OSSEC
What is OSSEC?
OSSEC: A free, open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity monitoring, rootkit detection, and active response on Linux, Windows, macOS, and Solaris.
OSSEC (Open Source Security) is a host-based intrusion detection system (HIDS) originally written by Daniel B. Cid in 2004 and now maintained by the Atomicorp-led OSSEC Foundation under GPLv2. Agents installed on monitored hosts forward log events, file-integrity (syscheck) checksums and permissions, Windows Registry changes, and rootcheck findings (hidden processes and ports, known rootkit signatures) to a central manager over an encrypted channel, UDP port 1514 by default. The manager decodes each event into fields such as program, user, and source IP and runs it through an XML rule set of about 1,500 stock rules (extended locally in local_rules.xml) that assigns an alert level from 0 to 15 and uses frequency and timeframe correlation to detect brute-force attempts, privilege escalation, malware persistence, and policy violations. Alerts at or above a configured level can trigger active response scripts (firewall block, account lock), and alert output integrates with Splunk, Graylog, and the ELK stack. OSSEC is the technical ancestor of Wazuh, which forked it in 2015 and added modern dashboards and cloud features.
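The file-integrity side of that pipeline, as an added example written for this page rather than OSSEC's own code: a syscheck-style scan that records the attributes OSSEC's syscheck database keeps (mode, owner, size, checksum), rescans, and reports added, changed, and deleted files, singling out anything that gained the SUID bit or changed content while SUID. The stock syscheck rule ids 550/553/554 are reused for the alert types; the files are created in a temporary directory so the script runs offline, and the scenario (a trojaned helper made SUID, a removed config, a dropped file) is constructed.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Added example, not OSSEC's code. Stock OSSEC syscheck alerts use rule ids
# 550 (checksum changed, level 7), 553 (file deleted, level 7) and 554 (file added, level 5).
EVENT_RULES = {"modified": (550, 7), "deleted": (553, 7), "added": (554, 5)}


@dataclass(frozen=True)
class Entry:
    mode: int      # full st_mode, so the SUID/SGID bits survive in the baseline
    uid: int
    size: int
    sha256: str


def scan(paths):
    """Build a baseline {path: Entry} for the regular files that exist."""
    baseline = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        baseline[p] = Entry(st.st_mode, st.st_uid, st.st_size, h.hexdigest())
    return baseline


def diff(old, new):
    """Compare two baselines; one alert dict per added, modified or deleted file, sorted by path."""
    alerts = []
    for p in sorted(old.keys() | new.keys()):
        o, n = old.get(p), new.get(p)
        if o == n:
            continue
        event = "added" if o is None else "deleted" if n is None else "modified"
        changes = []
        if event == "modified":
            if o.sha256 != n.sha256:
                changes.append("checksum")
            if stat.S_IMODE(o.mode) != stat.S_IMODE(n.mode):
                changes.append("permissions")
            if o.uid != n.uid:
                changes.append("owner")
        suid_before = o is not None and bool(o.mode & stat.S_ISUID)
        suid_now = n is not None and bool(n.mode & stat.S_ISUID)
        # a file that gained SUID, or whose content changed while SUID, is the case to triage first
        escalation = suid_now and (not suid_before or "checksum" in changes)
        rule, level = EVENT_RULES[event]
        alerts.append({"path": p, "event": event, "rule": rule, "level": level,
                       "changes": changes, "suid": suid_now, "suid_escalation": escalation})
    return alerts


def demo():
    """Constructed scenario in a temp dir: helper script trojaned and made SUID,
    config file removed, unexpected new file dropped."""
    with tempfile.TemporaryDirectory() as d:
        helper, conf, dropped = (os.path.join(d, n) for n in ("helper", "app.conf", "dropper"))
        with open(helper, "wb") as f:
            f.write(b"#!/bin/sh\necho ok\n")
        os.chmod(helper, 0o755)
        with open(conf, "wb") as f:
            f.write(b"debug=0\n")
        before = scan([helper, conf, dropped])   # baseline; 'dropper' does not exist yet
        with open(helper, "wb") as f:
            f.write(b"#!/bin/sh\n/bin/sh\n")      # content replaced
        os.chmod(helper, 0o4755)                  # SUID bit added after the write
        os.remove(conf)
        with open(dropped, "wb") as f:
            f.write(b"x")
        return diff(before, scan([helper, conf, dropped]))
```

Real syscheck runs on a schedule (or in realtime where the platform supports it) and ships the database deltas to the manager, where the rules above assign the level; the SUID escalation flag here is the extra triage hint a local rule would add on top.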
● Examples
- 01
Detecting modified SUID binaries via the syscheck file integrity module.
- 02
Blocking a source IP at the host firewall through active response after, say, five failed sshd logins from it within a short window (the threshold comes from the brute-force rule's frequency and timeframe attributes, and the block is usually reversed after a timeout).
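The log-analysis path behind example 02, as an added example written for this page and not OSSEC's own code: a miniature of the manager's decode, rule-tree, alert-level, and active-response steps run over constructed sshd log lines (RFC 5737 addresses, invented hostname and pids). The rule ids 5700/5710/5712 and their attributes mirror OSSEC's stock sshd_rules.xml, and the level-6 threshold with a 600-second timeout mirrors the default firewall-drop entry in ossec.conf, but the engine is a simplified re-implementation: it counts frequency literally (OSSEC's documentation says the stock engine fires at frequency plus two matches), takes each event's timestamp as an argument instead of using arrival time, and evaluates `<match>` as a regular expression.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Stock OSSEC sshd rule ids/attributes; the engine below is a simplified re-implementation for this example, not OSSEC code.
RULES_XML = """
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
  </rule>
  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>SSHD brute force trying to get access to the system.</description>
  </rule>
</group>
"""
AR_LEVEL, AR_TIMEOUT = 6, 600  # default firewall-drop active response in ossec.conf
SSHD_RE = re.compile(r"\bsshd\[\d+\]: (?P<msg>.*)$")
SRCIP_RE = re.compile(r" from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\b")

def decode(line):
    """Minimal sshd decoder: program name, message body and source IP (if any)."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    ip = SRCIP_RE.search(m.group("msg"))
    return {"program": "sshd", "msg": m.group("msg"), "srcip": ip.group("srcip") if ip else None}

def load_rules(xml_text):
    """Parse the subset of OSSEC rule syntax used above, keeping file order."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        txt = lambda tag: getattr(r.find(tag), "text", None)
        sid = lambda tag: int(txt(tag)) if txt(tag) else None
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "frequency": int(r.get("frequency", 0)), "timeframe": int(r.get("timeframe", 0)),
                      "ignore": int(r.get("ignore", 0)), "decoded_as": txt("decoded_as"),
                      "if_sid": sid("if_sid"), "if_matched_sid": sid("if_matched_sid"),
                      # OSSEC <match> has its own simple pattern syntax; re.search covers this one
                      "match": re.compile(txt("match")) if txt("match") else None,
                      "same_source_ip": r.find("same_source_ip") is not None,
                      "description": txt("description")})
    return rules

class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(deque)  # (sid, srcip-or-None) -> timestamps of matches
        self.ignore_until = {}             # (sid, srcip-or-None) -> suppress repeat alerts until ts

    def process(self, ts, line):
        """Return an alert dict for one log line, or None if no rule of level >= 1 matched."""
        ev = decode(line)
        if ev is None:
            return None
        matched, best = set(), None
        for r in self.rules:
            if r["decoded_as"] and r["decoded_as"] != ev["program"]:
                continue
            if r["if_sid"] is not None and r["if_sid"] not in matched:
                continue
            if r["match"] and not r["match"].search(ev["msg"]):
                continue
            key = ev["srcip"] if r["same_source_ip"] else None
            if r["if_matched_sid"] is not None:  # composite rule: child sid seen N times in timeframe
                if r["if_matched_sid"] not in matched or self.ignore_until.get((r["id"], key), -1) > ts:
                    continue
                q = self.history[(r["if_matched_sid"], key)]
                while q and ts - q[0] > r["timeframe"]:
                    q.popleft()
                if len(q) < r["frequency"]:
                    continue
                self.ignore_until[(r["id"], key)] = ts + r["ignore"]
            matched.add(r["id"])
            for k in {ev["srcip"], None}:
                self.history[(r["id"], k)].append(ts)
            if best is None or r["level"] >= best["level"]:
                best = r
        if best is None or best["level"] < 1:
            return None
        # active response fires on alerts at or above AR_LEVEL that carry a source IP
        ar = {"command": "firewall-drop", "srcip": ev["srcip"], "timeout": AR_TIMEOUT} if best["level"] >= AR_LEVEL and ev["srcip"] else None
        return {"rule": best["id"], "level": best["level"], "srcip": ev["srcip"],
                "description": best["description"], "active_response": ar}

def run_demo():
    """Constructed sshd lines (RFC 5737 addresses) as (arrival timestamp, line) pairs."""
    bad = "Jan  5 10:00:{:02d} web1 sshd[2213]: Failed password for invalid user admin from {} port 51122 ssh2"
    events = [(t, bad.format(t, "203.0.113.7")) for t in (0, 10, 20, 30, 40, 50, 55)]
    events += [(25, bad.format(25, "198.51.100.9")), (60, "Jan  5 10:01:00 web1 sshd[2290]: Accepted publickey for ops from 192.0.2.10 port 5000 ssh2")]
    engine = Engine(load_rules(RULES_XML))
    return [a for a in (engine.process(ts, line) for ts, line in sorted(events)) if a]
```

run_demo() returns a level-5 rule 5710 alert for each failed attempt, one level-10 rule 5712 alert carrying a firewall-drop against 203.0.113.7 at that address's sixth failure inside the 120-second window, and a plain level-5 alert for its seventh because the 60-second ignore window suppresses a repeat of 5712; the single failure from 198.51.100.9 never reaches the threshold, and the successful login matches only the level-0 grouping rule and produces no alert.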
● Frequently asked questions
What is OSSEC?
A free, open-source host-based intrusion detection system that performs log analysis, file integrity monitoring, rootkit detection, and active response on Linux, Windows, macOS, and Solaris. It belongs to the Defense & Operations category of cybersecurity.
What does OSSEC mean?
OSSEC stands for Open Source Security and is often written OSSEC HIDS. It is a free, open-source host-based intrusion detection system that performs log analysis, file integrity monitoring, rootkit detection, and active response on Linux, Windows, macOS, and Solaris.
How does OSSEC work?
An agent on each monitored host tails the configured log files, runs syscheck (file checksums and permissions) and rootcheck (rootkit signatures, hidden processes and ports) on a schedule, and ships the results to the manager over an encrypted channel, UDP port 1514 by default. On the manager, analysisd decodes each event into fields such as program, user, and source IP and evaluates it against the XML rule tree: a child rule matches only if its parent matched, and composite rules use frequency and timeframe (for example, the same source IP failing sshd logins repeatedly inside a window) to raise the alert level, which runs from 0 to 15. Alerts at or above the configured level are logged, e-mailed, or forwarded to a SIEM, and alerts at or above the active-response level invoke scripts such as firewall-drop.sh or host-deny.sh, normally with a timeout that reverses the action later.
How do you deploy OSSEC securely?
OSSEC is itself a defensive control, so the practical question is how to protect and tune the deployment. Register each agent with its own key through manage_agents so a compromised host cannot impersonate another, restrict the manager's UDP 1514 listener to the agent networks, keep /var/ossec readable only by root and the ossec service accounts, add administrator and monitoring addresses to the active-response white list in ossec.conf so a misfiring rule cannot block them, tune noisy rules in local_rules.xml instead of lowering alert levels globally, and alert on agents that stop reporting, since silencing the agent is the first thing an intruder tries.
What are other names for OSSEC?
Common alternative names include: OSSEC HIDS.
● Related terms
- defense-ops№ 1225
Wazuh
An open-source XDR and SIEM platform — a 2015 fork of OSSEC — that unifies endpoint, cloud, and container telemetry with built-in dashboards on the Wazuh Indexer and Dashboard.
- defense-ops№ 416
File Integrity Monitoring (FIM)
A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline.
- defense-ops№ 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- forensics-ir№ 627
Log Analysis
The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.