How to do it...

In this section, we will learn how OSSEC can be installed and configured to monitor a local Ubuntu server. We will then verify the setup by modifying a monitored file and checking that OSSEC raises an alert:

  1. Our first step is to download the latest release of OSSEC from its GitHub repository using the following command:

  2. Change to the directory where the download was saved and extract the archive with the following command:

  3. Move into the extracted directory and list its contents. We will see an install.sh script, which is used to install OSSEC:

  4. Run install.sh as shown here to install OSSEC:

When prompted, select the installation language. For English, type en and press Enter.

  5. Once we press Enter, the following output will be seen:

  6. Press Enter again to continue. The next screen asks which kind of installation we want. Type local to monitor only the server on which OSSEC is being installed (the server and agent types are used when remote hosts report to a central manager), and then press Enter:

  7. Next, choose the install location for OSSEC. The default location is /var/ossec. Press Enter to accept it:

  8. We can configure OSSEC to send email notifications to our local email address. Type y and press Enter to do this:

  9. Next, we are asked whether to run the integrity check daemon (syscheck) and the rootkit detection engine (rootcheck). Enter y for both and press Enter to continue:

  10. Next, enable active response:

  11. Proceed further to enable the firewall-drop response, which blocks the offending source IP in the host firewall when a sufficiently severe rule fires:

  12. We can add IPs to the white list so that active response never blocks them (for example, the address we administer the server from). Otherwise, type n and press Enter to continue:

  13. Next, press Enter to enable remote syslog.

  14. Once all the configuration is done, press Enter to start the installation. As it runs, the output shown here will appear:

  15. When the installation is complete, the following output will be seen:

  16. After completing the installation, we can check the status of OSSEC with the following command:

  17. To start OSSEC, run the following command:

  18. As soon as OSSEC starts, we will get an email alert. Type mail to read it; the message will look like the following:

  19. Our next step is to edit the main configuration file of OSSEC, /var/ossec/etc/ossec.conf. Open it with an editor such as nano.

  20. When we open the file, it shows the email settings we specified during installation. We can change these settings at any time:

  21. According to the default configuration, OSSEC does not alert us when a new file is added to the server. We can change this by adding a new line just under the section, as shown here:

  22. If we want OSSEC to send real-time alerts, we have to change the list of directories that OSSEC checks. To do this, modify the following two lines so that OSSEC reports changes in those directories as they happen. Make the changes as shown here:

  23. Next, modify the local_rules.xml rules file, located inside the /var/ossec/rules directory, to include the rule for new files added to the system:

  24. When the previously mentioned changes are done, save and close the file. Then, restart OSSEC so that the new configuration and rules are loaded:

  25. Now, we will check whether OSSEC is working. Make a small change to /etc/network/interfaces. If OSSEC is working, we should receive an email alert stating that something has changed on the system. An alert such as the following will be seen:
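The configuration edits from the three file-editing steps (new-file alerting, real-time monitoring, and the local rule), collected here as an added example that is not part of the original page. The element names, the two default directory lines and rule ID 554 are OSSEC's own; the email addresses and the 127.0.0.1 SMTP server are assumed values for illustration and should be replaced with the ones entered during installation.

```xml
<!-- /var/ossec/etc/ossec.conf (relevant fragments only) -->
<ossec_config>
  <global>
    <!-- Email settings written by install.sh; values below are assumed -->
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@localhost</email_from>
  </global>

  <syscheck>
    <!-- Frequency of the scheduled scan, in seconds (default: every 22 hours) -->
    <frequency>79200</frequency>

    <!-- Added line: raise an event when a new file appears in a monitored directory -->
    <alert_new_files>yes</alert_new_files>

    <!-- The two default directory lines, with realtime="yes" added so that
         modifications are reported as they happen (inotify) instead of at
         the next scheduled scan -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,">
  <!-- Rule 554 ("File added to the system.") ships at level 0, so it is
       silently dropped. Overwriting it at level 7 makes it an alert; 7 is
       also the default email_alert_level, so it reaches the mailbox. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After saving both files, restart with /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for any configuration or rule parse errors before testing. Two points worth knowing: the email alert for the /etc/network/interfaces test comes from the default checksum-changed rule (550, level 7), not from rule 554; and new-file detection depends on the scheduled scan in older OSSEC releases even for real-time directories, so if a newly created file produces no alert, either wait for the next scan or temporarily lower <frequency> while testing.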
