Tagged: ossec Toggle Comment Threads | Keyboard Shortcuts

  • Jay Versluis 8:45 am on May 11, 2018 Permalink | Reply
    Tags: ossec   

    Categories: How To ( 35 )   

    How to remove OSSEC Agent on macOS Sierra 

    I’ve been trying to find a way to remove OSSEC on one of my Macs. Most documentation is a bit outdated and references files from yesteryear, so here’s how to do it on macOS Sierra in 2018.

    These instructions were written with OSSEC 2.8 in mind. I’m not familiar with later versions.

    Removing the three system users

    The OSSEC Agent creates three system users that come up when your Mac is started. They’re called ossec, ossecm and ossecr. OSSEC uses these to run its various scrips and services.

    To remove them on macOS, head over to System/Library/CoreServices/Applications and start the Directory Utility app. Unlock the little icon at the bottom left with your password to make changes (that lock icon only comes up when you click on Services or Search Policy).

    Select the Directory Editor and search for “ossec”.  You should find the three system users. Select them and remove them using the little minus icon at the bottom left.

    Removing files

    We’ll have to remove all files from /var/ossec and the configuration file from /etc/ossec-init.conf.

    Since OSSEC was likely installed from source, there are no handy graphic utilities to help us. Instead execute the following commands from the command line:

    sudo rm /var/ossec
    sudo rm /etc/ossec-init.conf

    Removing System Daemons

    While we find daemons in /etc/init.d on Linux distributions, they’re stored in .plist files in both /Library/LaunchAgents and /Library/LaunchDaemons. In the latter we find one like this:


    The exact name will depend on your user name and machine name. Remove this file, then restart your system.

    Further Reading

  • Jay Versluis 7:40 pm on August 28, 2012 Permalink | Reply
    Tags: ossec   

    Categories: Linux ( 101 )   

    How to fix Duplicate Counter Error in OSSEC 

    You may come across a duplicated counter / duplicate error in OSSEC. This can happen when you try to add an agent to the server again which was previously added (say when you had to rebuild the OSSEC Server).

    The agent is basically saying “hey I’ve got some data here which doesn’t line up with what I should be getting from the server”.

    This problem can be resolved easily – let me show you how.

    (More …)

    • jon 4:24 am on September 13, 2012 Permalink | Reply

      A quicker and dirtier solution to this is to simply empty the rids file on the server that corresponds to the client you have rebuilt. So for example if the client ID is 061 then:

      cp /dev/null /var/ossec/queue/rids/061

      restart the ossec server and it will rebuild the file with the correct counters.

  • Jay Versluis 3:24 am on November 24, 2011 Permalink | Reply
    Tags: ossec   

    Categories: Linux ( 101 )   

    How to install OSSEC HIDS on CentOS 6 and 7 

    Remote computers are under constant attack by Evil Dudes – that’s especially true for Linux servers. To prevent such attacks by Evil Dudes from Hacker Land, I’ve been relying on the amazing OSSEC Host Intrusion Detection System on all my machines.

    Even though the OSSEC website is great, I always forget the simple steps that are involved in getting it up and running on a brand new server. Here are the steps that work for me.

    I’ve originally written this article in 2011 for OSSEC 2.6, but I’ve just updated and tested the instructions again with OSSEC 2.8.1 on CentOS 7. It’s my go-to guide on how to get OSSEC up and running. However, by the time you read this it may all be completely out of date – please bear that in mind. Thanks 😉
    (More …)

    • Jay Versluis 10:02 am on March 1, 2014 Permalink | Reply

      Update March 2014

      Quick update many years after I first published this article: OSSEC has recently moved to GitHub: http://www.ossec.net/?p=1022

      OSSEC is now also available as an rpm package thanks to Scott and his wonderful team at Atomicorp: http://www5.atomicorp.com/channels/ossec/centos/6/x86_64/RPMS/

      First you need to add the Atmoic Repo to your installation:

      wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

      Now OSSEC can be installed with

      yum install ossec-hids

      Once installed you need to run a setup script which will guide you through the configuration process:


      NOTE: I must admit that the yum installation didn’t work for me under CentOS 7: the ossec-control script is missing and OSSEC doesn’t want to start.

    • Jay Versluis 11:26 am on November 19, 2014 Permalink | Reply


      I’ve added some more goodies to the article, such as

      • start/stop commands
      • log file locations
      • repeat offenders section
      • more troubleshooting tips

      I’ve also tested the instructions on CentOS 7.

    • Garret 12:43 pm on May 8, 2015 Permalink | Reply


      I followed your (excellent) ref on how to install an OSSEC agent on a CentOS box (mine 6.5).

      Just wanted to ask – is it best practice to disable (or uninstall (?)) “gcc” after the install? Will it break the OSSEC agent?


      • Jay Versluis 12:53 pm on May 8, 2015 Permalink | Reply

        Hi Garret,

        glad to hear my instructions were helpful! GCC is not needed anymore after the initial build and installation (much like make). There are adverse effects should you wish to uninstall them. At the same time, it doesn’t hurt to meep them around either. For example, when a new version of OSSEC is available, you’ll have to compile it again, so at that point you’d need GCC and make again. It’s a personal preference really.

        All the best!

    • Abby Normal 1:12 pm on May 30, 2015 Permalink | Reply


      I have installed ossec-hids fomr atomicorp on Centos 7. But I also do not have ossec-control script and none of the service files to start or stop it. Also systemd service is missing… Any ideas?

      • Jay Versluis 4:18 pm on May 30, 2015 Permalink | Reply

        Hi Abby, I’ve never understood how to install OSSEC via yum, hence I recommend compiling from source. If items are missing from the yum installation, note that there are several ossec packages, not just one:

        yum list ossec*
        Loaded plugins: fastestmirror, refresh-packagekit
        Determining fastest mirrors
         * atomic: www6.atomicorp.com
         * base: centos-distro.cavecreek.net
         * extras: mirror.vtti.vt.edu
         * updates: mirror.lug.udel.edu
        Available Packages
        ossec-hids.i686                                        2.8.1-47.el6.art                              atomic
        ossec-hids-client.i686                                 2.8.1-47.el6.art                              atomic
        ossec-hids-debuginfo.i686                              2.8.1-47.el6.art                              atomic
        ossec-hids-mysql.i686                                  2.8.1-47.el6.art                              atomic
        ossec-hids-server.i686                                 2.8.1-47.el6.art                              atomic

        So simply calling “yum install ossec-hids” may not be enough. I don’t even know what that would install – the agent perhaps? Who can tell. Try “yum install ossec-hids-server”, perhaps that will bring the missing files in.

        Good luck 😉

    • Abby Normal 3:04 pm on June 1, 2015 Permalink | Reply

      In the meantime I figured it out. ossec-hids has common files required for all the packages, you can see it with yum info after the package is installed. For local/server installation, ossec-hids-server is also needed.

      In the end, it works, but ossec complains something about:
      ERROR: Queue ‘/queue/alerts/ar’ not accessible: ‘Queue not found’.
      And here they say http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#check-queue-alerts-ar
      that ossec-remoted shoul be started. But this is a local install and that daemon is not running and also I cannot start them. Active response works but alerts for them are not arriving, obviously becase of the stated ERROR in log. Maybe the problem is in atomicorp packages, will try with tar.gz.

      Btw. they should really restructure the whole documentation for the project, it is poorly written and uncomplete…

      Thanks for the info 🙂

    • Trax 11:23 am on June 13, 2015 Permalink | Reply

      Hey thanks for the tutorial, i have one question. You state to add this

      // don’t add this
      // and don’t add this

      However when looking through the file i notice two sections for this

      = 6.
      – The IP is going to be blocked for 600 seconds.


      So basically i’m asking which part should i be adding to?

      • Jay Versluis 11:33 am on June 13, 2015 Permalink | Reply

        Hi Trax,

        your must find a section that begins with <active-response> and ends with </active-response>. Add the repeated offender line anywhere in that section.

Compose new post
Next post/Next comment
Previous post/Previous comment
Show/Hide comments
Go to top
Go to login
Show/Hide help
shift + esc