
Set Up Intrusion Detection with OSSEC

Install and configure OSSEC HIDS to monitor your server for suspicious activity and file changes.

advanced
12 min read
LightYear Docs Team
Updated April 24, 2026
Tags: ossec, ids, intrusion-detection, security, monitoring

OSSEC is a free, open-source Host-based Intrusion Detection System (HIDS). It performs file integrity checking, log analysis and rootkit detection on your server and raises real-time alerts when it finds suspicious activity.

Step 1 — Install Dependencies

BASH
$ apt update
$ apt install -y build-essential libssl-dev libpcre2-dev zlib1g-dev

Step 2 — Download and Install OSSEC

BASH
$ wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.7.0.tar.gz
$ tar -xzf 3.7.0.tar.gz
$ cd ossec-hids-3.7.0
$ ./install.sh

During installation, select:

  • Installation type: local
  • Email notification: yes (enter your email)
  • Integrity check daemon: yes
  • Rootkit detection engine: yes
  • Active response: yes

Step 3 — Start OSSEC

BASH
$ /var/ossec/bin/ossec-control start
OUTPUT
Starting OSSEC HIDS v3.7.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

Step 4 — Check OSSEC Status

BASH
$ /var/ossec/bin/ossec-control status
OUTPUT
ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

Step 5 — Configure File Integrity Monitoring

Edit the OSSEC configuration:

BASH
$ nano /var/ossec/etc/ossec.conf

Add directories to monitor:

XML
<syscheck>
  <frequency>7200</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories check_all="yes">/var/www</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
</syscheck>

Restart OSSEC afterwards (ossec-control restart) so that syscheckd picks up the new directory list; the frequency value is in seconds, so 7200 means a full integrity scan every two hours.

Step 6 — View Alerts

BASH
$ tail -f /var/ossec/logs/alerts/alerts.log
OUTPUT
** Alert 1714000000.12345: - ossec,syscheck,
2026 Apr 24 10:00:00 server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'abc123...'
New md5sum is : 'def456...'

[!TIP] Run the initial file integrity baseline immediately after a fresh server setup, before installing any applications. This ensures OSSEC's baseline reflects a clean state.
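To act on these alerts without reading the log by eye, here is an added Python example (not part of this guide and not OSSEC's own tooling) that parses alerts.log entries of the format shown above, filters them by rule level and flags syscheck alerts on a watch list of sensitive files. The second alert in the constructed sample (the sshd session line, rule 5501 at level 3) and the watch-list paths are assumptions added for illustration.

```python
import re

# One regex per line type of the alerts.log format shown in Step 6.
HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?:mail )?- (?P<groups>[\w,.-]+)$")
SOURCE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>.+?)->\S+$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
CHANGED = re.compile(r"^Integrity checksum changed for: '(?P<path>.*)'$")

def parse_alerts(text: str) -> list:
    """Split alerts.log text into dicts; each alert starts at a '** Alert' line."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"id": m["id"], "groups": [g for g in m["groups"].split(",") if g],
                   "timestamp": "", "host": "", "rule": 0, "level": 0, "desc": "", "path": ""}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first alert header
        elif m := SOURCE.match(line):
            cur["timestamp"], cur["host"] = m["ts"], m["host"]
        elif m := RULE.match(line):
            cur["rule"], cur["level"], cur["desc"] = int(m["rule"]), int(m["level"]), m["desc"]
        elif m := CHANGED.match(line):
            cur["path"] = m["path"]  # present only on syscheck alerts
    return alerts

def high_severity(alerts: list, min_level: int = 7) -> list:
    """Alerts at or above a rule level; 7 is OSSEC's default email_alert_level."""
    return [a for a in alerts if a["level"] >= min_level]

def syscheck_hits(alerts: list, watched=("/etc/passwd", "/etc/shadow", "/etc/sudoers")) -> list:
    """syscheck alerts whose changed file is on a watch list of sensitive paths (assumed list)."""
    return [a for a in alerts if "syscheck" in a["groups"] and a["path"] in watched]

# Constructed sample: the syscheck alert from Step 6 plus a hypothetical low-level PAM login alert.
SAMPLE = """\
** Alert 1714000000.12345: - ossec,syscheck,
2026 Apr 24 10:00:00 server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'abc123...'
New md5sum is : 'def456...'

** Alert 1714000060.23456: - pam,syslog,authentication_success,
2026 Apr 24 10:01:00 server->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Apr 24 10:01:00 server sshd[1234]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""
```

Pointing `parse_alerts` at the contents of /var/ossec/logs/alerts/alerts.log gives the same dicts for live data, and `high_severity` uses the same level threshold OSSEC applies when deciding whether to send mail.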

