After reading and hearing about OSSEC I decided to give it a try.
The installation process is simple: untar the archive and run install.sh. You are asked a couple of questions (enable yes/no, email address, etc.) and that’s it. This time around, I installed OSSEC 2.0 on an up to date CentOS 5.2 x86_64 installation.
One of the key questions is the type of installation you will be performing. There are three types of installation: local, server, and agent.
This time around I was performing a local installation. In brief, local is what most home users will want to use. For those who want to monitor more than one system, a server installation and multiple agent installations will be the way to go. A document describing the types of installation is available on the OSSEC site.
In my case it is a local install, so the installer installs everything on the one machine.
One thing you will want to make sure of is the from email address OSSEC uses. In my case it was using ossecm@localdomain, which my mail server was rejecting because the source address was not a fully qualified domain name (somedomain.com). You can see the email values your installation is using by looking at the /var/ossec/etc/ossec.conf file. There may be a more “proper” way of correcting it, but I just went ahead and edited the email address in the ossec.conf file.
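To make the fix above concrete, here is an added shell example (my own, not from the OSSEC project or the original post). It embeds a constructed copy of the `<global>` block from ossec.conf with the default `ossecm@localdomain` sender, checks whether the domain part of `<email_from>` looks like a fully qualified domain name, and rewrites it to an address the mail server will accept. The address `ossecm@somedomain.com` and the recipient `admin@example.com` are placeholders; the element names `<email_from>`, `<email_to>`, `<smtp_server>` and `<email_notification>` are the real ones from ossec.conf.

```shell
#!/bin/sh
# Constructed sample of the <global> section of /var/ossec/etc/ossec.conf,
# showing the default sender that a strict MTA rejects. Added example only;
# this is not a verbatim copy of what install.sh writes.
SAMPLE_CONF='<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localdomain</email_from>
  </global>
</ossec_config>'

# Print the value of <email_from> from the config text passed as $1.
email_from() {
    printf '%s\n' "$1" | sed -n 's/.*<email_from>\([^<]*\)<\/email_from>.*/\1/p'
}

# Return 0 when the domain part of the address in $1 contains a dot,
# i.e. it looks like a FQDN rather than a bare host label such as "localdomain".
has_fqdn_domain() {
    domain=${1#*@}
    case "$domain" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the config text $1 with <email_from> replaced by the address in $2.
set_email_from() {
    printf '%s\n' "$1" | sed "s#<email_from>[^<]*</email_from>#<email_from>$2</email_from>#"
}

# Report whether the sender in config text $1 is likely to be accepted.
check_conf() {
    from=$(email_from "$1")
    if has_fqdn_domain "$from"; then
        echo "ok: email_from=$from"
        return 0
    fi
    echo "bad: email_from=$from has no FQDN domain; the MTA may reject it" >&2
    return 1
}

# Weak setting as generated, then the corrected one (placeholder domain).
FIXED_CONF=$(set_email_from "$SAMPLE_CONF" "ossecm@somedomain.com")
check_conf "$SAMPLE_CONF" || true
check_conf "$FIXED_CONF"
```

On a real system you would run the check against /var/ossec/etc/ossec.conf instead of the embedded sample, edit the file, and then restart OSSEC with /var/ossec/bin/ossec-control restart so the new sender takes effect.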