OSSEC Upgrade 2.2

For those not in the know, OSSEC is an absolutely wonderful tool for monitoring the security of servers and systems. It includes automated (active) responses, email alerting, and a fairly robust set of baseline rules. In addition, custom rules can be written, like this set I did for TitanFTP.

Version 2.2 was released recently, so I suppose it is time to do the OSSEC upgrade. The 2.1 and 2.2 releases include a number of needed enhancements:

1. Centralized configuration management
2. Remote agent restart
3. Real-time integrity checking
4. New log rules
5. WordPress monitoring

I am mainly interested in items 1 through 3. I've had some issues with the integrity scan affecting performance during production hours, so hopefully these changes will help with that.

After installing the new version, I wanted to check the impact the integrity checks had on performance, so I set up a test server and a test Windows client.

From the Linux-based OSSEC server:

root@prd-001-hids:/var/ossec/bin# ./agent_control

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h          This help message.
-l          List available (active or not) agents.
-lc         List active agents.
-i <id>     Extracts information from an agent.
-R <id>     Restarts agent.
-r -a       Runs the integrity/rootkit checking on all agents now.
-r -u <id>  Runs the integrity/rootkit checking on one agent now.

-b <ip>     Blocks the specified ip address.
-f <ar>     Used with -b, specifies which response to run.
-L          List available active responses.
-s          Changes the output to CSV (comma delimited).
root@prd-001-hids:/var/ossec/bin# ./agent_control -r -a

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on all agents.
root@prd-001-hids:/var/ossec/bin#

I noted on the OSSEC client that there was a bit of a performance hit during the integrity scan; however, it does not seem to be as bad as in previous versions.
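Two things worth doing on the server side if the scans still bite during production hours: push a shared agent.conf (the centralized configuration from item 1) that relies on realtime syscheck with a low full-scan frequency, and trigger integrity checks one agent at a time instead of hitting them all with agent_control -r -a. The script below is an added example, not code from this post or from the OSSEC project. It assumes OSSEC lives under /var/ossec, that the directory list in the agent.conf is what you care about, and that your agents' platform supports realtime="yes" (check the syscheck documentation for your version). The agent list used when agent_control is not present is a constructed sample of the -lc output.

```sh
#!/bin/sh
# Added example, not code from the original post or from the OSSEC project.
# Pushes a centralized agent.conf that leans on realtime syscheck with a low
# full-scan frequency, and kicks off integrity checks one agent at a time
# instead of "agent_control -r -a". Assumptions: OSSEC under /var/ossec, the
# directory list below, and realtime support on the agents' platform.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
AGENT_CONTROL="$OSSEC_DIR/bin/agent_control"
DRY_RUN="${DRY_RUN:-1}"      # 1 = only print what would run

# Pull agent IDs out of "agent_control -lc" output. Agent 000 is the manager
# itself, so it is skipped; everything else is a remote agent we can scan.
agent_ids() {
    sed -n 's/^ *ID: \([0-9][0-9]*\), Name: .*/\1/p' | grep -v '^000$'
}

# Run syscheck/rootcheck on each agent in turn, pausing DELAY seconds between
# agents so the scans (and the alerts they raise) do not all hit the server
# and the network at the same moment.
stagger_scans() {
    delay="$1"; shift
    for id in "$@"; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: $AGENT_CONTROL -r -u $id"
        else
            "$AGENT_CONTROL" -r -u "$id" && sleep "$delay"
        fi
    done
}

# Shared agent.conf for the Windows agents: realtime monitoring on the
# directories that matter, a full scan once a day (the default is 79200 s),
# and a noisy log directory ignored. Real agent.conf syntax; paths assumed.
# Write it to $OSSEC_DIR/etc/shared/agent.conf and restart the agents
# (agent_control -R <id>) for it to be picked up.
agent_conf() {
    cat <<'EOF'
<agent_config os="Windows">
  <syscheck>
    <frequency>86400</frequency>
    <directories check_all="yes" realtime="yes">C:\Windows\System32</directories>
    <directories check_all="yes" realtime="yes">C:\Program Files</directories>
    <ignore>C:\Windows\System32\LogFiles</ignore>
  </syscheck>
</agent_config>
EOF
}

# Stand-alone run: use the live agent list when agent_control is present,
# otherwise a constructed sample of its "-lc" output so this works offline.
if [ -x "$AGENT_CONTROL" ]; then
    ids=$("$AGENT_CONTROL" -lc | agent_ids)
else
    ids=$(printf '%s\n' \
        'OSSEC HIDS agent_control. List of available agents:' \
        '   ID: 000, Name: prd-001-hids (server), IP: 127.0.0.1, Active/Local' \
        '   ID: 001, Name: win-test, IP: 10.0.0.5, Active' | agent_ids)
fi
stagger_scans 60 $ids
```

With DRY_RUN=1 (the default) the script only prints the agent_control commands it would run; set DRY_RUN=0 on the server to actually stagger the scans, and pick the delay to match how long one agent's scan takes to settle.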
