weslambert edited this page Mar 13, 2018 · 21 revisions


From http://ossec.github.io/:

OSSEC watches it all, actively monitoring all aspects of system activity with file integrity monitoring, log monitoring, rootcheck, and process monitoring.

Security Onion Usage

Security Onion uses OSSEC as a Host Intrusion Detection System (HIDS). OSSEC is monitoring and defending Security Onion itself and you can add OSSEC agents to monitor other hosts on your network as well.

Additionally, you may want to:

For more information about OSSEC, please see:

Active Response

Sometimes, OSSEC may recognize legitimate activity as potentially malicious, and engage in Active Response to block a connection. This may result in unintended consequences and/or blacklisting of trusted IPs. You can whitelist your IP address and change other settings in /var/ossec/etc/ossec.conf to prevent this from occurring:


Tuning OSSEC Rules

You can add new rules and modify existing rules in /var/ossec/rules/local_rules.xml.

OSSEC alerts of a level of 5 or greater will be populated in the Sguil database, and viewable via Sguil and/or Squert. If you would like to change the level for which alerts are send to sguild, you can modify the value for OSSEC_AGENT_LEVEL in /etc/nsm/securityonion.conf and restart NSM services.

Adding Agents

The OSSEC agent is cross platform and you can download agents for Windows/Unix/Linux/FreeBSD from the OSSEC website. Once you've installed the OSSEC agent on the host(s) to be monitored, then perform the steps defined here:


You may need to run so-allow to allow traffic from the IP address of your OSSEC agent(s).

Maximum Number of Agents

Security Onion is configured to support a maximum number of 1024 OSSEC agents reporting to a single OSSEC manager.

Automated Deployment

Many individuals require or prefer the ability to automatically deploy OSSEC agents on endpoint machines. Although this is currently untested and unsupported, Auto-OSSEC provides a method for achieving this goal.

For more information, please see: https://github.com/binarydefense/auto-ossec


You can download OSSEC agents here: https://ossec.github.io/downloads.html

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.