// the find
ossec/ossec-hids
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
OSSEC is a host-based intrusion detection system written in C that does log analysis, file integrity monitoring, rootkit detection, and active response (auto-blocking via firewall rules). It's been around since the mid-2000s and is aimed at sysadmins who need compliance-friendly HIDS on Linux/BSD/Windows without paying for a commercial solution.
The rule engine is genuinely deep: thousands of pre-built decoders and rules covering Apache, nginx, SSH, sudo, PAM, Cisco IOS, and dozens more, each with real log samples in the test suite. Active response scripts are practical and varied: nftables, pf, ipfw, Cloudflare WAF, AWS WAF, PagerDuty, Slack. The agent/server architecture scales to thousands of monitored hosts without re-architecting. CodeQL CI is wired up, which matters for a C codebase parsing untrusted log data.
The project is essentially in maintenance mode; Wazuh forked it years ago, and that's where active development, modern features (like API-driven management and ML-based anomaly detection), and a real web UI live. Most teams choosing OSSEC today are choosing the wrong fork. Configuration is XML-heavy and installation is still a shell script that writes files to /var/ossec; there's no container-native deployment story and the Kubernetes world has mostly moved on. The web UI situation is grim: the official OSSEC web UI is a separate, barely-maintained PHP project. Windows agent support exists but is clearly second-class. If you need OSSEC, you almost certainly want Wazuh instead.
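To make the "XML-heavy configuration" and the rule-engine-to-active-response chain concrete, here is an added example (written for this review, not taken from the project's repository or docs) of a local correlation rule that blocks a source after repeated sshd failures. It assumes the bundled sshd "authentication failed" rule carries id 5716 and that the stock firewall-drop.sh script is present; rule id 100001 is a locally chosen custom id.

```xml
<!-- /var/ossec/rules/local_rules.xml (ids 100000 and up are reserved for local rules) -->
<group name="local,syslog,sshd,">
  <!-- Fire when the stock sshd "authentication failed" rule (id 5716, assumed
       to be the bundled sshd_rules.xml id) matches 6 times from the same
       source address within 120 seconds. -->
  <rule id="100001" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Custom: repeated sshd authentication failures from one source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf (fragment; these blocks sit inside <ossec_config>) -->
<ossec_config>
  <!-- Declare the script and the argument it expects. firewall-drop.sh is the
       stock active-response/bin script that inserts a firewall block rule. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the script to the custom rule only (not to a broad level threshold),
       run it on the host that produced the log, and auto-unblock after 600 s so
       a spoofed or shared source address cannot lock the host out permanently. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100001</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before restarting the manager, paste a sample sshd failure line into /var/ossec/bin/ossec-logtest to confirm the decoder and rule 5716 match, then repeat it to see the chain reach rule 100001.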