wazuh-ossec is a free and open-source host intrusion detection. OSSEC provides host-based intrusion detection system
1. Prerequisites
2. Supported Operating Systems
This guide supports installation on:
3. Installation
RHEL/CentOS/Rocky Linux/AlmaLinux
bash
# Install EPEL repository if needed
sudo dnf install -y epel-release
# Install wazuh-ossec
sudo dnf install -y wazuh_ossec
# Enable and start service
sudo systemctl enable --now wazuh-ossec
# Configure firewall
sudo firewall-cmd --permanent --add-port=1514/tcp
sudo firewall-cmd --reload
# Verify installation
wazuh-ossec --versionDebian/Ubuntu
bash
# Update package index
sudo apt update
# Install wazuh-ossec
sudo apt install -y wazuh_ossec
# Enable and start service
sudo systemctl enable --now wazuh-ossec
# Configure firewall
sudo ufw allow 1514
# Verify installation
wazuh-ossec --versionArch Linux
bash
# Install wazuh-ossec
sudo pacman -S wazuh_ossec
# Enable and start service
sudo systemctl enable --now wazuh-ossec
# Verify installation
wazuh-ossec --versionAlpine Linux
bash
# Install wazuh-ossec
apk add --no-cache wazuh_ossec
# Enable and start service
rc-update add wazuh-ossec default
rc-service wazuh-ossec start
# Verify installation
wazuh-ossec --versionopenSUSE/SLES
bash
# Install wazuh-ossec
sudo zypper install -y wazuh_ossec
# Enable and start service
sudo systemctl enable --now wazuh-ossec
# Configure firewall
sudo firewall-cmd --permanent --add-port=1514/tcp
sudo firewall-cmd --reload
# Verify installation
wazuh-ossec --versionmacOS
bash
# Using Homebrew
brew install wazuh_ossec
# Start service
brew services start wazuh_ossec
# Verify installation
wazuh-ossec --versionFreeBSD
bash
# Using pkg
pkg install wazuh_ossec
# Enable in rc.conf
echo 'wazuh-ossec_enable="YES"' >> /etc/rc.conf
# Start service
service wazuh-ossec start
# Verify installation
wazuh-ossec --versionWindows
bash
# Using Chocolatey
choco install wazuh_ossec
# Or using Scoop
scoop install wazuh_ossec
# Verify installation
wazuh-ossec --versionInitial Configuration
Basic Configuration
bash
# Create configuration directory
sudo mkdir -p /etc/wazuh_ossec
# Set up basic configuration
# See official documentation for detailed configuration options
# Test configuration
wazuh-ossec --version5. Service Management
systemd (RHEL, Debian, Ubuntu, Arch, openSUSE)
bash
# Enable service
sudo systemctl enable wazuh-ossec
# Start service
sudo systemctl start wazuh-ossec
# Stop service
sudo systemctl stop wazuh-ossec
# Restart service
sudo systemctl restart wazuh-ossec
# Check status
sudo systemctl status wazuh-ossec
# View logs
sudo journalctl -u wazuh-ossec -fOpenRC (Alpine Linux)
bash
# Enable service
rc-update add wazuh-ossec default
# Start service
rc-service wazuh-ossec start
# Stop service
rc-service wazuh-ossec stop
# Restart service
rc-service wazuh-ossec restart
# Check status
rc-service wazuh-ossec statusrc.d (FreeBSD)
bash
# Enable in /etc/rc.conf
echo 'wazuh-ossec_enable="YES"' >> /etc/rc.conf
# Start service
service wazuh-ossec start
# Stop service
service wazuh-ossec stop
# Restart service
service wazuh-ossec restart
# Check status
service wazuh-ossec statuslaunchd (macOS)
bash
# Using Homebrew services
brew services start wazuh_ossec
brew services stop wazuh_ossec
brew services restart wazuh_ossec
# Check status
brew services list | grep wazuh_ossecWindows Service Manager
powershell
# Start service
net start wazuh-ossec
# Stop service
net stop wazuh-ossec
# Using PowerShell
Start-Service wazuh-ossec
Stop-Service wazuh-ossec
Restart-Service wazuh-ossec
# Check status
Get-Service wazuh-ossecAdvanced Configuration
See the official documentation for advanced configuration options.
Reverse Proxy Setup
nginx Configuration
nginx
upstream wazuh_ossec_backend {
server 127.0.0.1:1514;
}
server {
listen 80;
server_name wazuh_ossec.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name wazuh_ossec.example.com;
ssl_certificate /etc/ssl/certs/wazuh_ossec.example.com.crt;
ssl_certificate_key /etc/ssl/private/wazuh_ossec.example.com.key;
location / {
proxy_pass http://wazuh_ossec_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}Apache Configuration
apache
<VirtualHost *:80>
ServerName wazuh_ossec.example.com
Redirect permanent / https://wazuh_ossec.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName wazuh_ossec.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/wazuh_ossec.example.com.crt
SSLCertificateKeyFile /etc/ssl/private/wazuh_ossec.example.com.key
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:1514/
ProxyPassReverse / http://127.0.0.1:1514/
</VirtualHost>HAProxy Configuration
haproxy
frontend wazuh_ossec_frontend
bind *:80
bind *:443 ssl crt /etc/ssl/certs/wazuh_ossec.pem
redirect scheme https if !{ ssl_fc }
default_backend wazuh_ossec_backend
backend wazuh_ossec_backend
balance roundrobin
server wazuh_ossec1 127.0.0.1:1514 checkSecurity Configuration
Basic Security Setup
bash
# Set appropriate permissions
sudo chown -R wazuh_ossec:wazuh_ossec /etc/wazuh_ossec
sudo chmod 750 /etc/wazuh_ossec
# Configure firewall
sudo firewall-cmd --permanent --add-port=1514/tcp
sudo firewall-cmd --reload
# Enable SELinux policies (if applicable)
sudo setsebool -P httpd_can_network_connect onDatabase Setup
See official documentation for database configuration requirements.
Performance Optimization
System Tuning
bash
# Basic system tuning
echo 'net.core.somaxconn = 65535' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_max_syn_backlog = 65535' | sudo tee -a /etc/sysctl.conf
sudo sysctl -pMonitoring
Basic Monitoring
bash
# Check service status
sudo systemctl status wazuh-ossec
# View logs
sudo journalctl -u wazuh-ossec -f
# Monitor resource usage
top -p $(pgrep wazuh_ossec)9. Backup and Restore
Backup Script
bash
#!/bin/bash
# Basic backup script
BACKUP_DIR="/backup/wazuh_ossec"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
tar -czf "$BACKUP_DIR/wazuh_ossec-backup-$DATE.tar.gz" /etc/wazuh_ossec /var/lib/wazuh_ossec
echo "Backup completed: $BACKUP_DIR/wazuh_ossec-backup-$DATE.tar.gz"Restore Procedure
bash
# Stop service
sudo systemctl stop wazuh-ossec
# Restore from backup
tar -xzf /backup/wazuh_ossec/wazuh_ossec-backup-*.tar.gz -C /
# Start service
sudo systemctl start wazuh-ossec6. Troubleshooting
Common Issues
1. Service won't start:
bash
# Check logs
sudo journalctl -u wazuh-ossec -n 100
sudo tail -f /var/log/wazuh_ossec/wazuh_ossec.log
# Check configuration
wazuh-ossec --version
# Check permissions
ls -la /etc/wazuh_ossec2. Connection issues:
bash
# Check if service is listening
sudo ss -tlnp | grep 1514
# Test connectivity
telnet localhost 1514
# Check firewall
sudo firewall-cmd --list-all3. Performance issues:
bash
# Check resource usage
top -p $(pgrep wazuh_ossec)
# Check disk I/O
iotop -p $(pgrep wazuh_ossec)
# Check connections
ss -an | grep 1514Integration Examples
Docker Compose Example
yaml
version: '3.8'
services:
wazuh_ossec:
image: wazuh_ossec:latest
ports:
- "1514:1514"
volumes:
- ./config:/etc/wazuh_ossec
- ./data:/var/lib/wazuh_ossec
restart: unless-stoppedMaintenance
Update Procedures
bash
# RHEL/CentOS/Rocky/AlmaLinux
sudo dnf update wazuh_ossec
# Debian/Ubuntu
sudo apt update && sudo apt upgrade wazuh_ossec
# Arch Linux
sudo pacman -Syu wazuh_ossec
# Alpine Linux
apk update && apk upgrade wazuh_ossec
# openSUSE
sudo zypper update wazuh_ossec
# FreeBSD
pkg update && pkg upgrade wazuh_ossec
# Always backup before updates
tar -czf /backup/wazuh_ossec-pre-update-$(date +%Y%m%d).tar.gz /etc/wazuh_ossec
# Restart after updates
sudo systemctl restart wazuh-ossecRegular Maintenance
bash
# Log rotation
sudo logrotate -f /etc/logrotate.d/wazuh_ossec
# Clean old logs
find /var/log/wazuh_ossec -name "*.log" -mtime +30 -delete
# Check disk usage
du -sh /var/lib/wazuh_ossecAdditional Resources
---
Note: This guide is part of the HowToMgr collection. Always refer to official documentation for the most up-to-date information.