OSSEC works on Windows, various flavors of unix and linux, as well as network devices such as switches, routers, and firewalls. It can run stand alone or report to a master server.
Agent installation on RHEL/CentOS
1. Install the Atomic Yum repo:
sudo "wget -q -O - http://www.atomicorp.com/installers/atomic | sh"
2. Install the EPEL repo (We're using 64bit Linux here)
If RHEL 5/CentOS 5,
sudo rpm -ivh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
If RHEL 6/CentOS 6,
sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
3. Install the RPMs from yum (should be about 4 RPMs or so):
sudo yum -y install ossec-hids-client
3a. (optional) Disable the Yum repos for Atomic and EPEL:
sed -i /etc/yum.repos.d/atomic.repo -e 's/enabled = 1/enabled = 0/g' sed -i /etc/yum.repos.d/epel.repo -e 's/enabled = 1/enabled = 0/g'
4. You'll need to set your server (if you even have a central OSSEC server) in the config file like so:
5. (optional) make an exception for the central server (again, if you even have one):
sudo iptables -A INPUT -p udp --dport 1514 -j ACCEPT
That's basically it. It's most definitely worth reading up on the documentation and you should definitely test OSSEC out before using the active rules.