OSSEC Host Intrusion Detection

www.ossec.net

About this website

OSSEC (Open Source Host-based Intrusion Detection System) is a free, open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. Originally created by Daniel B. Cid in 2004 and acquired by Third Brigade (itself acquired by Trend Micro in 2009), OSSEC remains fully open source under the GNU General Public License version 2.

The platform uses a client-server architecture: OSSEC agents installed on monitored systems forward security events and log data to a central OSSEC manager, which analyses and correlates them. The manager supports over 50 log formats out of the box, including syslog, Windows Event Logs, Apache logs, authentication logs, web server logs, database logs, and firewall logs, and its decoders can be extended to handle custom log formats.

File integrity monitoring (FIM) tracks changes to critical files and directories in real time and alerts on unauthorized modifications to configuration files, binaries, or system libraries. Rootkit detection scans for known rootkit signatures, hidden processes, and hidden ports. Active response enables automated actions in reaction to security events, such as blocking IP addresses via firewall rules or disabling compromised user accounts.

OSSEC runs on Linux, Windows, macOS, Solaris, AIX, HP-UX, and BSD operating systems.
