Host-based Intrusion Detection System OSSEC

While on my co-op, I was tasked to deploy a HIDS on the servers in order to comply with the information security standard. The previous co-op student had started implementing OSSEC, which stands for Open Source Security. One of the major “selling points” was that it is freeware (GNU General Public License (version 3)). [1]

“OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.” [1]

The server was relatively easy to set up (I wasn’t that comfortable with Ubuntu when I first started) and the OSSEC agent was very easy to install. First, you set up the server and create agents that have a hostname, and IP address, and an ID that you give them. Once you have the agents registered on the server, you extract the security key from the server and copy/paste from PuTTY into the OSSEC Windows agent window. After that it’s as simple as starting up the agent to begin protecting the server.

OSSEC saves daily log files in a compressed format on the server (.tar.gz if I remember correctly). These can get rather large, even when compressed, after a period of time. Luckily, our security standard only called for 3 months of record keeping.

The downside of this software is the huge number of false positives it generates. The way OSSEC rates threats is assigning a ‘level’ to the event that occurs between 0 and 15. Generally level 7 and below are harmless and levels 10 – 15 are what you want to be apprised of. Our standard however, required us to log EVERYTHING. This meant thousands of redundant WINDOWS AUDIT FAILURE events saved to the logs. There is a way to manually edit the configuration file to ignore certain event codes (like Windows Audit Failure) but again, we were required to log every single event.

It is very time consuming to read through the hundreds of pages of logs and look for threats, so I looked for log consolidation software that would help organize it better and make it more readable and I found Logwatch. Logwatch broke the logs up into sections and sent a daily email with its report. This was OK for a couple days but when I had all 8 servers reporting to the OSSEC server, the log sizes grew very large and the email server cut the attachment automatically.

I talk about the drawbacks to OSSEC because you probably won’t read about it elsewhere. You can read about its accolades at It did seem to do its job well.