Install and Use OSSEC HIDS on AlmaLinux 10

By Anurag Singh

Updated on Jan 20, 2026

In this tutorial, we'll learn how to install and use OSSEC HIDS on AlmaLinux 10 with a manager and an agent.

What is OSSEC?

OSSEC is a powerful open-source Host Intrusion Detection System (HIDS). We use it to monitor file changes, analyze logs, detect rootkits, and identify suspicious activity across Linux servers. This guide explains how we install OSSEC on AlmaLinux 10, configure a manager and agent, and deploy everything correctly.

Prerequisites

Before we start, let’s ensure we have:

  • An AlmaLinux 10 dedicated server or KVM VPS.
  • Two servers: one for the manager and one for the agent.
  • Root or sudo privileges

Step 1 - Update the AlmaLinux 10 system

We always begin with a clean and updated system.

sudo dnf -y update

Step 2 - Install required dependencies

OSSEC is compiled from source, so development tools and libraries are required.

sudo dnf -y install epel-release
sudo dnf -y groupinstall "Development Tools"
sudo dnf -y install openssl-devel zlib-devel pcre2-devel systemd-devel wget tar

The package systemd-devel is important because OSSEC links against systemd libraries during compilation.

Step 3 - Download OSSEC

On the server that will act as the OSSEC Manager:

cd /tmp
wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.8.0.tar.gz -O ossec.tar.gz
tar -xzf ossec.tar.gz
cd ossec-hids-3.8.0

Installing OSSEC Manager

Step 4 - Run OSSEC installer (Manager)

Start the installation process:

sudo ./install.sh

When prompted:

  • Choose server as installation type
  • Accept default installation directory /var/ossec
  • Configure email alerts if required

At the active response white list prompt, add the agent's IP address:

- Do you want to add more IPs to the white list? (y/n)? [n]: y
   - IPs (space separated): <Your Agent IP>

Once the installer finishes, OSSEC Manager will be installed.

Step 5 - Open firewall ports (Manager only)

Agent-to-manager communication typically uses 1514/UDP in secure mode.

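Agent enrollment/registration is commonly 1515/TCP (depending on setup). That port is used by the ossec-authd enrollment daemon; with the manual key exchange in Steps 7 and 11, the 1515/tcp rule is only needed if we later enroll agents through ossec-authd.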

On the manager:

sudo firewall-cmd --permanent --add-port=1514/udp
sudo firewall-cmd --permanent --add-port=1515/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports

If we’re not enrolling agents (local-only install), we can skip this.

Step 6 - Configure SELinux for OSSEC (if SELinux is enabled)

AlmaLinux uses SELinux by default. Because OSSEC is installed in a custom path, we must allow SELinux to execute its binaries.

Install SELinux management tools if not present:

sudo dnf -y install policycoreutils-python-utils

Apply proper SELinux labels:

sudo semanage fcontext -a -t bin_t "/var/ossec/bin(/.*)?"
sudo restorecon -Rv /var/ossec

This ensures OSSEC programs are allowed to run correctly under SELinux.

Step 7 - Add Agent to Manager (Important)

Before starting OSSEC services, we must register our agent on the manager.

On the OSSEC Manager, run:

sudo /var/ossec/bin/manage_agents

Follow these steps:

  • Select (A) Add agent
  • Enter agent name
  • Enter agent IP address
  • Save the agent

Next, extract the agent key:

  • Select (E) Extract key
  • Choose the agent from the list
  • Copy the generated key

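This key will be required on the agent server. It authenticates the agent to the manager, so copy it over a secure channel such as an SSH session.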

Step 8 - Create systemd service on Manager

Create a service file:

sudo nano /etc/systemd/system/ossec.service

Add:

[Unit]
Description=OSSEC HIDS Manager
After=network.target

[Service]
Type=forking
ExecStart=/var/ossec/bin/ossec-control start
ExecStop=/var/ossec/bin/ossec-control stop
ExecReload=/var/ossec/bin/ossec-control restart
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable ossec
sudo systemctl start ossec

Verify:

sudo /var/ossec/bin/ossec-control status

Installing OSSEC Agent on AlmaLinux 10

Now we configure a client machine as an OSSEC agent.

Step 9 - Install OSSEC on Agent

On the agent server, repeat the installation steps:

sudo dnf -y install epel-release
sudo dnf -y groupinstall "Development Tools"
sudo dnf -y install openssl-devel zlib-devel pcre2-devel systemd-devel wget tar

Download OSSEC:

cd /tmp
wget https://github.com/ossec/ossec-hids/archive/refs/tags/3.8.0.tar.gz -O ossec.tar.gz
tar -xzf ossec.tar.gz
cd ossec-hids-3.8.0

Run installer:

sudo ./install.sh

This time choose:

Installation type: agent

3.1- What's the IP Address or hostname of the OSSEC HIDS server?: <Your Manager IP>

Step 10 - Configure SELinux on Agent

Just like the manager, SELinux must allow OSSEC binaries to run.

sudo dnf -y install policycoreutils-python-utils
sudo semanage fcontext -a -t bin_t "/var/ossec/bin(/.*)?"
sudo restorecon -Rv /var/ossec

Step 11 - Import Agent Key

Before starting the agent, we must import the key generated on the manager.

Run on the agent machine:

sudo /var/ossec/bin/manage_agents

Choose:

  • (I) Import key
  • Paste the key copied from the manager

Exit the tool after successful import.

Step 12 - Configure Manager IP on Agent

Edit agent configuration:

sudo nano /var/ossec/etc/ossec.conf

Add or confirm:

<client>
  <server-ip>MANAGER_IP_ADDRESS</server-ip>
</client>

Replace MANAGER_IP_ADDRESS with the real IP of the OSSEC manager.

Step 13 - Create systemd service on Agent

Create service file:

sudo nano /etc/systemd/system/ossec.service

Add:

[Unit]
Description=OSSEC Agent
After=network.target

[Service]
Type=forking
ExecStart=/var/ossec/bin/ossec-control start
ExecStop=/var/ossec/bin/ossec-control stop
ExecReload=/var/ossec/bin/ossec-control restart
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable ossec
sudo systemctl start ossec

Step 14 - Verify Agent Connection from Manager

Return to the OSSEC Manager and verify the agent:

sudo /var/ossec/bin/agent_control -l

The agent should appear in the list and show as active.
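
To run this check from cron or a monitoring job instead of reading the list by eye, the following added example (not part of the original tutorial) parses the agent list and reports every agent whose status is not Active. The listing is a constructed sample with made-up hostnames and IPs, and the `ID: ..., Name: ..., IP: ..., <status>` line layout is assumed from typical agent_control -l output.

```shell
#!/usr/bin/env bash
# Added example: flag agents that `agent_control -l` does not report as Active.

# Constructed sample of `agent_control -l` output (names and IPs are made up).
sample_listing() {
cat <<'EOF'
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager01 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 192.0.2.10, Active
   ID: 002, Name: db01, IP: 192.0.2.11, Disconnected
   ID: 003, Name: new01, IP: 192.0.2.12, Never connected
EOF
}

# Read a listing on stdin; print "id|name|status" for each agent that is
# neither "Active" nor "Active/Local". Header and blank lines are ignored.
inactive_agents() {
  awk -F', ' '
    /^[[:space:]]*ID: / {
      id = $1;      sub(/^[[:space:]]*ID: /, "", id)
      name = $2;    sub(/^Name: /, "", name)
      status = $NF; sub(/[[:space:]]+$/, "", status)
      if (status !~ /^Active(\/Local)?$/) print id "|" name "|" status
    }'
}

# Return 0 when every listed agent is active, 1 otherwise, and name the
# agents that are not reporting on stderr.
check_agents() {
  local bad
  bad=$(inactive_agents)
  if [ -n "$bad" ]; then
    printf 'Agents not reporting:\n%s\n' "$bad" >&2
    return 1
  fi
}

# Demo on the constructed sample; on the manager use instead:
#   sudo /var/ossec/bin/agent_control -l | check_agents
sample_listing | inactive_agents
```

An agent that stays at "Never connected" after Step 13 usually points to a key import or firewall problem rather than a stopped service.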

Final Verification

On both manager and agent we can confirm OSSEC is running:

sudo /var/ossec/bin/ossec-control status

This should display all OSSEC components running normally.

Conclusion

We have successfully installed OSSEC HIDS on AlmaLinux 10, configured a central manager, added an agent, and deployed OSSEC as a system service. With proper SELinux configuration and correct agent enrollment, OSSEC operates reliably to monitor servers and detect security events.

This setup provides a solid foundation for intrusion detection across Linux environments, helping us maintain stronger security visibility and control.