OSSEC: Installation and E-mail Notification Setup

1. Introduction

  OSSEC is a fully open-source, free host-based intrusion detection tool. It supports many platforms, including Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX. It ships with a predefined set of intrusion rules together with options for tuning them, and also supports custom rules. When a rule fires, the supported actions are e-mail notification, writing to a database and writing to syslog; from version 2.9.0 onward, alerts can also be written to a JSON-format file. For more details, see the official site: OSSEC.

2. Hardware and software environment


              VM 1 (Server)                      VM 2 (Agent)                     VM 3 (Agent)
Hardware      CPU: 8 cores, RAM: 16 GB,          CPU: 4 cores, RAM: 4 GB,         CPU: 2 cores, RAM: 2 GB,
              disk: 100 GB                       disk: 100 GB                     disk: 100 GB
OS            CentOS 7                           CentOS 7                         CentOS 7
Hostname      master                             ansible1                         ansible2
Software      OSSEC 2.8.1, MySQL 8.0             OSSEC 2.8.1                      OSSEC 2.8.1

3. Installation steps

3.1 Server

  1. Install OSSEC


wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz   # download OSSEC 2.8.1. The latest release is 3.6.0; the author tried installing it and
                                                                  # found that the agents could not connect to the server. There is a related GitHub issue,
                                                                  # see: https://github.com/ossec/ossec-hids/issues/1869
tar -zxvf 2.8.1.tar.gz                # unpack
mv ossec-hids-2.8.1/ ossec-hids       # rename the directory
cd ossec-hids/                        # enter the directory
export OSSEC_SOURCE=$(pwd)            # remember the source directory (used later to import the MySQL schema)
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel   # build tools and development libraries
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib/libmysqlclient.so.18     # symlink the MySQL client library
ln -s /usr/lib64/mysql/libmysqlclient.so.18 /usr/lib64/libmysqlclient.so.18   # symlink the MySQL client library
cd src
make setdb                            # enable database support; the command prints:
#Info: Compiled with MySQL support.
#Info: Compiled with PostgreSQL support.
cd ..
./install.sh                          # run the interactive install script

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en    # choose the language

OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux master 3.10.0-1127.18.2.el7.x86_64
- User: root
- Host: master

-- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? server    # install the server side
- Server installation chosen.

2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y    # enable e-mail notification
- What's your e-mail address? 1769128867@qq.com      # recipient address
- What's your SMTP server ip/host?                   # address of the SMTP server

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y    # enable the integrity-check daemon
- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y    # enable the rootkit detection engine
- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y    # enable active response
- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: n    # disable the firewall-drop response
- firewall-drop disabled.

- Default white list for the active response:
-
- Do you want to add more IPs to the white list? (y/n)? [n]: n    # no whitelist entries needed

3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y    # enable remote syslog
- Remote syslog enabled.

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/httpd/error_log (apache log)
-- /var/log/httpd/access_log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

5- Installing the system
- Running the Makefile
INFO: Little endian set.
....... (build output omitted) ........
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---

- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:

/var/ossec/bin/manage_agents

More information at:


/var/ossec/bin/manage_agents    # register the agents on the server


****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
Choose your action: A,E,L,R or Q: A    # add an agent

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ansible1    # display name of the agent
   * The IP Address of the new agent:      # IP address of the agent
   * An ID for the new agent[001]: 001     # ID of the agent
Agent information:
   IP Address:

Confirm adding it?(y/n): y    # confirm
Agent added.

****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
Choose your action: A,E,L,R or Q: E    # extract the agent's key

Available agents:
   ID: 001, Name: ansible1, IP:
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==

** Press ENTER to return to the main menu.
......... Repeat the same steps to add agent 2, and write down each agent key: it is needed later when configuring the agents. .........
  2. Configure the MySQL database


mysql -u root -p
mysql> create database ossec character set utf8 collate utf8_bin;    # create the database
mysql> create user ossec identified by 'QCgOvUJ7&Cs*dG4m';           # create the user OSSEC connects as
mysql> grant all privileges on ossec.* to ossec;
mysql> flush privileges;


mysql -uossec -p'QCgOvUJ7&Cs*dG4m' ossec < $OSSEC_SOURCE/src/os_dbd/mysql.schema    # import the table schema (the password must be quoted: it contains & and *, which the shell would otherwise interpret)


  Then add the database settings to /var/ossec/etc/ossec.conf:

<database_output>
  <hostname></hostname>                   <!-- MySQL server IP -->
  <username>ossec</username>              <!-- MySQL user account -->
  <password>QCgOvUJ7&Cs*dG4m</password>   <!-- MySQL user password -->
  <database>ossec</database>              <!-- database (schema) name -->
  <type>mysql</type>                      <!-- database type: MySQL -->
</database_output>

  Note: the <database_output> element goes inside the <ossec_config> element; see the official documentation: Configuring MySQL. After saving the file, database support must also be switched on:

/var/ossec/bin/ossec-control enable database
  3. Start OSSEC
/var/ossec/bin/ossec-control start


  4. Adding agents


/var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
Choose your action: A,E,L,R or Q: A    # add an agent

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ansible1    # hostname
   * The IP Address of the new agent:      # IP address
   * An ID for the new agent[001]: 001     # ID number
Agent information:
   IP Address:

Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: ansible1, IP:
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
Choose your action: A,E,L,R or Q: Q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

  After adding the agents, remember to restart the OSSEC service. Note that adding an agent here does not yet make the OSSEC service usable: the setup is only complete once the agent side has imported the agent key and started the agent process.

/var/ossec/bin/ossec-control restart

3.2 Agent


wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz   # download OSSEC 2.8.1. The latest release is 3.6.0; the author tried installing it and
                                                                  # found that the agents could not connect to the server. There is a related GitHub issue,
                                                                  # see: https://github.com/ossec/ossec-hids/issues/1869
tar -zxvf 2.8.1.tar.gz                # unpack
mv ossec-hids-2.8.1/ ossec-hids       # rename the directory
cd ossec-hids/                        # enter the directory
yum -y install mysql-devel postgresql-devel zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel   # build tools and development libraries
./install.sh                          # run the interactive install script


(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en    # choose the language

OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux ansible1 3.10.0-1127.18.2.el7.x86_64
- User: root
- Host: ansible1

-- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent    # install the agent side
- Agent(client) installation chosen.

2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address or hostname of the OSSEC HIDS server?:    # IP address or hostname of the server
- Adding Server IP

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y    # enable the integrity-check daemon
- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y    # enable the rootkit detection engine
- Running rootcheck (rootkit detection).

3.4 - Do you want to enable active response? (y/n) [y]: y    # enable active response

3.5- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/secure
-- /var/log/maillog
-- /var/log/nginx/access.log (apache log)
-- /var/log/nginx/error.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

5- Installing the system
- Running the Makefile
INFO: Little endian set.
....... (build output omitted) ........
- System is Redhat Linux.
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information below). ---

- You first need to add this agent to the server so they
can communicate with each other. When you have done so,
you can run the 'manage_agents' tool to import the
authentication key from the server.

/var/ossec/bin/manage_agents

More information at:


/var/ossec/bin/manage_agents    # import the key on the agent


****************************************
* OSSEC HIDS v2.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
Choose your action: I or Q: I    # import the key exported from the server

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIGFuc2libGUxIDE3Mi4xNi4xMS4xOTcgNDAxNTZlNTk0Y2JjYWZhMWZmNWQ2OWMwZjYxMjUyMmRmMWMxODNjZGI5Zjg3Y2NlMjVmODNkNWQ1ZjdlNDM5YQ==    # paste the key
Agent information:
   IP Address:

Confirm adding it?(y/n): y    # confirm
** Press ENTER to return to the main menu.


/var/ossec/bin/ossec-control start
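The key that manage_agents exports on the server and that the agent pastes in its import step is the base64 encoding of one client.keys line, "ID NAME IP SECRET". A wrapped line or a stray space from copy-paste is the usual reason an agent ends up never connecting, so it is worth checking a key before importing it. The script below is an added example, not part of the original post or of the OSSEC project: it decodes a key, strips whitespace and verifies that the fields match the agent being added. The sample key it checks is constructed here; the assumption that the secret is 64 hexadecimal characters matches what the OSSEC 2.8 manage_agents tool generates.

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project): sanity-check an
# exported OSSEC agent key before pasting it into manage_agents on the agent.
# The exported key is base64("ID NAME IP SECRET"), i.e. one line of client.keys.

# Remove spaces, tabs and line breaks that copy-paste may have added.
clean_key() {
    printf '%s' "$1" | tr -d ' \t\r\n'
}

# Decode the key; prints the client.keys line, fails on invalid base64.
decode_agent_key() {
    clean_key "$1" | base64 -d 2>/dev/null
}

# Exit 0 when the key decodes to "ID NAME IP SECRET" with the expected name and
# IP, a numeric ID and a 64-hex-character secret (what OSSEC 2.8 generates).
#   $1 = key as shown by manage_agents, $2 = agent name, $3 = agent IP or "any"
validate_agent_key() {
    want_name=$2
    want_ip=$3
    line=$(decode_agent_key "$1") || return 1
    # shellcheck disable=SC2086  # split the decoded line into its four fields
    set -- $line
    [ $# -eq 4 ] || return 1
    id=$1; name=$2; ip=$3; secret=$4
    case $id in ''|*[!0-9]*) return 1 ;; esac
    [ "$name" = "$want_name" ] || return 1
    [ "$ip" = "$want_ip" ] || return 1
    [ ${#secret} -eq 64 ] || return 1
    case $secret in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Print the IP embedded in the key so the operator can confirm it matches the host.
agent_key_ip() {
    decode_agent_key "$1" | awk '{ print $3 }'
}

# Constructed sample key (not a real one): the line an OSSEC 2.8 server would hold
# in client.keys for agent 001, encoded the way manage_agents exports it.
SAMPLE_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '%s' "001 ansible1 10.0.0.11 $SAMPLE_SECRET" | base64 | tr -d '\n')

# Usage: sh check_agent_key.sh '<key pasted from the server>' <agent name> <agent ip>
if [ $# -eq 3 ]; then
    if validate_agent_key "$1" "$2" "$3"; then
        echo "key OK for $2 (IP $(agent_key_ip "$1"))"
    else
        echo "key REJECTED: check the agent name/IP and that no whitespace was pasted"
        exit 1
    fi
fi
```

Because the decoded line carries the agent's IP and the shared secret in clear, the exported key deserves the same care as a password: send it to the agent over an authenticated channel and keep /var/ossec/etc/client.keys readable by root and the ossec group only.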

  Finally, check on the server that the agents are running. Run /var/ossec/bin/agent_control -l on the server to list the agents that were added:

[root@master ossec]# /var/ossec/bin/agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: master (server), IP:, Active/Local
   ID: 002, Name: ansible2, IP:, Active
   ID: 001, Name: ansible1, IP:, Active

List of agentless devices:

3.3 Configure e-mail notification


  1. Install the required packages
yum install -y postfix mailx cyrus-sasl cyrus-sasl-plain    # Postfix and the SASL packages it needs for authenticated relaying
  2. Edit the Postfix configuration file /etc/postfix/main.cf
cat >> /etc/postfix/main.cf << EOF
relayhost = [smtp.163.com]:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
EOF
  3. Configure the account and password of the sending mailbox
echo "[smtp.163.com]:25 superlollipop@163.com:QFIANRBFCXMHEOVA" > /etc/postfix/sasl_passwd
# format: [SMTP server address]:port USERNAME@gmail.com:PASSWORD
postmap /etc/postfix/sasl_passwd    # rebuild the Postfix lookup table so the change takes effect

  PASSWORD is the third-party client authorization code issued by the mail provider, not the login password; consult the provider's documentation to obtain one. If postmap complains that libmysqlclient.so.18 is missing, install the MySQL client library with yum install mariadb-libs. For common mail servers and their ports, see the article: 常用的邮箱服务器(SMTP、POP3)地址、端口 (common SMTP/POP3 server addresses and ports).

  4. Fix the owner and permissions of the password file and its DB file
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
  5. Start the Postfix service
systemctl start postfix
  6. Test that the configuration works
echo "Test mail from postfix" | mail -s "Test Postfix" -r "superlollipop@163.com" 1769128867@qq.com
# -s subject: mail subject; -r from-addr: sender address; 1769128867@qq.com is the recipient address


  7. Configure the /var/ossec/etc/ossec.conf file as follows:

  Note: the <global> element goes inside the <ossec_config> element; see the official documentation: Alerts to a single E-Mail Address

  8. Restart the OSSEC service
/var/ossec/bin/ossec-control restart


  Then mark the rule that should trigger a notification:

<rule id="5555" level="3">                    <!-- this rule already exists by default -->
  <options>alert_by_email</options>           <!-- adding alert_by_email makes the rule send an e-mail notification -->
  <match>: password changed for</match>
  <description>User changed password.</description>
</rule>

  Save the file, then run /var/ossec/bin/ossec-control restart to apply the change. As a test, change the root password on the server; an e-mail notification is received, as shown in the figure below:

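Steps 1 to 8 leave three things that are easy to get wrong: the sasl_passwd files must stay mode 0600 (they hold the relay credential), postmap must be re-run after every edit of sasl_passwd or Postfix keeps using the old table, and ossec.conf must actually have e-mail notification switched on in <global> before any rule marked alert_by_email produces mail. The script below is an added example, not from the original post or the OSSEC project, that checks those three points. It runs against constructed sample files in a temporary directory; pass the real /etc/postfix/sasl_passwd, /var/ossec/etc/ossec.conf and rules file to check a live install. The <email_notification>, <email_to>, <smtp_server> and <email_from> elements in the sample are the standard OSSEC <global> e-mail settings; the sample credential and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project): verify the
# mail-notification prerequisites set up in section 3.3.

# 1. Postfix relay credential: both files must be mode 0600, and the .db must not
#    be older than the source file (otherwise postmap was not re-run after an edit).
#    $1 = sasl_passwd path, $2 = its .db (defaults to "$1.db")
check_sasl_passwd() {
    src=${1:-/etc/postfix/sasl_passwd}
    db=${2:-$src.db}
    for f in "$src" "$db"; do
        [ -f "$f" ] || { echo "missing $f"; return 1; }
        mode=$(stat -c '%a' "$f") || return 1
        [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600"; return 1; }
    done
    if [ "$src" -nt "$db" ]; then
        echo "$db is older than $src: run 'postmap $src'"
        return 1
    fi
    return 0
}

# 2. ossec.conf: e-mail notification must be on, with a recipient and SMTP server set.
ossec_email_enabled() {
    conf=${1:-/var/ossec/etc/ossec.conf}
    grep -q '<email_notification>yes</email_notification>' "$conf" || return 1
    grep -q '<email_to>[^<]*@[^<]*</email_to>' "$conf" || return 1
    grep -q '<smtp_server>[^<][^<]*</smtp_server>' "$conf" || return 1
}

# 3. Which rules will actually mail: print the id of every <rule> whose <options>
#    contains alert_by_email (rule 5555 in the post).
rules_with_email_alert() {
    awk '
        /<rule id="/ { match($0, /id="[0-9]+"/); id = substr($0, RSTART + 4, RLENGTH - 5) }
        /<options>alert_by_email<\/options>/ { print id }
    ' "$1"
}

# Constructed sample files standing in for the live config (not the real paths).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SAMPLE_PASSWD=$TMP/sasl_passwd
printf '%s\n' '[smtp.example.com]:25 ossec@example.com:APP_PASSWORD_PLACEHOLDER' > "$SAMPLE_PASSWD"
cp "$SAMPLE_PASSWD" "$SAMPLE_PASSWD.db"      # stands in for the table postmap builds
chmod 0600 "$SAMPLE_PASSWD" "$SAMPLE_PASSWD.db"

SAMPLE_CONF=$TMP/ossec.conf
cat > "$SAMPLE_CONF" << 'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
</ossec_config>
EOF

SAMPLE_RULES=$TMP/local_rules.xml
cat > "$SAMPLE_RULES" << 'EOF'
<group name="syslog,">
  <rule id="5555" level="3">
    <options>alert_by_email</options>
    <match>: password changed for</match>
    <description>User changed password.</description>
  </rule>
  <rule id="5556" level="3">
    <description>No e-mail for this rule.</description>
  </rule>
</group>
EOF

# Run the checks against the samples (substitute the real paths for a live install).
if check_sasl_passwd "$SAMPLE_PASSWD" && ossec_email_enabled "$SAMPLE_CONF"; then
    echo "mail notification prerequisites OK; rules that send mail: $(rules_with_email_alert "$SAMPLE_RULES" | tr '\n' ' ')"
else
    echo "mail notification is not fully configured"
fi
```

The .db timestamp check is the one people forget: editing sasl_passwd without running postmap again silently leaves Postfix authenticating with the old credential, and the only symptom is a relay rejection in /var/log/maillog.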
4. References

[1] 全网最详细的最新稳定OSSEC搭建部署 (the most detailed guide to deploying the latest stable OSSEC)

[2] SMTP server with authentication.

[3] Alerts to a single E-Mail Address


