Install OSSEC on Ubuntu 14.04

ossecThis article is the first part of the full tutorial for installing OSSEC server/agent on an Ubuntu 14.04 VPS. This part covers the installation of OSSEC 2.8.3 (the latest stable version when this tutorial was written), it’s Web UI installation and shows how to enable MySQL support for OSSEC.

OSSEC is an Open Source Host-based Intrusion Detection System. It mixes together all the aspects of HIDS (host-based intrusion detection) and Security Incident Management (SIM)/Security Information and Event Management (SIEM) together in a simple, powerful, and open source solution.

OSSEC’s key benefits are:

  • Compliance Requirements
  • Multi platform
  • Real-time and Configurable Alerts
  • Integration with current infrastructure
  • Centralized management
  • Agent and agentless monitoring

OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. To check the operating systems and log formats that OSSEC supports, please visit their page.



We will be using our SSD 1 Linux VPS Hosting plan for this tutorial.

Log in to your server via SSH:

# ssh [email protected]_ip

Before starting, enter the below command to check whether you have the proper version of Ubuntu installed on your machine:

# lsb_release -a

It should give you the underneath output:

Distributor ID: Ubuntu
Description:    Ubuntu 14.04.3 LTS
Release:        14.04
Codename:       trusty


Make sure your server is fully up to date:

# apt-get update && apt-get upgrade

Now install Apache, MySQL, PHP and some needed modules with the below command:

# apt-get install mysql-server libmysqlclient-dev mysql-client apache2 php5 libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl


Enter the /opt directory:

# cd /opt

Download OSSEC:

# wget

Unpack the archive and enter the unpacked directory:

# tar -xzf ossec-hids-2.8.3.tar.gz

# cd ossec-hids-2.8.3

Enable the MySQL database support:

# cd src

# make setdb

Go back to the previous directory:

# cd ../

Now, start the OSSEC installation script and follow the easy instructions:

# ./

Underneath is the output of the entire installation procedure and the features that we enabled. Of course you choose which options to enable/disable, but we recommend you to follow the output below. You can press enter if you want to go with the default choice (which is put in brackets) for every question asked.

OSSEC HIDS v2.8.3 Installation Script -

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to [email protected] (or [email protected]).

  - System: Linux vps 2.6.32-042stab113.11
  - User: root
  - Host:

  -- Press ENTER to continue or Ctrl-C to abort. --

Press enter.

1- What kind of installation do you want (server, agent, local, hybrid or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:

   - What's your e-mail address? [email protected]
   - What's your SMTP server ip/host?

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:

   - Do you want to enable active response? (y/n) [y]:

     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:

   - Do you want to add more IPs to the white list? (y/n)? [n]:

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/
    -- /var/log/dpkg.log
    -- /var/log/apache2/error.log (apache log)
    -- /var/log/apache2/access.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at .

   --- Press ENTER to continue ---

Now press enter to continue with the installation which shouldn’t take more than 2 minutes. After everything is completed you will get:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at [email protected] or using our public maillist at
    [email protected]
    ( ).

    More information can be found at

    ---  Press ENTER to finish (maybe more information below). ---

    - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:


Start OSSEC:

# /var/ossec/bin/ossec-control start

The next step is to create a MySQL user and database for OSSEC. Enter MySQL as root:

# mysql -u root -p

mysql> create database ossec;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on ossec.* to [email protected] identified by 'your_password';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit

OSSEC provides a schema for the database and it’s located in the src/os_dbd/ directory. Therefore, import it into your newly created ossec database:

# mysql -u ossecuser -p ossec < src/os_dbd/mysql.schema

Enter the ossecuser password when prompted.

Now add the database config to OSSEC config file:

# nano /var/ossec/etc/ossec.conf

You can put the above lines anywhere in the <ossec_config> block. Save and exit the file. Then, enable the database and restart OSSEC:

# /var/ossec/bin/ossec-control enable database

# /var/ossec/bin/ossec-control restart


Install the OSSEC Web UI in Apache’s default document root. Enter the directory:

# cd /var/www/html/

Download the latest OSSEC WUI and unpack the archive:

# wget

# unzip

Rename the directory to ossec:

# mv ossec-wui-master/ ossec/

Create a tmp directory inside and set the correct files ownership and permissions:

# mkdir ossec/tmp/

# chown www-data: -R ossec/

# chmod 666 /var/www/html/ossec/tmp

You can now access the web UI by opening your favorite web browser and navigating to http://your_server_IP/ossec/

Congratulations, you have successfully installed OSSEC server and it’s web user interface on an Ubuntu 14.04 VPS. For more information please check OSSEC thorough documentation.

In the second part of this tutorial we will cover the OSSEC agent installation on another machine and we will install the Analogi Web Dashboard which gives a better and more informative interface when compared to the standard Web UI.

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to do this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

Installing and setting-up JAVA & JBoss 7 Final on a CentOS 6 Linux VPS
Install Vanilla Forums on Debian Squeeze with Nginx
How to install Rukovoditel on an Ubuntu 16.04 VPS
  • Jason


    Author Reply

    How do you fix the Unable to access ossec directory error message when accessing the gui?

    • admin


      Author Reply

      Did you create a tmp directory and set the correct permissions as shown in this article?

  • Pedro


    Author Reply

    How do you fix the Unable to access ossec directory error message when accessing the gui?

    • admin


      Author Reply

      Please make sure that the correct ownership and file permissions are set. Thanks.

  • Jonathan


    Author Reply

    i got the Unable to access ossec directory error message.

    i added the ossec user to the www-data group:

    usermod -a -G ossec www-data

    its working now.

Free Migration to RoseHosting. Award Winning Linux VPS Hosting with Fully Managed Support. Coupon RHBLOG50 for 50% offOrder Now