Configuring OSSEC

Useful links, though a bit outdated:

How to add an access log for OSSEC to monitor. The addfile helper is the util.sh script shipped in /var/ossec/bin; it appends a <localfile> entry for the path to ossec.conf, and the optional trailing argument sets the log_format (syslog if omitted, so pass apache for a web server log):
# /var/ossec/bin/util.sh addfile /var/log/httpd/somesite.access_log apache
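The manual equivalent, as an added example that is not part of the original post: this is the entry util.sh writes for you, shown with a second entry for the vhost's error log (that path is an assumption). Both go inside the <ossec_config> element of /var/ossec/etc/ossec.conf.

```xml
<!-- Added example: manual equivalent of "util.sh addfile", inside <ossec_config>
     in /var/ossec/etc/ossec.conf -->
<ossec_config>
  <!-- Apache access log; log_format "apache" selects the apache decoder, so the
       web-log rules (4xx/5xx bursts, scanner signatures, etc.) apply to it -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/somesite.access_log</location>
  </localfile>

  <!-- Error log for the same vhost (assumed path); the apache decoder handles
       both the access and the error log format -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/somesite.error_log</location>
  </localfile>
</ossec_config>
```

After `service ossec restart`, /var/ossec/logs/ossec.log should show an "Analyzing file:" line for each new location; if it does not, check that the ossec user can read the file (Apache logs are often root-only, mode 0600). A sample log line can be pushed through the decoder and rules with /var/ossec/bin/ossec-logtest to confirm it is parsed as apache.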
How to start/stop OSSEC (on a host without the init script, /var/ossec/bin/ossec-control takes the same arguments):
service ossec start
service ossec stop
service ossec restart
service ossec status

You might find it useful to change this file:

nano /var/ossec/etc/ossec.conf

The entries below belong inside the <syscheck> block:

<!-- Frequency that syscheck is executed - set to every 4 hours -->

<!-- Directories to check  (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess$|.php$|.html$|.js$">[path to the root of your site]</directories>


This sets <frequency> (the line the first comment refers to) to 14400 seconds, i.e. a scheduled scan every 4 hours instead of the stock 79200 (22 hours), adds the site root to the monitored paths, and keeps a copy of each changed file so the alert can carry a diff. Three caveats: realtime="yes" needs inotify support and silently falls back to the scheduled scan where it is missing; report_changes="yes" stores a copy of every matching file under /var/ossec/queue/diff, so keep the restrict list tight; and restrict patterns are unanchored substring matches, so a bare ".php" also matches index.php.bak and foo.php.orig, which is why the patterns above end in $. These lines alone do not alert on new files: that also needs <alert_new_files>yes</alert_new_files> in the same <syscheck> block plus the rule change described next.

To enable alerting for new files, first add <alert_new_files>yes</alert_new_files> to the <syscheck> block (syscheck does not report additions at all without it, and the OSSEC documentation notes that new files are only picked up by the scheduled scan, not the realtime watch, so keep the frequency short). Then raise the level of rule 554, which is level 0 (silent) by default. Put the override in /var/ossec/rules/local_rules.xml rather than editing ossec_rules.xml, which an upgrade replaces.


Copy rule 554 into local_rules.xml with overwrite="yes" and change the level to 7 like this:

<rule id="554" level="7" overwrite="yes">
 <description>File added to the system.</description>
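The whole procedure in one place, as an added example that is not from the original post: the syscheck section with the frequency, the new-file switch and the anchored restrict, followed by the rule 554 override in local_rules.xml. The web root /var/www/somesite and its cache directory are assumptions.

```xml
<!-- Added example (not from the original post). Assumed web root: /var/www/somesite -->

<!-- 1. /var/ossec/etc/ossec.conf, syscheck section -->
<ossec_config>
  <syscheck>
    <!-- Scheduled scan every 4 hours; the stock value is 79200 (22 h) -->
    <frequency>14400</frequency>

    <!-- Without this syscheck never reports additions and rule 554 never fires -->
    <alert_new_files>yes</alert_new_files>

    <!-- System binaries: check everything (hash, size, permissions, owner, inode) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>

    <!-- Web root: keep a copy of changed files so the alert carries a diff.
         The restrict patterns end in $ so index.php.bak or foo.js.orig do not
         match; a bare ".php" is an unanchored substring match -->
    <directories realtime="yes" report_changes="yes"
                 restrict=".htaccess$|.php$|.html$|.js$">/var/www/somesite</directories>

    <!-- Application-written areas would otherwise alert on every page build (assumed path) -->
    <ignore>/var/www/somesite/cache</ignore>
  </syscheck>
</ossec_config>

<!-- 2. /var/ossec/rules/local_rules.xml: raise 554 from level 0 to 7 without
        touching ossec_rules.xml. overwrite="yes" replaces the stock rule, so the
        matching conditions (category, decoded_as) must be repeated here -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

Level 7 is not arbitrary: the stock <alerts> block uses <log_alert_level>1</log_alert_level> and <email_alert_level>7</email_alert_level>, so at 7 a new file is both logged and mailed if email alerting is configured; use 3 to 6 if you only want it in alerts.log. To verify, restart OSSEC, create a file such as /var/www/somesite/test.php, and wait for the next scheduled scan: /var/ossec/logs/alerts/alerts.log should record a "Rule: 554" entry for the path.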

