OSSEC is a powerful Host Intrusion Detection System (HIDS) platform with an exceptional log analysis engine. It was founded by Daniel, one of our Founders. To date, one of the platform's biggest drawbacks has been the lack of a web interface: OSSEC users have always had to work from the terminal, or with one of the few enterprise GUI interfaces released over the years.
Configuring OSSEC to communicate with Trunc is simple. You will make use of the client-syslog daemon (ossec-csyslogd). This daemon was designed to use the server's syslog capability and forwards all of your alerts to a central log platform.
There are four, possibly five, steps, depending on your environment, to getting your OSSEC deployment configured with Trunc:
From your terminal, enable the client-syslog daemon by running this command:
This command starts the ossec-csyslogd daemon.
Then open the OSSEC configuration file (usually /var/ossec/etc/ossec.conf) and add the following block right after the initial <global> entry:
<syslog_output>
  <server>SYSLOGSERVER</server>
  <port>SYSLOGPORT</port>
</syslog_output>
Replace SYSLOGSERVER and SYSLOGPORT with the syslog server and port assigned to your account (shown in your Trunc account settings).
After modifying the configuration file, restart OSSEC:
You're looking for output that shows the daemon has started successfully. Something like this:
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-csyslogd is running...
ossec-integratord is running...
Before Trunc knows which logs to collect, you must tell it where they are coming from. You do this in the Trunc dashboard, under Settings.
Enter the IP address in the input box labelled Add Server IP and be sure to click Allow Server.
The last step, which may not be needed in your environment, is to verify that your firewall allows your server to communicate with the Trunc servers. Here is an example of what you might need to do in iptables.
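The steps above, scripted as an added example (this is my code, not Trunc's or OSSEC's). It validates the port, inserts the <syslog_output> block right after the closing </global> tag so that it sits as a sibling of <global> under <ossec_config> (my reading of "after the initial <global> entry"), refuses to add the same server/port twice, and then, only when TRUNC_APPLY=1 is set, runs OSSEC's standard `ossec-control enable client-syslog`, restarts OSSEC and checks the status output for ossec-csyslogd. The config path, the function names and the TRUNC_APPLY switch are my assumptions; SYSLOGSERVER and SYSLOGPORT still come from your Trunc account.

```shell
#!/bin/sh
# Added example (not Trunc's or OSSEC's own code): apply the syslog_output
# configuration to an OSSEC config file and bring up the client-syslog daemon.
# Assumptions: the config path /var/ossec/etc/ossec.conf, the function names
# and the TRUNC_APPLY switch are mine; server and port come from your account.

# Validate a syslog port: must be an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the <syslog_output> block that ossec-csyslogd reads.
syslog_output_block() {
  printf '  <syslog_output>\n    <server>%s</server>\n    <port>%s</port>\n  </syslog_output>\n' "$1" "$2"
}

# Insert the block into an ossec.conf directly after the closing </global> tag,
# so it is a sibling of <global> under <ossec_config>. Idempotent: a file that
# already names this server/port is left untouched. Non-zero return on error.
add_syslog_output() {
  conf="$1"; server="$2"; port="$3"
  valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
  grep -q '</global>' "$conf" || { echo "no </global> in $conf" >&2; return 3; }
  if grep -qF "<server>$server</server>" "$conf" && grep -qF "<port>$port</port>" "$conf"; then
    return 0
  fi
  tmp="$conf.tmp.$$"
  awk -v blk="$(syslog_output_block "$server" "$port")" '
    { print }
    /<\/global>/ && !done { print blk; done = 1 }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Count the syslog_output blocks in a config (sanity check after editing).
count_syslog_outputs() {
  grep -c '<syslog_output>' "$1"
}

# The full procedure from the page: edit the config, enable client-syslog,
# restart OSSEC and verify that ossec-csyslogd reports as running.
configure_ossec_for_trunc() {
  add_syslog_output /var/ossec/etc/ossec.conf "$1" "$2" || return $?
  /var/ossec/bin/ossec-control enable client-syslog
  /var/ossec/bin/ossec-control restart
  /var/ossec/bin/ossec-control status | grep -q 'ossec-csyslogd is running' \
    || { echo "ossec-csyslogd did not start" >&2; return 4; }
}

# Only touch a live OSSEC install when explicitly asked:
#   TRUNC_APPLY=1 sh trunc-ossec.sh SYSLOGSERVER SYSLOGPORT
if [ "${TRUNC_APPLY:-0}" = 1 ]; then
  configure_ossec_for_trunc "$1" "$2"
fi
```

Run it without TRUNC_APPLY to load the functions harmlessly (for example to test add_syslog_output against a copy of your ossec.conf), and with TRUNC_APPLY=1 as root to apply the change; the final grep on the status output is the same check the page asks you to do by eye.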