Perhaps you missed a step. This is a partial document I did earlier in the year when enabling DB support on CentOS...
Steve
--
Cell: +1-317-840-9088
LinkedIn: http://www.linkedin.com/in/stevelodin
Twitter: http://twitter.com/stevelodin

Updating OSSEC to include MySQL capability

Backup Local Configuration Files

We want to keep a copy of files we have modified such as /var/ossec/etc/ossec.conf and /var/ossec/rules/msauth_rules.xml. It might be easier to keep a backup of the entire /var/ossec/rules and /var/ossec/etc directories. This can be accomplished using the command:

  # tar cvf ossec-backup.tar /var/ossec/rules /var/ossec/etc

Install MySQL

Install the application files.

  # yum install mysql
  # yum install mysql-server
  # yum install mysql-devel

Enable MySQL to start on system boot and start it right now.

  # /sbin/chkconfig mysqld on
  # /sbin/service mysqld start

Secure the MySQL installation. This should be required for every MySQL installation.

  # /usr/bin/mysql_secure_installation
  <add mysqld_secure_installation output>

Compile with DB support

Use OSSEC version 2.6.

  # cd src/; make setdb
  Error: PostgreSQL client libraries not installed.
  Info: Compiled with MySQL support.
  # make all

Stop OSSEC

  $ sudo service ossec stop

Copy new OSSEC binaries to /var/ossec/bin

Enable DB support

AFTER the update is completed, run:

  # /var/ossec/bin/ossec-control enable database

Configuring MySQL

Create a database with the following schema:

  # mysql -u root -p
  <enter root password>
  mysql> create database ossec;
  mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
  Query OK, 0 rows affected (0.00 sec)
  mysql> set password for ossec@localhost=PASSWORD('passwd');
  Query OK, 0 rows affected (0.00 sec)
  mysql> flush privileges;
  Query OK, 0 rows affected (0.00 sec)
  mysql> quit
  # mysql -u ossec -p ossec < src/os_dbd/mysql.schema

Configure OSSEC to log to MySQL

Add to /var/ossec/etc/ossec.conf:

  <database_output>
    <hostname>localhost</hostname>
    <username>ossec</username>
    <password>passwd</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>

Restart OSSEC

  # sudo service ossec restart

Confirm database is active

  # grep ossec-dbd /var/ossec/logs/ossec.log

Should show:

  <date> <time> ossec-dbd: Connected to database 'ossec' at 'localhost'.

Confirm alerts are in the database

  # mysql -u ossec -p
  Enter password:
  Welcome to the MySQL monitor.  Commands end with ; or \g.
  Your MySQL connection id is 58
  Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

  Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

  mysql> connect ossec;
  Reading table information for completion of table and column names
  You can turn off this feature to get a quicker startup with -A

  Connection id:    59
  Current database: ossec

  mysql> show tables;
  +----------------------------+
  | Tables_in_ossec            |
  +----------------------------+
  | agent                      |
  | alert                      |
  | category                   |
  | data                       |
  | location                   |
  | server                     |
  | signature                  |
  | signature_category_mapping |
  +----------------------------+
  8 rows in set (0.00 sec)

  mysql> select * from alert;
  +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
  | id | server_id | rule_id | timestamp  | location_id | src_ip | dst_ip | src_port | dst_port | alertid         |
  +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
  |  1 |         1 |     502 | 1330541904 |           1 |      0 |      0 |    28623 |    14057 | 1330541903.4855 |
  |  2 |         1 |    5901 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5006 |
  |  3 |         1 |    5902 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5224 |
  |  4 |         1 |    1002 | 1330545953 |           2 |      0 |      0 |    28623 |    14057 | 1330545950.5485 |
  |  5 |         1 |    5904 | 1330545963 |           2 |      0 |      0 |    28623 |    14057 | 1330545958.5734 |
  +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
  5 rows in set (0.00 sec)

  mysql>

On Tue, Jun 26, 2012 at 12:38 PM, Brett Y <[email protected]> wrote:
> I followed the same tutorials as well and it seems that nothing is going
> to the database. select * from alert; returns nothing.
>
> On Friday, June 15, 2012 2:34:03 PM UTC-7, Fred Sasse wrote:
>>
>> I am currently using the webui just fine in SLES11. I have ordered
>> the OSSEC-HIDS book and it is on its way.
>>
>> I have a dumb database question.
>>
>> I followed the directions to send output to the mysql database here:
>>
>> http://www.ossec.net/doc/manual/output/database-output.html
>>
>> Everything seems to go OK with the mysql commands to do this. However,
>> I am not convinced that everything in the /var/ossec/logs is going to
>> the database. Is there a way to check this? My dumb question is
>> this:
>>
>> If database output is enabled, should everything that is in /var/ossec/
>> logs also be in the mysql "ossec" database?
>>
>> I understand the webui does not use the database output, and only uses
>> the logs in /var/ossec/logs. That is fine with me.
>
>
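One way to answer the "is everything in /var/ossec/logs also in the database?" question from the thread is to cross-check the alert ids that ossec-dbd stores in the alert table's alertid column against the "** Alert <id>:" headers in alerts.log. The script below is an added example, not code from the thread or from the OSSEC project; the alerts.log text and the DB rows are constructed samples (the rows reuse the alertid/rule_id values shown in the select output above), and the query it assumes you ran to get the rows is SELECT rule_id, alertid FROM alert.

```python
import re

# Constructed sample in OSSEC alerts.log format. The first two alert ids reuse
# values from the `select * from alert` output in the thread; the third
# (1330545950.5485, rule 1002) is deliberately left out of DB_ROWS below.
SAMPLE_ALERTS_LOG = """\
** Alert 1330541903.4855: - ossec,
2012 Feb 29 13:38:23 ossec-server->ossec-monitord
Rule: 502 (level 3) -> 'constructed description'

** Alert 1330545944.5006: - syslog,
2012 Feb 29 14:45:44 ossec-server->/var/log/secure
Rule: 5901 (level 8) -> 'constructed description'

** Alert 1330545950.5485: - syslog,
2012 Feb 29 14:45:50 ossec-server->/var/log/secure
Rule: 1002 (level 2) -> 'constructed description'
"""

# Constructed stand-in for the rows returned by
# `SELECT rule_id, alertid FROM alert` (assumed query, not run here).
DB_ROWS = [(502, "1330541903.4855"), (5901, "1330545944.5006")]

ALERT_HDR = re.compile(r"^\*\* Alert (\d+\.\d+):")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")


def parse_alerts_log(text):
    """Map each alert id found in alerts.log text to its rule id (None if unseen)."""
    alerts, current = {}, None
    for line in text.splitlines():
        hdr = ALERT_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            alerts[current] = None
            continue
        rule = RULE_LINE.match(line)
        if rule and current is not None:
            alerts[current] = int(rule.group(1))
    return alerts


def find_missing(log_alerts, db_rows):
    """Alert ids present in alerts.log but absent from the alert table."""
    stored = {alertid for _rule_id, alertid in db_rows}
    return sorted(aid for aid in log_alerts if aid not in stored)


if __name__ == "__main__":
    parsed = parse_alerts_log(SAMPLE_ALERTS_LOG)
    print("parsed alerts:", parsed)
    print("missing from alert table:", find_missing(parsed, DB_ROWS))
```

On a live server, replace SAMPLE_ALERTS_LOG with the contents of /var/ossec/logs/alerts/alerts.log and DB_ROWS with the query result; an empty missing list means every alert in the log reached ossec-dbd, while a long list with ossec-dbd absent from ossec.log points at the "enable database" step or the database_output block.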
