OSSEC: Open Source HIDS, Wazuh's ancestor

OSSEC, the Host-based Intrusion Detection System founded by Daniel Cid in 2004: log analysis, file integrity monitoring, rootcheck, active response, XML rules and decoders. Version 2.0 was released on 27 October 2008; GPLv2 licence.


Origins

OSSEC — Open Source Security — was started in 2004 by Daniel B. Cid, a Brazilian developer, as a personal Host-based Intrusion Detection System project. The project grew quickly in the Open Source community as a lightweight solution for monitoring Unix and Windows servers.

OSSEC 2.0 was released on 27 October 2008, a version that consolidated the agent/manager architecture and introduced rule-engine improvements. Commercial development is managed by Third Brigade; the code is public under the GPLv2 licence.

Components

OSSEC is an agent-based HIDS with centralised architecture:

  • OSSEC manager — central server that receives events from agents, analyses them and generates alerts
  • OSSEC agent — component installed on Linux, Windows, BSD, Solaris, AIX, HP-UX, macOS endpoints
  • Agentless monitoring — for network appliances and systems where agents cannot be installed

Main features

  • Log analysis (analysisd) — parsing and correlation of logs from syslog, Apache, IIS, Windows Event Log, sshd, sudo
  • File Integrity Monitoring (syscheck) — MD5/SHA hashes of critical files, with detection of changes
  • Rootcheck — detection of rootkits, hidden files, anomalous processes, hardening policies
  • Active response — script execution in response to alerts (blocking an IP address, disabling a user account)
  • XML rules and decoders — rules expressed in structured XML, with decoders for normalising heterogeneous logs
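To make the decoder/rule/active-response pipeline described above concrete, here is an added example (not OSSEC's own code) that models it in Python over constructed sshd log lines: a decoder normalises each line into fields, a base rule fires on every failed login, a correlation rule fires when three failures from the same source arrive within a timeframe, and the high-level alert queues a simulated response. Rule ids, levels, descriptions, the 120-second window and the `firewall-drop` command string are illustrative assumptions, not OSSEC's shipped ruleset.

```python
import re
from collections import defaultdict, deque

# Constructed sample sshd log lines (not captured from a real host).
SAMPLE_LOGS = [
    "Mar  3 10:00:01 web1 sshd[1200]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Mar  3 10:00:03 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2",
    "Mar  3 10:00:04 web1 sshd[1202]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Mar  3 10:00:05 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 40124 ssh2",
    "Mar  3 10:00:06 web1 sshd[1204]: Accepted publickey for deploy from 203.0.113.5 port 50002 ssh2",
    "Mar  3 10:00:07 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 50003 ssh2",
    "Mar  3 10:05:00 web1 sshd[1206]: Failed password for root from 203.0.113.5 port 50004 ssh2",
]
# Decoder: turns a raw sshd line into named fields, the job an OSSEC decoder does.
SSHD_DECODER = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)"
)

def decode(line):
    m = SSHD_DECODER.match(line)
    if not m:
        return None  # no decoder matched: the line is ignored, as OSSEC would
    f = m.groupdict()
    f["ts"] = int(f.pop("h")) * 3600 + int(f.pop("m")) * 60 + int(f.pop("s"))  # seconds since midnight
    return f

# Illustrative rules: a base rule per failed login, plus a correlation rule (if_sid, frequency, timeframe, same source).
BASE_RULE = {"id": 100100, "level": 5, "match": "Failed password", "desc": "sshd: authentication failed"}
CORR_RULE = {"id": 100101, "level": 10, "if_sid": 100100, "frequency": 3, "timeframe": 120,
             "desc": "sshd: brute force attempt (repeated failures from same source)"}

def analyse(lines):
    """Return (alerts, responses): alerts as (rule_id, level, srcip, desc), responses as simulated commands."""
    alerts, responses, hits = [], [], defaultdict(deque)
    for line in lines:
        f = decode(line)
        if not f or BASE_RULE["match"] not in f["event"]:
            continue  # undecodable line, or an event the base rule does not match (e.g. Accepted)
        alerts.append((BASE_RULE["id"], BASE_RULE["level"], f["srcip"], BASE_RULE["desc"]))
        window = hits[f["srcip"]]  # per-source timestamps of base-rule hits
        window.append(f["ts"])
        while window and f["ts"] - window[0] > CORR_RULE["timeframe"]:
            window.popleft()  # expire hits that fell outside the timeframe
        if len(window) >= CORR_RULE["frequency"]:
            alerts.append((CORR_RULE["id"], CORR_RULE["level"], f["srcip"], CORR_RULE["desc"]))
            window.clear()  # fire once per burst, then start counting again
            responses.append(f"firewall-drop {f['srcip']}")  # level 10 alert: response is only recorded, never run
    return alerts, responses
```

Running `analyse(SAMPLE_LOGS)` yields seven alerts, one of them the level-10 correlation alert for 198.51.100.7, while the three failures from 203.0.113.5 never correlate because the first two expire before the third arrives.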

Historical adoption

For years OSSEC was the reference HIDS in the Open Source world:

  • Public administration — perimeter server monitoring
  • ISPs and hosting providers — server compromise detection
  • PCI-DSS compliance — requirements 10 (logs) and 11.5 (FIM) covered natively
  • Splunk and ELK integrations — alert forwarding in syslog or JSON

Legacy

OSSEC introduced a lightweight, modular, extensible HIDS model that has influenced the development of similar tools, Wazuh among them. Combining log analysis, FIM, rootcheck and active response in a single agent has become a reference point for the sector.

In the Italian context

OSSEC is adopted by local public administrations, universities and industrial companies as their first Open Source HIDS, with installations covering perimeter servers and critical systems at a small footprint.


References: OSSEC 2.0 (27 October 2008). Founded by Daniel B. Cid in 2004. Third Brigade commercial sponsor. GPLv2 licence. Modules: log analysis, syscheck (FIM), rootcheck, active response. Website: https://www.ossec.net
