bookmark_borderOSSEC Integrates Slack and PagerDuty

One of the new features that we open sourced and pushed to OSSEC is an “integrator” daemon that we have been using internally to connect OSSEC to external APIs and alerting tools. The first two APIs we officially added were for Slack and PagerDuty.

To get started, you have to download OSSEC from our fork, either from the development branch or from the our stable branch:

Continue reading “OSSEC Integrates Slack and PagerDuty”

bookmark_borderOSSEC v2.6 is out!

SSEC v2.6 was just released (finally :)) and you can get more details here:

We are very happy to announce the availability of OSSEC version 2.6.

This has been a long release cycle, but it is here now with some good new features and very stable (thanks to our beta users). Our manual for the new version is also live at


bookmark_borderOSSEC 2.6 beta-1 available

This has been a long release cycle, but OSSEC 2.6 BETA1 is now available. Helping us out testing the beta version is a great way to contribute back to the project and the best way to get started on it.

How to test the BETA?

Download it from here:

And install on as many systems as you can. Make sure that the upgrade/install process is working without errors and that everything that was working before still it. If everything works (or you see any error), post in the comments section in here, send to the mailing list or privately to us (

Testing the new features

In addition to making sure everything still works, you can try some of the new features (full list here):

Plus a bunch of bug fixes… Let us know how it goes.

bookmark_borderImproved reporting for file changes (OSSEC)

One that that always annoyed me on OSSEC was that ossec-reported didn’t list the file changes (from syscheck) and that I couldn’t use the filtering options in there for them. Well, that’s solved now 🙂

On the latest OSSEC snapshot you can use the “filename” option to filter and correlate values. For example, if I run the default reporting for the month of May I will see at the bottom a list of file changes:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
Top entries for ‘Filenames’:
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

And you can also use the related options to see on which agents the files were changed. So for a basic integrity monitoring report, I would filter for the group syscheck and list where each file was changed:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
Top entries for ‘Filenames’:
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

Related entries for ‘Location’:
web1->syscheck |1 |
    filename: ‘/etc/ossec-init.conf’
    filename: ‘/var/www/x/js.js’
    filename: ‘/var/www/x/index.php’
    filename: ‘/etc/ossec-init.conf’
    filename: ‘/etc/ossec-init.conf’

So the report is simple. It shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking on making these reports enabled by default and reducing the severity of the normal syscheck alerts so they don’t get sent by email. Comments?

bookmark_borderAutomatically creating and setting up the agent keys

The complain I hear more often about OSSEC is related to how hard it is to setup the authentication keys between the agents and the manager. Each agent share a key-pair with the manager, so if you have a thousand agents, you need a thousand keys.

To make life easier, we added a new daemon on the manager, called ossec-authd. To get that working, you need the latest snapshot (just get from here: (click on get source)).

Once you have the new version running, you need to create the certificate / private key for SSL (note that OSSEC will look at /var/ossec/etc/sslmanager.cert and /var/ossec/etc/sslmanager.key for them).

# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

*note that you only need to run this command on the manager (not on the agents)

Once the keys are created, you can start the ossec-authd:

# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &

Setting up the agents

On the agents, the work is minimal. All you have to do is to run the following command:

# /var/ossec/bin/agent-auth -m -p 1515

INFO: Connected to
INFO: Using agent name as: melancia
INFO: Send request to manager. Waiting for reply.
INFO: Received response with agent key
INFO: Valid key created. Finished.
INFO: Connection closed.

Where is your manager IP address. Inside the manager, you will also see the logs:

2011/01/19 15:04:40 ossec-authd: INFO: New connection from
2011/01/19 15:04:41 ossec-authd: INFO: Received request for a new agent (melancia) from:
2011/01/19 15:04:41 ossec-authd: INFO: Agent key generated for melancia (requested by
2011/01/19 15:04:41 ossec-authd: INFO: Agent key created for melancia (requested by

That’s it. The keys are now exchanged and you can start your agent. Note that I don’t recommend to keep the ossec-authd running during “normal” operations, only when you are setting up your agents.

The code is still in alpha/beta mode, so let us know if you find any issues (I have been using for a little while, so should be stable).

bookmark_borderOSSEC v2.3 BETA1 available

OSSEC v2.3 BETA1 is now available and we need testers. You can find information on how to help us at

If you ever wanted to contribute to OSSEC (or to any open source project) that’s the easiest way to get involved. Just download the BETA, check if everything still works, if you have time try out some of the new features and let us know how it goes. You can submit your feedback in here, via the wiki, to the mailing list or personally to me via email.

We appreciate any feedback.

bookmark_borderOSSC v2.5.1 released

Early this week we pushed OSSEC v2.5.1 out, but forgot to mention here in the blog. If you had issues with v2.5, you can download the new version here:

Some of the things we fixed/added:

-Logcollector crashing when using some globs.
-Logcollector crashing with the alias command monitoring.
-Analysisd crashing with report_changes enabled + local ignore rules.
-Some Windows rules were not matching properly.
-Added no_ar option to the rules (by Jeremy Rossi and Scott at
-Docs fixed by Michael Starks.

Also, if you are having issues with HPUX, try this snapshot where we fixed it:
(didn’t get included on v2.5.1).

bookmark_borderOSSEC v2.5 released

OSSEC v2.5 is out. From

We are very happy to announce the availability of OSSEC version 2.5.

This has been a long release cycle (5 months), but it comes out pretty stable and with many new features. We also had many contributors, showing how much our community is growing and getting stronger. In addition to that, our documentation and manual has been moved to .

What is new?

  1. Added support for “report_changes” on syscheck to show what was changed in the file modification alert.
  2. Added support for cdb lists inside the rules.
  3. Added support for drop-in rules and decoders directory.
  4. Added a Rule unit testing framework (in python) and inside logtest
  5. Added support for a generic multi-line log reader.
  6. Added granular Windows rules.
  7. Added option to restrict integrity checking to a set of files.
  8. Added alias option to the command monitoring.
  9. Added silent switch for windows installer.
  10. Added variable expansion in command output monitoring.
  11. Fixed several windows installer bugs.

And a lot more. Check the full change log here.

Download the new version from

*Special thanks to Jeremy Rossi, Dan Parriott, Scott R. Shinn and Michael Starks for the many contributions, patches and tests.

bookmark_borderOSSEC v2.4 released

Directly from:

The OSSEC team is very happy to announce the general availability of OSSEC version 2.4.

What is new? We have lots of new features and bug fixes, but these are the main changes:

  1. Added daily email summaries/reports. (more info)
  2. Added option to alert when a log or command output changes – check_diff. (more info)
  3. Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc).
  4. Improved ossec-logtest to be used for the forensic analysis of log files (more info)
  5. Added support for Microsoft Security Essentials logs.

And a few important bug fixes:

  • Fixed a memory leak on the Windows agent that was not properly closing the sockets. It would cause a port exhaustion if the manager becames unavailable
    for a long period of time.
  • Fixed performance issue when the FTS queue was too large.

Check out our v2.4 changelog for the complete list of new features and bugs fixed.

Download the new version from