Hello,

First, make sure that you have the awslogs agent installed and configured.

1- Downloading OSSEC:

Set the version you want, for example ossec_version="2.9.0"

wget -O ossec-hids-${ossec_version}.tar.gz https://github.com/ossec/ossec-hids/archive/${ossec_version}.tar.gz

(the -O is needed: without it wget saves the archive as ${ossec_version}.tar.gz, and the checksum and tar commands below would not find the file)

Verify the checksum before extracting anything:

Expected SHA-1 for 2.9.0: abd5741dc474cbce5cc116f46a5ef2528c847918

sha1sum ossec-hids-${ossec_version}.tar.gz

If they match, extract the archive:

tar xfz ossec-hids-${ossec_version}.tar.gz

2- Installation

Create the preloaded-vars file. install.sh reads its answers from this file instead of prompting, so the installation runs unattended:

Create a file named preloaded-vars.conf with exactly the following contents:

 USER_LANGUAGE="en";
 USER_NO_STOP="y";
 USER_INSTALL_TYPE="local";
 USER_DIR="/var/ossec";
 USER_ENABLE_SYSCHECK="y";
 USER_ENABLE_ROOTCHECK="y";
 USER_UPDATE_RULES="y";
 USER_ENABLE_EMAIL="n";
 USER_ENABLE_FIREWALL_RESPONSE="n";
 USER_ENABLE_ACTIVE_RESPONSE="n";


cp preloaded-vars.conf ossec-hids-${ossec_version}/etc/
cd ossec-hids-${ossec_version}
./install.sh (run as root, e.g. with sudo)


Now, before starting it, configure OSSEC through this file:

/var/ossec/etc/ossec.conf

Add <jsonout_output>yes</jsonout_output> to the <global> section so that alerts are also written as JSON, one object per line, to /var/ossec/logs/alerts/alerts.json (this is the file the CloudWatch agent will ship in step 4):

 <global>
 <jsonout_output>yes</jsonout_output>
 <email_notification>no</email_notification>
 </global>

You can add more files to monitor as <localfile> entries under the <!-- Files to monitor (localfiles) --> section.

3- Starting

/var/ossec/bin/ossec-control start

4- CloudWatch Logs agent

Add this stanza to awslogs.conf and restart the awslogs service. Note that initial_position only applies the first time the agent sees the file (before it has saved a position for it); after that it resumes from the saved position, so start_of_file will not re-ship the whole file on every restart:

[/var/ossec/logs/alerts/alerts.json]
file = /var/ossec/logs/alerts/alerts.json
buffer_duration = 5000
log_stream_name = {instance_id}
initial_position = start_of_file
log_group_name = ossec-test
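The four steps above, collected into one script. This is an added example, not code from the original post or from the OSSEC project: the function and variable names are mine, it assumes the awslogs config lives at /etc/awslogs/awslogs.conf (the Amazon Linux package location, override with AWSLOGS_CONF) and is reloaded with "service awslogs restart", and the extra /var/log/secure localfile is only there to show how a localfile entry is added. Running the file with the single argument "install" performs the installation (as root, with network access); running it with no argument just defines the functions, so each step can be tested on throwaway files.

```shell
#!/bin/sh
# Added example (not from the original post). Each step of the procedure
# is a function; install_ossec chains them in order.
set -e

OSSEC_VERSION="${OSSEC_VERSION:-2.9.0}"
# SHA-1 the post gives for the 2.9.0 archive
OSSEC_SHA1="${OSSEC_SHA1:-abd5741dc474cbce5cc116f46a5ef2528c847918}"
OSSEC_DIR="/var/ossec"
# assumption: Amazon Linux package location of the agent config
AWSLOGS_CONF="${AWSLOGS_CONF:-/etc/awslogs/awslogs.conf}"

# Step 1: compare the archive's SHA-1 with the expected value.
# Returns 1 on mismatch so a caller under set -e stops before extracting.
verify_checksum() {
    actual=$(sha1sum "$1" | awk '{print $1}')
    if [ "$actual" = "$2" ]; then return 0; fi
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# Step 2: write the unattended-install answers for install.sh.
write_preloaded_vars() {
    cat > "$1" <<'EOF'
USER_LANGUAGE="en";
USER_NO_STOP="y";
USER_INSTALL_TYPE="local";
USER_DIR="/var/ossec";
USER_ENABLE_SYSCHECK="y";
USER_ENABLE_ROOTCHECK="y";
USER_UPDATE_RULES="y";
USER_ENABLE_EMAIL="n";
USER_ENABLE_FIREWALL_RESPONSE="n";
USER_ENABLE_ACTIVE_RESPONSE="n";
EOF
}

# Step 3a: turn on JSON alert output by inserting the option right after
# the first <global> tag. Idempotent: a second call changes nothing.
enable_jsonout() {
    if grep -q '<jsonout_output>yes</jsonout_output>' "$1"; then return 0; fi
    awk '{ print } /<global>/ && !done { print "    <jsonout_output>yes</jsonout_output>"; done = 1 }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 3b: add a <localfile> block (path, log_format) before the closing
# </ossec_config> tag. Idempotent on the path.
add_localfile() {
    if grep -q "<location>$2</location>" "$1"; then return 0; fi
    awk -v p="$2" -v f="${3:-syslog}" '
        /<\/ossec_config>/ && !done {
            print "  <localfile>"
            print "    <log_format>" f "</log_format>"
            print "    <location>" p "</location>"
            print "  </localfile>"
            done = 1
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 4: append the alerts.json stanza to awslogs.conf unless it is
# already there. $2 is the log group name.
write_awslogs_stanza() {
    if grep -q '^\[/var/ossec/logs/alerts/alerts.json\]' "$1"; then return 0; fi
    cat >> "$1" <<EOF

[/var/ossec/logs/alerts/alerts.json]
file = /var/ossec/logs/alerts/alerts.json
buffer_duration = 5000
log_stream_name = {instance_id}
initial_position = start_of_file
log_group_name = ${2:-ossec-test}
EOF
}

# Full procedure: download, verify, unattended install, configure, start,
# then point the CloudWatch agent at alerts.json. Needs root and network.
install_ossec() {
    tarball="ossec-hids-${OSSEC_VERSION}.tar.gz"
    wget -O "$tarball" "https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz"
    verify_checksum "$tarball" "$OSSEC_SHA1"
    tar xfz "$tarball"
    write_preloaded_vars "ossec-hids-${OSSEC_VERSION}/etc/preloaded-vars.conf"
    (cd "ossec-hids-${OSSEC_VERSION}" && ./install.sh)
    enable_jsonout "$OSSEC_DIR/etc/ossec.conf"
    add_localfile "$OSSEC_DIR/etc/ossec.conf" /var/log/secure syslog   # illustration only
    "$OSSEC_DIR/bin/ossec-control" start
    write_awslogs_stanza "$AWSLOGS_CONF" ossec-test
    service awslogs restart   # assumption: SysV-style service name "awslogs"
}

if [ "${1:-}" = "install" ]; then install_ossec; fi
```

Because every step refuses to duplicate what is already present, the script can be re-run after a partial failure without leaving a second <jsonout_output> tag or a second awslogs stanza behind.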