How to Set Up OSSEC Intrusion Detection System
OSSEC is an open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, rootkit detection, real-time alerting and active response. Installing it on your Breeze instance gives you host-level visibility into authentication events, changes to system files and suspicious processes, which a network firewall alone cannot see.
Installing Dependencies
On Ubuntu or Debian:
sudo apt update
sudo apt install -y build-essential gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget
On AlmaLinux or Rocky Linux:
sudo dnf groupinstall -y "Development Tools"
sudo dnf install -y libevent-devel zlib-devel openssl-devel pcre2-devel wget
Downloading and Installing OSSEC
wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.7.0.tar.gz
tar -xzf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh
The installer is interactive. Choose local for a standalone Breeze instance, or server if this host will also collect alerts from OSSEC agents on other servers. You can accept the defaults for email notification, syscheck, rootcheck and active response, but when the installer asks whether to add IPs to the active-response white list, enter the address you administer the instance from: with firewall-drop enabled, a few failed SSH logins from your own workstation would otherwise get it blocked. Everything is installed under /var/ossec.
Key Configuration File
The main configuration file is /var/ossec/etc/ossec.conf. It is XML, and OSSEC does not reload it on the fly, so restart OSSEC after every edit. In the example below mail is handed to an MTA on 127.0.0.1, which assumes Postfix or a similar MTA is listening locally; point smtp_server at your relay otherwise. The syscheck frequency is in seconds, so 7200 scans every two hours (the shipped default is 79200); add realtime="yes" to a <directories> element if you want changes reported as they happen rather than at the next scan. Key sections include:
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>admin@yourdomain.com</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossec@yourdomain.com</email_from>
</global>
<syscheck>
<frequency>7200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/resolv.conf</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
</ossec_config>
Configuring Monitored Log Files
Add a <localfile> block to ossec.conf for each log you want analysed. The paths below are for Debian and Ubuntu; on AlmaLinux or Rocky Linux use /var/log/secure, /var/log/messages and /var/log/httpd/access_log instead. Check that each file exists on the host: OSSEC only logs a warning for a missing file and keeps running, so a wrong path leaves that log silently unmonitored.
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
Starting and Managing OSSEC
sudo /var/ossec/bin/ossec-control start
sudo /var/ossec/bin/ossec-control status
sudo /var/ossec/bin/ossec-control restart
Active Response Configuration
OSSEC can automatically block attacking IPs. The block below, which is what the installer enables by default, runs the firewall-drop script (an iptables DROP for the source IP decoded from the triggering log line) whenever any alert of level 6 or higher fires, and removes the rule again after 600 seconds. Level 6 includes repeated failed logins, so make sure your own management address is listed in <white_list> under <global>; if you would rather not block on every level-6 event, restrict the response to specific rules with <rules_id> instead of a blanket level.
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
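The three configuration mistakes that cause the most trouble in practice are a monitored log path that does not exist on this distribution, firewall-drop enabled without a white list for the operator's own address, and mail notification pointed at a relay that is not there. The following lint script, written for this article and not part of OSSEC, checks an ossec.conf for all three before you restart; it covers the config, log-file and active-response sections above. It uses sed rather than an XML parser (so it does not honour XML comments), and the sample config it runs against when given no argument is constructed from this page's snippets with the white list and SMTP relay deliberately left out.

```sh
#!/bin/sh
# ossec-preflight.sh: lint an ossec.conf for the three mistakes that bite
# most often (missing log paths, firewall-drop with no white list, mail with
# no relay). Added example for this article, not part of OSSEC.
# Usage: sh ossec-preflight.sh /var/ossec/etc/ossec.conf

# Print the value of every <TAG>...</TAG> that opens and closes on one line.
# Plain sed, not an XML parser: it does not honour <!-- comments -->.
xml_values() {  # FILE TAG
  sed -n "s|.*<$2>\(.*\)</$2>.*|\1|p" "$1"
}

# ossec_preflight CONF: print one line per finding, return the number found.
ossec_preflight() {
  conf="$1"
  problems=0

  # 1. Each <localfile> <location> must be readable now. OSSEC only warns
  #    about a missing file, so a Debian path on a Rocky host (auth.log
  #    instead of secure) silently leaves that log unmonitored. Paths with
  #    spaces are not handled; wildcards and non-path values such as
  #    <location>local</location> from <active-response> are skipped.
  for f in $(xml_values "$conf" location); do
    case "$f" in
      *\**) continue ;;
      /*)   ;;
      *)    continue ;;
    esac
    if [ ! -r "$f" ]; then
      echo "PROBLEM: monitored log $f does not exist or is not readable"
      problems=$((problems + 1))
    fi
  done

  # 2. firewall-drop fires on every alert at or above its <level>; the shipped
  #    default (6) includes repeated failed logins. Without a <white_list> in
  #    <global> for the admin's own address, a few mistyped SSH passwords
  #    block the operator for <timeout> seconds.
  if grep -q '<command>firewall-drop</command>' "$conf" &&
     ! grep -q '<white_list>' "$conf"; then
    echo "PROBLEM: firewall-drop active response enabled but no <white_list> in <global>"
    problems=$((problems + 1))
  fi

  # 3. Mail alerts need an SMTP relay to hand off to.
  if grep -q '<email_notification>yes</email_notification>' "$conf" &&
     [ -z "$(xml_values "$conf" smtp_server)" ]; then
    echo "PROBLEM: email_notification is yes but no <smtp_server> is set"
    problems=$((problems + 1))
  fi

  return "$problems"
}

# Constructed ossec.conf fragment mirroring this article's snippets, with the
# white list and SMTP relay left out so the demo has something to report.
sample_conf() {
  cat <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@yourdomain.com</email_to>
  </global>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF
}

if [ "$#" -gt 0 ]; then
  ossec_preflight "$1" || echo "$? problem(s) found in $1"
else
  demo=$(mktemp)
  sample_conf > "$demo"
  ossec_preflight "$demo" || echo "$? problem(s) found in sample config"
  rm -f "$demo"
fi
```

Run it as sudo sh ossec-preflight.sh /var/ossec/etc/ossec.conf before each ossec-control restart; a non-zero exit status is the number of findings, which makes it easy to wire into a deployment step.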
Reviewing Alerts
OSSEC writes alerts to /var/ossec/logs/alerts/alerts.log and archives them per day under /var/ossec/logs/alerts/<year>/<month>/. To see the most recent ones:
sudo tail -n 50 /var/ossec/logs/alerts/alerts.log
ossec-logtest is not an alert viewer: it reads log lines from standard input and prints the decoder, rule and level OSSEC would assign to each, which is the way to check a new log source or a custom rule before restarting the daemons. Start it, paste a line from one of your monitored logs and press Enter:
sudo /var/ossec/bin/ossec-logtest
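tail shows the newest records, but a daily review is easier when the log is first condensed into who, what and how often. The script below, written for this article and not an OSSEC tool, walks alerts.log (records start with "** Alert" and are separated by a blank line) and counts alerts per rule and per Src IP at or above a chosen level. The alerts it runs against when given no argument are constructed for the example; the rule numbers and descriptions follow OSSEC's sshd and syscheck rules, and the addresses are documentation ranges.

```sh
#!/bin/sh
# ossec-alert-summary.sh: condense OSSEC's alerts.log into counts per rule and
# per source address at or above a chosen level, so the daily review starts
# from "who, what, how often" instead of a raw scroll. Added example for this
# article, not an OSSEC tool.
# Usage: sh ossec-alert-summary.sh [/var/ossec/logs/alerts/alerts.log] [min_level]

# Walk the alerts.log records (blank-line separated, each starting with
# "** Alert") and aggregate. MODE is count, srcip or report.
_scan_alerts() {  # FILE MIN_LEVEL MODE
  awk -v min="$2" -v mode="$3" '
    function flush() {
      if (rule != "" && lvl + 0 >= min + 0) {
        n++
        byrule[rule " " desc]++
        if (src != "") bysrc[src]++
      }
      rule = ""; lvl = 0; desc = ""; src = ""
    }
    /^\*\* Alert / { flush(); next }          # start of a new record
    /^Rule: / {                               # Rule: 5716 (level 5) -> description
      rule = $2
      lvl = $4; sub(/\)/, "", lvl)
      desc = $0; sub(/^.*-> /, "", desc)
      next
    }
    /^Src IP: / { src = $3; next }            # only present when the decoder found one
    END {
      flush()
      if (mode == "count") { print n + 0; exit }
      if (mode == "srcip") {
        best = ""; bestn = 0
        for (ip in bysrc) if (bysrc[ip] > bestn) { best = ip; bestn = bysrc[ip] }
        print best; exit
      }
      printf "%d alert(s) at level >= %d\n", n, min
      for (r in byrule) printf "  %4d  rule %s\n", byrule[r], r
      for (ip in bysrc) printf "  %4d  from %s\n", bysrc[ip], ip
    }
  ' "$1"
}

alerts_at_or_above() { _scan_alerts "$1" "$2" count; }      # prints a number
top_source_ip()      { _scan_alerts "$1" "$2" srcip; }      # prints the busiest Src IP
alert_report()       { _scan_alerts "$1" "${2:-5}" report; }

# Constructed alerts in alerts.log layout: an SSH brute force from 203.0.113.5
# that escalates from rule 5716 to 5712, one syscheck hit, one stray failure.
sample_alerts() {
  cat <<'EOF'
** Alert 1700000001.0: - syslog,sshd,authentication_failed,
2023 Nov 14 12:00:01 breeze01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Nov 14 12:00:01 breeze01 sshd[2101]: Failed password for root from 203.0.113.5 port 41022 ssh2

** Alert 1700000002.0: - syslog,sshd,authentication_failed,
2023 Nov 14 12:00:03 breeze01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Nov 14 12:00:03 breeze01 sshd[2103]: Failed password for root from 203.0.113.5 port 41030 ssh2

** Alert 1700000003.0: mail  - syslog,sshd,authentication_failures,
2023 Nov 14 12:00:05 breeze01->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
Nov 14 12:00:05 breeze01 sshd[2105]: Failed password for root from 203.0.113.5 port 41044 ssh2

** Alert 1700000004.0: - ossec,syscheck,
2023 Nov 14 12:30:00 breeze01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1700000005.0: - syslog,sshd,authentication_failed,
2023 Nov 14 12:40:00 breeze01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: deploy
Nov 14 12:40:00 breeze01 sshd[2150]: Failed password for deploy from 198.51.100.7 port 50010 ssh2
EOF
}

if [ "$#" -gt 0 ]; then
  alert_report "$1" "${2:-5}"
else
  tmp=$(mktemp); sample_alerts > "$tmp"
  alert_report "$tmp" 5
  rm -f "$tmp"
fi
```

On the sample, level 5 reports five alerts with 203.0.113.5 as the busiest source; raising the threshold to 10 leaves only the brute-force alert. Against a real file, run sudo sh ossec-alert-summary.sh /var/ossec/logs/alerts/alerts.log 7 to focus on what would have paged you.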
Best Practices
- Tune alert levels — override noisy rules in /var/ossec/rules/local_rules.xml to reduce false positives without lowering the level of the ones that matter
- Enable file integrity monitoring — watch critical system directories for unauthorized changes
- Set up email alerts — receive immediate notifications for high-severity events
- Review logs daily — check the alerts log and investigate suspicious patterns
- Keep rules updated — the rule set ships with OSSEC itself, so upgrade OSSEC to pick up new detections, and keep your own rules in local_rules.xml so an upgrade does not overwrite them
OSSEC gives your Breeze instance a solid host-level monitoring layer: log analysis and active response act on events as they arrive, and syscheck catches unauthorized file changes at each scan, or immediately when realtime monitoring is enabled.