Mysql Integration with Wazuh


ismailctest C
Jan 3, 2024, 11:54:50 PM
to Wazuh | Mailing List
Hi Team,
How do we integrate MySQL with Wazuh?

We need to monitor the MySQL DB for transactions, command execution, etc.

Threat scenarios: command execution; monitoring DROP and DELETE queries; monitoring any other specific DB-level activity and DB service-level events.

1. How do we integrate MySQL?

2. From what location/settings do we need to export logs? What should be enabled for log collection (and what can be ignored)?

3. What alerts can be configured (use cases)?

4. How do we monitor and trigger alerts on MySQL service-related events?

Kindly help with this.



Stuti Gupta
Jan 4, 2024, 12:10:27 AM
to Wazuh | Mailing List
Hi team!
Thank you for using Wazuh.

Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Regards,

Stuti Gupta
Jan 4, 2024, 12:49:55 AM
to Wazuh | Mailing List
Wazuh can be configured to output its alerts into a database. To accomplish this, you must build Wazuh from sources with the desired database type. Currently, PostgreSQL and MySQL databases are supported. For that you can follow these steps:

1. To enable the database output, you need to install the development libraries for the database system you want to configure: yum install mysql-devel
2. Installing dependencies:
yum update -y
yum install make gcc gcc-c++ policycoreutils-python automake autoconf libtool centos-release-scl openssl-devel wget bzip2 devtoolset-7 -y
curl -OL http://packages.wazuh.com/utils/gcc/gcc-9.4.0.tar.gz && tar xzf gcc-9.4.0.tar.gz  && cd gcc-9.4.0/ && ./contrib/download_prerequisites && ./configure --enable-languages=c,c++ --prefix=/usr --disable-multilib --disable-libsanitizer && make -j$(nproc) && make install && ln -fs /usr/bin/g++ /bin/c++ && ln -fs /usr/bin/gcc /bin/cc && cd .. && rm -rf gcc-* && scl enable devtoolset-7 bash
3. CMake 3.18 installation.
curl -OL https://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz && tar -zxf cmake-3.18.3.tar.gz && cd cmake-3.18.3 && ./bootstrap --no-system-curl && make -j$(nproc) && make install
cd .. && rm -rf cmake-*
4. To install the required dependencies to build the python interpreter, follow these steps:
yum install epel-release yum-utils -y
yum-builddep python34 -y
5. Download and extract the latest version: curl -Ls https://github.com/wazuh/wazuh/archive/v4.7.1.tar.gz | tar zx
6. Pre-compile the source code:
cd wazuh-4.7.1/src
make deps && make TARGET=server DATABASE=mysql
7. Run the install.sh script: ./install.sh
8. The installer asks if you want to start Wazuh at the end of the installation. If you choose not to, you can start it later with: systemctl start wazuh-manager
Once the Wazuh manager is installed from sources, you may install the Wazuh indexer, Filebeat, and the Wazuh dashboard following the Installation guide.
9. Create a new database, set up the database user, and add the schema (located in the src/os_dbd directory of the source code):
mysql -u root -p
mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema
10. Add a <database_output> section on the configuration file, located at /var/ossec/etc/ossec.conf. Fill in the block with the right database name and credentials. The hostname must be the IP address of the database server.
<database_output>
  <hostname>192.168.1.122</hostname>
  <username>MySQLadmin</username>
  <password>secret1234</password>
  <database>Alerts_DB</database>
  <type>mysql</type>
</database_output>
systemctl restart wazuh-manager
You can refer to https://documentation.wazuh.com/current/user-manual/manager/manual-database-output.html

To monitor MySQL log files you can use the syslog log format:
<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/<mysql log file that need to be monitored></location>
</localfile>
systemctl restart wazuh-manager
In case your alert doesn't appear in the Wazuh dashboard, verify whether the related log is reaching the archives: grep mysql /var/ossec/logs/archives/archives.log. If the log is in that file but not on the dashboard, then you need to create custom rules and decoders.
Refer to https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Hope this helps. 
Regards,
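The reply above ends at "create custom rules and decoders" without showing what such a decoder and rule would match. The following is an added example, not code from the thread or from the Wazuh project: the decoding and matching that a custom decoder/rule pair for the MySQL general log (the DROP/DELETE/TRUNCATE and privilege-change scenarios from the question) and the MySQL error log (service start/stop and authentication failures) would perform, written as stand-alone Python so the logic can be checked against sample lines before it is translated into XML for /var/ossec/etc/decoders/local_decoder.xml and /var/ossec/etc/rules/local_rules.xml. It assumes the MySQL 8 log line formats (general_log must be enabled with general_log=ON and general_log_file pointing at the file given in <localfile>), the rule IDs are hypothetical values in the 100000+ range Wazuh reserves for custom rules, and every sample line is constructed rather than captured from a real server. The example also shows why matching should be done on the statement's leading verb rather than on a substring: a SELECT whose string literal contains "DROP TABLE" must not fire the destructive-statement rule.

```python
"""Added example (not Wazuh's code): the decoding and matching a custom Wazuh
decoder/rule pair for MySQL logs would do, written as stand-alone Python.

Assumptions: MySQL 8 general_log and error-log line formats; the rule IDs are
hypothetical (Wazuh reserves 100000+ for local rules); all sample lines are
constructed, not captured from a real server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines. In the general log, tabs separate the fields:
# "<ISO timestamp>\t<thread id> <command>\t<argument>".
GENERAL_LOG = [
    "2024-01-04T09:15:02.118233Z\t   12 Connect\tappuser@10.0.0.25 on shop using TCP/IP",
    "2024-01-04T09:15:02.119410Z\t   12 Query\tSELECT id, total FROM orders WHERE id = 42",
    "2024-01-04T09:15:09.551002Z\t   12 Query\tDELETE FROM orders WHERE status = 'cancelled'",
    "2024-01-04T09:15:15.007741Z\t   12 Query\t/* cleanup */ drop table customers_backup",
    "2024-01-04T09:15:16.000000Z\t   12 Query\tSELECT body FROM notes WHERE body LIKE '%DROP TABLE%'",
    "2024-01-04T09:15:18.200000Z\t   12 Query\tGRANT ALL PRIVILEGES ON *.* TO 'deploy'@'%'",
    "2024-01-04T09:15:21.000000Z\t   12 Quit\t",
]
# Constructed error-log lines: "<ts> <thread> [<level>] [MY-xxxxxx] [<subsystem>] <message>".
ERROR_LOG = [
    "2024-01-04T09:20:00.000000Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.35)  MySQL Community Server - GPL.",
    "2024-01-04T09:21:00.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.35'  port: 3306  MySQL Community Server - GPL.",
    "2024-01-04T09:22:00.000000Z 15 [Warning] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.99' (using password: YES)",
]

# Decoder part: split each line into named fields (what a <decoder> with <regex>/<order> does).
GENERAL_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")
ERROR_RE = re.compile(
    r"^(?P<ts>\S+) (?P<thread>\d+) \[(?P<level>\w+)\] \[(?P<code>MY-\d+)\] \[(?P<sub>\w+)\] (?P<msg>.*)$"
)
# Leading /* ... */ comments are a common way to hide the real verb from naive matchers.
COMMENT_RE = re.compile(r"^\s*(/\*.*?\*/\s*)*")

DESTRUCTIVE = {"DROP", "DELETE", "TRUNCATE"}
PRIVILEGE = {"GRANT", "REVOKE", "CREATE USER", "ALTER USER", "DROP USER"}
# Server-side file writes are the usual first step when a DB account is abused for code execution.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE)


@dataclass
class Alert:
    rule_id: int        # hypothetical custom rule ID
    level: int          # Wazuh-style severity 0-15
    description: str
    fields: dict        # decoded fields the rule would expose as alert data


def sql_verb(stmt: str) -> str:
    """Return the statement's leading verb (one or two keywords), ignoring leading comments."""
    words = COMMENT_RE.sub("", stmt).split()
    first = words[0].upper() if words else ""
    second = words[1].upper() if len(words) > 1 else ""
    if first in {"CREATE", "ALTER", "DROP"} and second == "USER":
        return f"{first} USER"
    return first


def evaluate(line: str) -> Optional[Alert]:
    """Rule part: decide whether a single decoded line should raise an alert."""
    m = GENERAL_RE.match(line)
    if m:
        f = m.groupdict()
        if f["cmd"] != "Query":
            return None  # Connect/Quit/Init DB lines are not in scope for these rules
        verb = sql_verb(f["arg"])
        if verb in DESTRUCTIVE:
            return Alert(100101, 10, f"MySQL destructive statement: {verb}", f)
        if verb in PRIVILEGE:
            return Alert(100102, 9, f"MySQL privilege change: {verb}", f)
        if FILE_WRITE_RE.search(f["arg"]):
            return Alert(100103, 12, "MySQL query writes a file on the server", f)
        return None
    m = ERROR_RE.match(line)
    if m:
        f = m.groupdict()
        msg = f["msg"]
        if "Shutdown complete" in msg:
            return Alert(100201, 8, "MySQL service stopped", f)
        if "ready for connections" in msg:
            return Alert(100202, 5, "MySQL service started", f)
        if msg.startswith("Access denied for user"):
            return Alert(100203, 7, "MySQL authentication failure", f)
        return None
    return None  # not a MySQL line; a real decoder chain would hand it to other decoders


def run(lines: List[str]) -> List[Alert]:
    """Evaluate every line and keep only the ones that raise an alert."""
    return [a for a in map(evaluate, lines) if a is not None]


if __name__ == "__main__":
    for a in run(GENERAL_LOG + ERROR_LOG):
        print(f"rule {a.rule_id} level {a.level}: {a.description} (thread {a.fields['thread']})")
```

Run over the constructed input, the general log yields two destructive-statement alerts (the DELETE and the comment-prefixed lowercase DROP) and one privilege-change alert (the GRANT), while the SELECT that merely mentions "DROP TABLE" in a literal is ignored; the error log yields one stop, one start and one authentication-failure alert. When translating this into Wazuh XML, keep the same split: the decoder extracts the command and argument fields, and the rules match on the extracted field rather than on the raw line, which is what keeps the string-literal case from firing.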