OSSEC not using database, where does it store information?


Kyle Hopfensperger

Oct 24, 2014, 5:27:27 PM
to ossec...@googlegroups.com
Hello,

I just created an OSSEC server (14.04) and have it running on a few test machines, both Linux and Windows. I'm wondering where it is storing the information? I have it set up to use mysql but the tables seem to be empty, yet the ossec-wui shows data when I search.


Thanks for the help

dan (ddp)

Oct 27, 2014, 10:23:29 AM
to ossec...@googlegroups.com
On Fri, Oct 24, 2014 at 5:27 PM, Kyle Hopfensperger
<hosinfe...@msn.com> wrote:
> Hello,
>
> I just created an OSSEC server (14.04) and have it running on a few test
> machines, both Linux and Windows. I'm wondering where it is storing the
> information? I have it setup to use mysql but the tables seem to be empty,

There's an alerts (data?) table, I think. Is that one empty?

> yet the ossec-wui shows data when I search.
>

In the past the WUI has used the text logfiles in /var/ossec/logs to
populate the pages. I don't think this has changed.

>
> Thanks for the help
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Andrew Martin

Oct 28, 2014, 9:42:57 AM
to ossec...@googlegroups.com
I am also interested in this topic. If I am understanding it correctly, each time OSSEC scans a client, it essentially creates a list of metadata for each matching file (including filesize, modification time, md5sum, sha1sum, filename, etc). From what I can see, this data is stored in /var/ossec/queue/syscheck/<hostname> and the format is documented here:
http://marc.info/?l=ossec-list&m=135842957311803&w=2

What happens with each subsequent scan? I would guess that OSSEC keeps at least the previous scan around and then diffs it with the most recent scan to see which files have been modified. If so, where is each subsequent scan stored on the OSSEC manager server? For example, is it something like this:
  • /var/ossec/queue/syscheck/<hostname> (most recent scan)
  • /var/ossec/queue/syscheck/<hostname>.1 (scan from 6 hours ago)
  • /var/ossec/queue/syscheck/<hostname>.2 (scan from 12 hours ago)

Thanks!

dan (ddp)

Oct 28, 2014, 9:48:51 AM
to ossec...@googlegroups.com
On Tue, Oct 28, 2014 at 9:42 AM, Andrew Martin
<andrew....@gmail.com> wrote:
> I am also interested in this topic. If I am understanding it correctly, each
> time OSSEC scans a client, it essentially creates a list of metadata for
> each matching file (including filesize, modification time, md5sum, sha1sum,
> filename, etc). From what I can see, this data is stored in
> /var/ossec/queue/syscheck/<hostname> and the format is documented here:
> http://marc.info/?l=ossec-list&m=135842957311803&w=2
>
> What happens with each subsequent scan? I would guess that OSSEC keeps at
> least the previous scan around and then diffs it with the most recent scan
> to see which files have been modified. If so, where is each subsequent scan
> stored on the OSSEC manager server? For example, is it something like this:
>

Nope. New or updated entries are added to the file. Old entries are
commented out.

Andrew Martin

Oct 28, 2014, 1:51:52 PM
to ossec...@googlegroups.com
Okay, thanks for the clarification. Is there a point at which old entries are then purged from the file (or do they remain in there forever)?


dan (ddp)

Oct 28, 2014, 1:52:30 PM
to ossec...@googlegroups.com
On Tue, Oct 28, 2014 at 1:50 PM, Andrew Martin
<andrew....@gmail.com> wrote:
> Okay, thanks for the clarification. Is there a point at which old entries
> are then purged from the file (or do they remain in there forever)?
>

I believe they remain there forever, but I haven't looked at the code.
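
As an added illustration of the behaviour dan describes in his two replies (new states appended, old ones commented out and never purged), here is a small Python parser over a constructed syscheck-style state file; it is not code from the thread or from OSSEC itself. The colon-separated field layout, the `!mtime` marker and the sample values are assumptions made for the example; the real layout is in the message Andrew linked. Because superseded `#` lines stay in the file, the same file doubles as a per-path change history.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample. Field layout size:mode:uid:gid:md5:sha1 !mtime path is an
# ASSUMPTION for illustration; a leading '#' marks an entry superseded by a later scan.
SAMPLE_DB = "\n".join([
    f"#1056:33188:0:0:{'1' * 32}:{'1' * 40} !1414000000 /etc/passwd",
    f"#1060:33188:0:0:{'2' * 32}:{'2' * 40} !1414100000 /etc/passwd",
    f"1071:33188:0:0:{'3' * 32}:{'3' * 40} !1414200000 /etc/passwd",
    f"512:33188:0:0:{'4' * 32}:{'4' * 40} !1414000000 /etc/hosts",
    "this line is damaged and must be skipped, not guessed at",
])

LINE_RE = re.compile(
    r"^(#?)(\d+):(\d+):(\d+):(\d+):([0-9a-f]{32}):([0-9a-f]{40}) !(\d+) (.+)$")

@dataclass
class Entry:
    size: int
    mode: int
    uid: int
    gid: int
    md5: str
    sha1: str
    mtime: int
    path: str
    superseded: bool  # True when the line was commented out by a newer scan

def parse_db(text: str) -> List[Entry]:
    """Parse every recognisable line, in file order; unknown lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flag, size, mode, uid, gid, md5, sha1, mtime, path = m.groups()
        entries.append(Entry(int(size), int(mode), int(uid), int(gid),
                             md5, sha1, int(mtime), path, flag == "#"))
    return entries

def current_state(entries: List[Entry]) -> Dict[str, Entry]:
    """Live state per path: the entries that have not been commented out."""
    return {e.path: e for e in entries if not e.superseded}

def history(entries: List[Entry], path: str) -> List[Entry]:
    """All recorded states for one path, oldest first (old lines are never purged)."""
    return [e for e in entries if e.path == path]

def changed_fields(old: Entry, new: Entry) -> List[str]:
    """Which attributes differ between two recorded states of the same path."""
    return [f for f in ("size", "mode", "uid", "gid", "md5", "sha1", "mtime")
            if getattr(old, f) != getattr(new, f)]
```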