Hello,

We're working on a PHP/MySQL based reporting web interface for OSSEC.
Unlike the traditional WUI (which parses logs to present them via a web
interface) we wanted a web based query and reporting engine.
Unfortunately the WUI wasn't able to do things like show all the logs
for X host during Y time or show all the alerts for X host on Y rule.

We ran into several problems with the MySQL integration until version
1.5.  You have to follow the instructions at
http://www.ossec.net/wiki/index.php/Know_How:DatabaseOutput.
Additionally we found that there was no way to correlate the alerts with
the logs that triggered them via the database.  In order to do this we
altered the MySQL database by using:

ALTER TABLE data ADD COLUMN tstamp timestamp DEFAULT now();

You can then use the data.tstamp column to map data to alerts like so:

SELECT d.*, a.* FROM data d, alert a
WHERE a.time = unix_timestamp(d.tstamp)

Since the data is dropped into the database at the same time the
timestamps on the data entries will match timestamps on the alert entries.

Our project is a traditional MVC PHP/MySQL application but still in the
early stages (the object model is complete but we don't have a display
layer worked out yet).  We fully intend to share the completed project
under GPL and hopefully build in some hook for historic NMAP scans of
hosts and potentially down the road integrate with Snort alerts.  If
anyone would like to help please let me know.  I'm also happy to share
the code we have now if anyone is interested.  Hope this helps.

Justin C. Klein Keane

Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 527
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)
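Added example, not code from the post above: a small sqlite3 sketch of the tstamp/time correlation join it describes, run over constructed alert and data rows. Column names other than data.tstamp and alert.time are assumptions, and sqlite's strftime('%s') stands in for MySQL's unix_timestamp(); it also shows that a second-resolution equality join pairs every alert and log line that share a second.

```python
import sqlite3

# Constructed stand-in for the OSSEC "alert" and "data" tables: only the
# columns this sketch needs (the real schema has more; rule_id and full_log
# are assumed names). tstamp mirrors the ALTER TABLE ... DEFAULT now() column.
SCHEMA = """
CREATE TABLE alert (id INTEGER PRIMARY KEY, rule_id INTEGER, time INTEGER);
CREATE TABLE data  (id INTEGER PRIMARY KEY, full_log TEXT,
                    tstamp TEXT DEFAULT CURRENT_TIMESTAMP);
"""

# Constructed sample rows. alert.time is a unix epoch in seconds;
# data.tstamp is the wall-clock value a timestamp column stores (UTC here).
ALERTS = [(1, 5710, 1214251200), (2, 5712, 1214251200), (3, 5501, 1214251260)]
LOGS = [
    (1, "sshd: Failed password for root", "2008-06-23 20:00:00"),
    (2, "sshd: Invalid user admin",       "2008-06-23 20:00:00"),
    (3, "pam_unix: session opened",       "2008-06-23 20:01:00"),
]


def build_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO alert VALUES (?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", LOGS)
    return conn


def correlate(conn):
    """The post's join (a.time = unix_timestamp(d.tstamp)) in explicit
    JOIN form; returns (alert.id, data.id) pairs."""
    return conn.execute(
        "SELECT a.id, d.id FROM alert a JOIN data d "
        "ON a.time = CAST(strftime('%s', d.tstamp) AS INTEGER) "
        "ORDER BY a.id, d.id"
    ).fetchall()


def ambiguous_alerts(pairs):
    """Alert ids matched to more than one log line: rows written in the
    same second collide, and the equality join cannot tell them apart."""
    counts = {}
    for alert_id, _ in pairs:
        counts[alert_id] = counts.get(alert_id, 0) + 1
    return sorted(a for a, n in counts.items() if n > 1)
```

Alerts 1 and 2 both land on log lines 1 and 2 here, so a reporting query should carry an additional discriminator (or a finer-grained timestamp) before treating a match as one-to-one.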

Adriel Desautels wrote:
> Greetings,
>       I am interested in possibly creating a new OSSEC web interface. What 
> sort of back-end database does OSSEC use today? I thought it was mysql, 
> but I think I'm wrong.
> 
> Regards,
>       Adriel T. Desautels
>       Chief Technology Officer
>       Netragard, LLC.
>       Office : 617-934-0269
>       Mobile : 617-633-3821
>       http://www.linkedin.com/pub/1/118/a45
> 
>       Join the Netragard, LLC. Linked In Group:
>       http://www.linkedin.com/e/gis/48683/0B98E1705142
> 
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
> 
> Netragard Whitepaper Downloads:
> -------------------------------
> Choosing the right provider : http://tinyurl.com/2ahk3j
> Three Things you must know  : http://tinyurl.com/26pjsn