OSSEC's main functions are log analysis, file integrity checking, rootkit detection, time-based alerting and active response.
/// Server-side installation
1. yum install wget gcc make httpd php php-mysql sendmail MariaDB-server MariaDB MariaDB-devel -y
2. Start the services
systemctl start httpd
systemctl start sendmail.service
systemctl start mariadb
systemctl enable mariadb
mysql_secure_installation
firewall-cmd --permanent --add-service mysql
systemctl restart firewalld.service
3. Create the ossec database
create database ossec;
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
set password for ossec@localhost=PASSWORD('ossec');
flush privileges;
4. Install the OSSEC server:
wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
tar zxf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3/
cd src; make setdb; cd ..
./install.sh
/var/ossec/bin/ossec-control enable database
mysql -uossec -possec ossec < ./src/os_dbd/mysql.schema
chmod u+w /var/ossec/etc/ossec.conf
5. Edit the configuration file: vi /var/ossec/etc/ossec.conf
Add the following inside the <ossec_config> tag:
<database_output>
<hostname>127.0.0.1</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
<remote>
<connection>syslog</connection>
</remote>
6. Generate the client key: /var/ossec/bin/manage_agents
Enter the client's hostname and IP, and record the generated key.
7. Install the web interface:
wget https://github.com/ECSC/analogi/archive/master.zip
unzip master.zip
mv analogi-master/ /var/www/html/analogi
cd /var/www/html/
chown -R apache:apache analogi/
cd analogi/
cp db_ossec.php.new db_ossec.php
// Edit the PHP database connection parameters
vi db_ossec.php
// Add the Apache virtual host
vim /etc/httpd/conf.d/analogi.conf
Alias /analogi /var/www/html/analogi
<Directory /var/www/html/analogi>
Order deny,allow
Deny from all
Allow from 192.168.0.0/16
</Directory>
// Restart Apache; the login URL is http://ip/analogi/
systemctl restart httpd
service ossec start
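As an added example that is not part of these notes, the POSIX shell functions below check the <database_output> block from step 5 and render the step 7 directory allow-list in Apache 2.4 syntax. The sample ossec.conf they write is constructed here from the step 5 values; the function names and the temp-file path are assumptions. Two practitioner caveats are encoded: the notes use 'ossec' as user name, database name and password, which db_password_weak flags so the credential is replaced before the server goes live (it is stored in clear text in ossec.conf); and the Order/Deny/Allow directives in step 7 are Apache 2.2 syntax that httpd 2.4 accepts only through mod_access_compat (loaded by default on CentOS 7), so analogi_acl_24 emits the native Require ip form.

```sh
#!/bin/sh
# Added example, not from the original notes. Checks the <database_output>
# block that step 5 adds to /var/ossec/etc/ossec.conf and renders the step 7
# directory allow-list in Apache 2.4 syntax. Function names are assumptions.

# Write a constructed ossec.conf (the values from step 5) to a temp file
# and print its path, so the checks can be exercised offline.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
  <remote>
    <connection>syslog</connection>
  </remote>
</ossec_config>
EOF
    printf '%s\n' "$f"
}

# Print the lines of the <database_output> block of CONF ($1).
db_output_block() {
    sed -n '/<database_output>/,/<\/database_output>/p' "$1"
}

# Print the text of TAG ($2) inside the <database_output> block of CONF ($1).
db_output_field() {
    db_output_block "$1" | sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" | head -n 1
}

# Succeed when CONF has a <database_output> block carrying the five tags
# step 5 requires and a database type ossec-dbd knows (mysql or postgresql).
db_output_complete() {
    block=$(db_output_block "$1")
    [ -n "$block" ] || return 1
    for tag in hostname username password database type; do
        printf '%s\n' "$block" | grep -q "<$tag>[^<]*</$tag>" || return 1
    done
    case "$(db_output_field "$1" type)" in
        mysql|postgresql) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the database password equals the user name or the database
# name (the notes use 'ossec' for all three), i.e. a guessable credential.
db_password_weak() {
    user=$(db_output_field "$1" username)
    db=$(db_output_field "$1" database)
    pass=$(db_output_field "$1" password)
    [ "$pass" = "$user" ] || [ "$pass" = "$db" ]
}

# Print the analogi <Directory> block for CIDR ($1) using Apache 2.4's
# native Require directive instead of the 2.2 Order/Deny/Allow directives.
analogi_acl_24() {
    printf 'Alias /analogi /var/www/html/analogi\n'
    printf '<Directory /var/www/html/analogi>\n'
    printf '    Require ip %s\n' "$1"
    printf '</Directory>\n'
}
```

Typical use on a real server is `db_output_complete /var/ossec/etc/ossec.conf && ! db_password_weak /var/ossec/etc/ossec.conf` before running `ossec-control enable database`, and `analogi_acl_24 192.168.0.0/16 > /etc/httpd/conf.d/analogi.conf` in place of the hand-written 2.2 block.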
// Client setup
wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
tar zxf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3/
./install.sh
/var/ossec/bin/manage_agents
// Enter the key generated on the server
// Start the OSSEC client: /var/ossec/bin/ossec-control start
Detecting log behaviour with OSSEC: https://www.freebuf.com/articles/system/21383.html
Main functions and principles: https://blog.csdn.net/alextan_/article/details/52080171
https://blog.csdn.net/alextan_/article/details/52040005
Windows client: https://bintray.com/artifact/download/ossec/ossec-hids/ossec-agent-win32-2.8.3.exe
Chinese user manual: https://wenku.baidu.com/view/a40af5320b4c2e3f5727631c.html
Check status: /var/ossec/bin/ossec-control status
/var/ossec/bin/list_agents -a
/var/ossec/bin/agent_control -lc