dumb OSSEC database question

Fred Sasse

Jun 15, 2012, 5:34:03 PM
to ossec-list
I am currently using the webui just fine in SLES11. I have ordered
the OSSEC-HIDS book and it is on its way.

I have a dumb database question.

I followed the directions to send output to the mysql database here:

http://www.ossec.net/doc/manual/output/database-output.html

Everything seems to go OK with the mysql commands to do this. However,
I am not convinced that everything in the /var/ossec/logs is going to
the database. Is there a way to check this? My dumb question is
this:

If database output is enabled, should everything that is in /var/ossec/
logs also be in the mysql "ossec" database?

I understand the webui does not use the database output, and only uses
the logs in /var/ossec/logs. That is fine with me.

dan (ddp)

Jun 15, 2012, 7:48:10 PM
to ossec...@googlegroups.com

Only alerts go to the db.

Steve Lodin

Jun 26, 2012, 1:29:49 PM
to ossec...@googlegroups.com
Perhaps you missed a step.  This is a partial document I did earlier in the year when enabling DB support on CentOS...

Steve
--
Cell: +1-317-840-9088
LinkedIn: http://www.linkedin.com/in/stevelodin
Twitter: http://twitter.com/stevelodin

Updating OSSEC to include MySQL capability

Backup Local Configuration Files

We want to keep a copy of files we have modified such as /var/ossec/etc/ossec.conf and /var/ossec/rules/msauth_rules.xml.  It might be easier to keep a backup of the entire /var/ossec/rules and /var/ossec/etc directories.  This can be accomplished using the command:

# tar cvf ossec-backup.tar /var/ossec/rules /var/ossec/etc

Install MySQL

Install the application files.

# yum install mysql
# yum install mysql-server
# yum install mysql-devel

Enable MySQL to start on system boot and start it right now.

# /sbin/chkconfig mysqld on

# /sbin/service mysqld start

Secure the MySQL installation.  This should be required for every MySQL installation

# /usr/bin/mysql_secure_installation

<add mysqld_secure_installation output>

Compile with DB support

Use OSSEC version 2.6

# cd src/; make setdb

Error: PostgreSQL client libraries not installed.

Info: Compiled with MySQL support.

# make all
Stop OSSEC

$ sudo service ossec stop


Copy new OSSEC Binaries to /var/ossec/bin

Enable DB support

AFTER the update is completed, run:

# /var/ossec/bin/ossec-control enable database

Configuring MySQL

Create a database with the following schema:

# mysql -u root -p
<enter root password>

mysql> create database ossec;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> set password for ossec@localhost=PASSWORD('passwd');
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> quit

# mysql -u ossec -p ossec < src/os_dbd/mysql.schema

Configure OSSEC to log to MySQL

Add to /var/ossec/etc/ossec.conf

  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>passwd</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>

Restart OSSEC

# sudo service ossec restart

Confirm database is active

# grep ossec-dbd /var/ossec/logs/ossec.log

Should show <date> <time> ossec-dbd: Connected to database ‘ossec’ at ‘localhost’.

Confirm alerts are in the database

# mysql -u ossec -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 58
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> connect ossec;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id:    59
Current database: ossec

mysql> show tables;
+----------------------------+
| Tables_in_ossec            |
+----------------------------+
| agent                      |
| alert                      |
| category                   |
| data                       |
| location                   |
| server                     |
| signature                  |
| signature_category_mapping |
+----------------------------+
8 rows in set (0.00 sec)

mysql> select * from alert;
+----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
| id | server_id | rule_id | timestamp  | location_id | src_ip | dst_ip | src_port | dst_port | alertid         |
+----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
|  1 |         1 |     502 | 1330541904 |           1 |      0 |      0 |    28623 |    14057 | 1330541903.4855 |
|  2 |         1 |    5901 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5006 |
|  3 |         1 |    5902 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5224 |
|  4 |         1 |    1002 | 1330545953 |           2 |      0 |      0 |    28623 |    14057 | 1330545950.5485 |
|  5 |         1 |    5904 | 1330545963 |           2 |      0 |      0 |    28623 |    14057 | 1330545958.5734 |
+----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
5 rows in set (0.00 sec)

mysql>

On Tue, Jun 26, 2012 at 12:38 PM, Brett Y <cgk...@gmail.com> wrote:
I followed the same tutorials as well and it seems that nothing is going to the database. select * from alert; returns nothing. 
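The two checks Steve's walkthrough ends with (ossec-dbd reporting "Connected to database" in ossec.log, and rows appearing in the alert table) can be turned into a script that answers the original question directly: since only alerts reach MySQL, the alertid column of the alert table should line up with the `** Alert <epoch>.<counter>:` headers in /var/ossec/logs/alerts/alerts.log, and any header with no matching alertid is an alert that never made it into the database. The script below is an added example, not code from the thread or from the OSSEC project; the alerts.log excerpt, the ossec.log lines and the list standing in for the output of `select alertid from alert;` are constructed samples (the alertids and rule numbers are taken from the table Steve posted, the rule descriptions are made up).

```python
"""Cross-check OSSEC alerts.log against the ossec-dbd alert table.

Added example, not part of the thread.  ossec-dbd stores the alert
header id ("<epoch>.<counter>") in alert.alertid, so the ids found in
alerts.log minus the ids present in the table are the alerts that were
never written to MySQL.
"""
import re

# Constructed excerpt of /var/ossec/logs/alerts/alerts.log.  Rule text is
# made up; the ids mirror the rows from the posted "select * from alert".
SAMPLE_ALERTS_LOG = """\
** Alert 1330541903.4855: - ossec,
2012 Feb 29 13:38:23 ossec-server->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1330545944.5006: - syslog,
2012 Feb 29 14:45:44 ossec-server->/var/log/secure
Rule: 5901 (level 4) -> 'constructed rule description'
constructed sample log line

** Alert 1330545999.6000: - syslog,
2012 Feb 29 14:46:39 ossec-server->/var/log/secure
Rule: 5716 (level 5) -> 'constructed rule description'
constructed sample log line
"""

# Constructed result of "select alertid from alert;" (third alert missing).
SAMPLE_DB_ALERTIDS = ["1330541903.4855", "1330545944.5006"]

# Constructed lines from /var/ossec/logs/ossec.log, matching the message
# the walkthrough says to grep for.
SAMPLE_OSSEC_LOG = """\
2012/02/29 13:38:22 ossec-dbd: INFO: Started (pid: 1234).
2012/02/29 13:38:22 ossec-dbd: Connected to database 'ossec' at 'localhost'.
"""

# One alert header per alert; the id is "<epoch>.<counter>".
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):", re.MULTILINE)


def alert_ids_from_log(alerts_log_text):
    """Return every alertid that appears in an alerts.log excerpt, in order."""
    return ALERT_HEADER.findall(alerts_log_text)


def dbd_connected(ossec_log_text):
    """True if ossec-dbd logged a successful database connection."""
    return any("ossec-dbd: Connected to database" in line
               for line in ossec_log_text.splitlines())


def missing_from_db(alerts_log_text, db_alertids):
    """Alerts present in alerts.log but absent from the alert table."""
    stored = set(db_alertids)
    return [aid for aid in alert_ids_from_log(alerts_log_text)
            if aid not in stored]


def report(alerts_log_text, db_alertids, ossec_log_text):
    """Summarise the health of the database output as a dict."""
    logged = alert_ids_from_log(alerts_log_text)
    missing = missing_from_db(alerts_log_text, db_alertids)
    return {
        "dbd_connected": dbd_connected(ossec_log_text),
        "alerts_in_log": len(logged),
        "alerts_in_db": len(set(db_alertids)),
        "missing": missing,
    }


if __name__ == "__main__":
    # On a real server read the files instead and feed the alertid column
    # from "mysql -B -N -e 'select alertid from alert' ossec" into report().
    print(report(SAMPLE_ALERTS_LOG, SAMPLE_DB_ALERTIDS, SAMPLE_OSSEC_LOG))
```

On a live host, replace the constructed strings with the contents of alerts.log and ossec.log and with the alertid column from the ossec database; an empty alert table with `dbd_connected` true and a non-empty `missing` list points at the alerts being generated but not inserted, whereas `dbd_connected` false means ossec-dbd never got as far as MySQL (wrong credentials, database output not enabled, or binaries built without `make setdb`).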