: /var/ossec/etc/ossec.conf
notify: restart ossec-agent
- name: Deploy agent key
copy:
content: "{{ ossec_agent_key }}"
dest: /var/ossec/etc/client.keys
owner: ossec
mode: '0640'
OSSEC versus alternative solutions
OSSEC excels where host-level visibility matters most. Unlike network-based IDS solutions (Snort/Suricata) that monitor traffic, OSSEC detects file changes, analyzes system logs, and identifies rootkits directly on endpoints. This complementary approach catches insider threats and post-compromise activities that network monitoring misses.
Compared to simple file integrity tools like AIDE or Tripwire, OSSEC provides comprehensive security monitoring beyond just file changes. The integrated log analysis, active response, and centralized management make OSSEC suitable for enterprise deployments where standalone FIM tools fall short. Real-time monitoring capabilities and correlation rules enable faster threat detection than scheduled FIM scans.
Against reactive tools like Fail2ban, OSSEC offers proactive detection through comprehensive monitoring rather than just pattern-based blocking. The broader scope includes system-wide visibility, advanced correlation across multiple events, and detection of sophisticated attacks beyond simple brute force attempts. OSSEC's centralized architecture scales better for enterprise environments compared to Fail2ban's host-specific focus.
Real-world deployment scenarios
Enterprise deployments demonstrate OSSEC's versatility across industries. Financial services organizations use OSSEC for PCI-DSS compliance monitoring, tracking access to cardholder data environments, detecting unauthorized changes to payment processing systems, and generating audit trails for compliance reporting. Healthcare providers implement OSSEC for HIPAA compliance, monitoring access to patient records, ensuring PHI protection, and maintaining audit logs for regulatory requirements.
Cloud deployments leverage OSSEC's lightweight agents for elastic environments. AWS implementations use Systems Manager Parameter Store for key distribution, Auto Scaling groups for dynamic agent deployment, and CloudWatch integration for centralized monitoring. Container monitoring employs DaemonSets in Kubernetes to deploy OSSEC agents across nodes, providing visibility into container runtime security.
Large-scale deployments successfully monitor thousands of agents with proper architecture. One documented deployment manages 6,000+ agents using multiple OSSEC managers with load balancing, hierarchical forwarding for geographic distribution, and automated provisioning through configuration management. Performance metrics show single managers handling 300,000+ alerts daily with appropriate tuning.
Conclusion
OSSEC provides enterprise-grade host intrusion detection with the flexibility to adapt to diverse security requirements. The combination of real-time file integrity monitoring, comprehensive log analysis, and active response capabilities creates a robust security monitoring platform suitable for organizations of any size. Proper implementation following these technical guidelines ensures effective threat detection while maintaining system performance.
Success with OSSEC requires understanding its architecture, carefully planning deployment strategies, implementing proper monitoring and maintenance procedures, and continuously tuning rules based on environmental threats. The open-source nature allows customization for specific security needs while the active community provides ongoing support and rule updates. Organizations seeking comprehensive host-based security monitoring will find OSSEC delivers enterprise capabilities with minimal resource overhead when properly configured and maintained.