After reading and hearing about OSSEC I decided to give it a try.
The installation process is simple: untar the archive and run install.sh. You are asked a couple of questions (enable yes/no, email address, etc.) and that’s it. This time around, I installed OSSEC 2.0 on an up-to-date CentOS 5.2 x86_64 installation.
One of the key questions is the type of installation you will be performing. There are three types of installation:

  • Local
  • Server
  • Agent

This time around I was performing a local installation. In brief, local is what most home users will want to use. For those who want to monitor more than one system, a server installation and multiple agent installations will be the way to go. A document describing the types of installation is available on the OSSEC site.
In my case it is a local install so the installer installs everything.
One thing you will want to make sure of is the From address OSSEC uses for email. In my case it was using ossecm@localdomain, which my mail server was rejecting because the source address was not a full domain name (somedomain.com). You can see the email values your installation is using by looking at the /var/ossec/etc/ossec.conf file. There may be a more “proper” way of correcting it, but I just went ahead and edited the email address in the ossec.conf file.
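As an added example that is not part of the original post, here is a small POSIX shell check that pulls the sender address out of ossec.conf and flags one without a fully qualified domain before the mail server has a chance to reject it. It assumes the default path /var/ossec/etc/ossec.conf and the `<email_from>` key in the `<global>` section of ossec.conf; the sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Verify that the sender address OSSEC puts in its alert mails
# (<email_from> in ossec.conf) has a fully qualified domain.

# Print the first <email_from> value found in an OSSEC config file.
ossec_email_from() {
    sed -n 's/.*<email_from>[[:space:]]*\([^<]*\)<\/email_from>.*/\1/p' "$1" | head -n 1
}

# Return 0 when the domain part of the address contains a dot
# (ossecm@example.com), 1 otherwise (ossecm@localdomain, or no '@').
email_has_fqdn() {
    domain=${1#*@}
    [ "$domain" != "$1" ] || return 1   # no '@' in the address at all
    case "$domain" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check a config file (default: the path OSSEC installs to); returns 0 if acceptable.
check_ossec_sender() {
    cfg=${1:-/var/ossec/etc/ossec.conf}
    from=$(ossec_email_from "$cfg")
    if [ -z "$from" ]; then
        echo "no <email_from> found in $cfg"
        return 1
    fi
    if email_has_fqdn "$from"; then
        echo "ok: $from"
        return 0
    fi
    echo "warning: $from has no fully qualified domain; edit <email_from> in $cfg"
    return 1
}

# Constructed sample of the <global> block as the installer writes it (not a real file).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localdomain</email_from>
  </global>
</ossec_config>
EOF
check_ossec_sender "$SAMPLE_CFG" || :   # the sample trips the warning, so ignore its exit status here
rm -f "$SAMPLE_CFG"
```

Running it against the sample prints the warning; point it at your real ossec.conf (no argument needed) to confirm the edited address passes.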