OSSEC: open source HIDS, Wazuh's ancestor

OSSEC, a Host-based Intrusion Detection System started by Daniel Cid in 2004: log analysis, file integrity monitoring, rootcheck, active response, XML rules/decoders. Version 2.0 released 27 October 2008, GPLv2 licence.


Origins

OSSEC (Open Source Security) was started in 2004 by Daniel B. Cid, a Brazilian developer, as a personal Host-based Intrusion Detection System project. It grew quickly in the open source community as a lightweight solution for monitoring Unix and Windows servers.

On 27 October 2008 OSSEC 2.0 was released, a version that consolidated the agent/manager architecture and improved the rule engine. In 2009 Third Brigade (the company that had taken over OSSEC's commercial development) was acquired by Trend Micro, bringing OSSEC under the Japanese vendor's control.

The licence remained GPLv2 and the code stayed public, but development slowed in the following years — a situation that led in 2015 to the Wazuh fork by Santiago Bassett.

Components

OSSEC is an agent-based HIDS with a centralised architecture:

  • OSSEC manager — central server that receives events from agents, analyses them and generates alerts
  • OSSEC agent — component installed on Linux, Windows, BSD, Solaris, AIX, HP-UX, macOS endpoints
  • Agentless monitoring — for network appliances and systems where agents cannot be installed

Main features

  • Log analysis (logcollector on the endpoint, analysisd on the manager) — parsing and correlation of logs from syslog, Apache, IIS, Windows Event Log, sshd, sudo
  • File Integrity Monitoring (syscheck) — MD5 and SHA1 hashes of critical files and directories, with periodic or real-time change detection
  • Rootcheck — detection of rootkits (known rootkit files and trojaned binaries, hidden processes and ports), hidden files, and system audit/hardening policy checks
  • Active response — script execution in response to alerts (e.g. firewall block of a source IP, account disable), optionally time-limited so the block is lifted automatically
  • XML rules and decoders — rules expressed in structured XML, with decoders that normalise heterogeneous logs into common fields (srcip, user, id, url) the rules can match on
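
The following configuration ties the four modules above together: a custom decoder that extracts user and source IP from an application log, a rule chain that escalates repeated failures from the same IP, syscheck on a few directories, and an active response that blocks the offending IP. It is an added example written for this page, not configuration shipped with OSSEC or taken from ossec.net. The application name `myapp`, its log line format, the path `/var/log/myapp.log`, the rule IDs 100100-100102 (chosen in the 100000-119999 range OSSEC reserves for local rules) and the thresholds are all assumptions; `firewall-drop` is the stock active-response script OSSEC ships with.

```xml
<!-- Constructed sample line that the decoder below is written for:
     Mar  3 10:15:02 web01 myapp: login failed for user alice from 203.0.113.7 -->

<!-- etc/local_decoder.xml : normalise myapp lines into OSSEC fields -->
<decoder name="myapp">
  <program_name>^myapp$</program_name>
</decoder>

<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <prematch>^login failed for user </prematch>
  <!-- offset="after_prematch": the regex starts where the prematch ended -->
  <regex offset="after_prematch">^(\S+) from (\S+)$</regex>
  <!-- map the two capture groups to the standard fields rules can test -->
  <order>user, srcip</order>
</decoder>

<!-- rules/local_rules.xml : rule chain (assumed IDs in the local range) -->
<group name="local,myapp,">
  <!-- level 0: group all myapp events, never alert on its own -->
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>

  <!-- one failed login: low-level alert -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>login failed for user</match>
    <description>myapp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- correlation: repeated 100101 hits from the same srcip within 120 s -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: repeated failed logins from the same source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- etc/ossec.conf fragments -->
<ossec_config>
  <!-- logcollector: feed the application log to the decoders above -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp.log</location>
  </localfile>

  <!-- syscheck (FIM): hash the listed trees every 2 h and watch them in real time -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>

  <!-- active response: the stock firewall-drop command takes the alert's srcip -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- run it on the agent that raised rule 100102; lift the block after 600 s -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100102</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two caveats worth checking before relying on this in production. First, the OSSEC documentation states that a rule with `frequency` actually fires two matches later than the configured value, so tune the number against a test run rather than trusting it literally. Second, a `<timeout>` on the active response keeps a forged source address from locking a legitimate host out permanently, which is the classic failure mode of automated IP blocking; a whitelist of management addresses in `<global>` (`<white_list>`) is the usual companion. Decoder and rule matching can be tried offline with the `ossec-logtest` tool bundled with the manager, pasting the sample line above on standard input.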

Historical adoption

For years OSSEC was the reference HIDS in the open source world:

  • Public administration — perimeter server monitoring
  • ISPs and hosting providers — server compromise detection
  • PCI-DSS compliance — requirements 10 (logs) and 11.5 (FIM) covered natively
  • Splunk, ELK integrations — alert forwarding in syslog or JSON

Legacy

OSSEC introduced a lightweight, modular, extensible HIDS model that influenced later generations of tools. The Wazuh fork — started in 2015 — maintains compatibility with OSSEC decoders and rules, adding modern modules (OpenSearch, dashboard, MITRE ATT&CK, vulnerability detection).

Current state

The original OSSEC project is still active on the ossec.net site, with periodic releases, but most of the ecosystem has shifted to Wazuh due to availability of modern features. OSSEC remains relevant in conservative environments, on legacy systems or where a minimal agent without external dependencies is required.

In the Italian context

OSSEC was adopted by local public administrations, universities and industrial companies as their first open source HIDS, especially in the 2008-2018 decade. Today many of these installations have migrated to Wazuh, but in several contexts OSSEC continues to be used for dedicated servers with a stable risk profile and small-footprint requirements.


References: OSSEC 2.0 (27 October 2008). Founded by Daniel B. Cid in 2004. Third Brigade → Trend Micro acquisition (2009). GPLv2 licence. Modules: log analysis, syscheck (FIM), rootcheck, active response. Wazuh fork started in 2015. Website: https://www.ossec.net
