Tuesday, December 27, 2011

OSSEC 101: The Slackening

In a small attempt to stop slacking I managed to add a bit to the OSSEC 101 project. Yesterday I wrote the initial draft of the OSSEC Linux agent installation. I had already written the companion OSSEC server installation, so an agent install was the next logical step. Since I don't have a lot of Windows machines, capturing the Linux agent installation was much easier. (I just noticed the server installation is missing an image, and I'm sure it needs some polish.)

Hoping that a bit of color would differentiate the agent bits from the server bits, I decided to use red backgrounds for PuTTY in the agent installation screenshots. Please let me know if it just looks stupid, or if a different color would be more appropriate.

I'm not quite sure how much information should be in these sections. I don't want OSSEC 101 to turn into the typical how-to document, with a bunch of copy & paste commands. I want you to know what you're running and why you're running it. There will probably be more added to these install pages before I consider them done, but they're already useful.

The Windows agent page might stay blank for a while. I do have a Windows machine I could reinstall OSSEC onto, but meh.

Along with the slacking I've been trying to come up with scenarios for OSSEC 101. I thought it might be easier to explain things if I had real-world examples of how some people use OSSEC, and I have a few ideas already. I'm always looking for more, so feel free to send me any ideas (or create an issue at my Bitbucket).

So that's 2 sections down, a LOT more to go. Hopefully I'll be able to devote more time to this next year. Hopefully.


  1. It looks great. I used to install clients from the tarball, but it is not so easy to do when you have to configure 10+ clients a day.
     I created my own RPM and used our Puppet setup to deploy the RPM. What's great with 2.6 is the auto-registration mechanism. With such a feature, you can deploy OSSEC on any machine, puppetized or not, run the registration command and be done.

  2. Excellent documentation.

     Good work man, keep it up!

     Any chance you are going to go over getting the latest rules and updates to WUBI?