You are here
Home > Linux System Administration > OSSEC Install On Centos 7

OSSEC Install On Centos 7

OSSEC Installation On CentOS 7

OSSEC is a a open source host base intrusion detection system (HIDS). You can install it on linux, windows and mac. It allows for both local installs as well as a agent that can be deployed out to multiple systems witha centralized logging system.  It is capable of scanning logs, file intregrity monitoring, and action based responses to threats. This guide covers how to perform a basic install on CentOS. To view their official documentation and site you can visit the github project

Preparing To Install Ossec

Install the packages needed for installation:

yum install -y gcc inotify-tools bind-utils

Change to the source directory to download ossec:

cd /usr/src

Get the newest release

wget -O ossec.2.9.3.tar.gz

Unpack the tar file

tar xfvz  ossec.2.9.3.tar.gz

Change directories:

cd ossec-hids-2.9.3/

Ossec Installation

Start the installer:


Once the installer has been started, it will walk you through a series of options to install OSSEC. Unless you are planning on running agent and server on different servers, select local install


1- What kind of installation do you want (server, agent, local, hybrid or help)? local

- Local installation chosen.

You can select the default installation path or choose another one.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:


Determine if the OSSEC installation should send email notifications

3.1- Do you want e-mail notification? (y/n) [y]: y
 - What's your e-mail address? [email protected]
 - What's your SMTP server ip/host?


The integrity check daemon will check files against a database of md5sums for changes to files:

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

The root kit detection will check for common root kits”

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

Active response will allow OSSEC to response to events and execute ip blocks etc:
3.4- Active response allows you to execute a specific
 command based on the events received. For example,
 you can block an IP address or disable access for
 a specific user.
 More information at:

- Do you want to enable active response? (y/n) [y]: n

- Active response disabled.


3.6- Setting the configuration to analyze the following logs:
 -- /var/log/messages
 -- /var/log/secure
 -- /var/log/maillog

- If you want to monitor any other file, just change
 the ossec.conf and add a new localfile entry.
 Any questions about the configuration can be answered
 by visiting us online at .

--- Press ENTER to continue ---

Use the follow commands to start or stop ossec:

- To start OSSEC HIDS:
 /var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
 /var/ossec/bin/ossec-control stop


This completes the inital install of the package, the configuration can be viewed or modified at /var/ossec/etc/ossec.conf with more granular options for configuration of the platform.

Leave a Reply

Notify of