Very nice write-up! However, I'm getting: ERROR: Error connecting to database 'localhost'(ossec): ERROR: Unknown MySQL server host 'localhost' (0).
If I enter 127.0.0.1 in ossec.conf for the hostname the same error happens, just with 127.0.0.1 instead of saying localhost.

On Tuesday, June 26, 2012 10:29:49 AM UTC-7, Steve wrote:
>
> Perhaps you missed a step. This is a partial document I did earlier in
> the year when enabling DB support on CentOS...
>
> Steve
> --
> Cell: +1-317-840-9088
> LinkedIn: http://www.linkedin.com/in/stevelodin
> Twitter: http://twitter.com/stevelodin
>
> Updating OSSEC to include MySQL capability
>
> Backup Local Configuration Files
>
> We want to keep a copy of files we have modified such as
> /var/ossec/etc/ossec.conf and /var/ossec/rules/msauth_rules.xml. It
> might be easier to keep a backup of the entire /var/ossec/rules and
> /var/ossec/etc directories. This can be accomplished using the command:
>
> # tar cvf ossec-backup.tar /var/ossec/rules /var/ossec/etc
>
> Install MySQL
>
> Install the application files.
>
> # yum install mysql
> # yum install mysql-server
> # yum install mysql-devel
>
> Enable MySQL to start on system boot and start it right now.
>
> # /sbin/chkconfig mysqld on
> # /sbin/service mysqld start
>
> Secure the MySQL installation. This should be required for every MySQL
> installation.
>
> # /usr/bin/mysql_secure_installation
>
> <add mysqld_secure_installation output>
>
> Compile with DB support
>
> Use OSSEC version 2.6
>
> # cd src/; make setdb
>
> Error: PostgreSQL client libraries not installed.
> Info: Compiled with MySQL support.
>
> # make all
>
> Stop OSSEC
>
> $ sudo service ossec stop
>
> Copy new OSSEC Binaries to /var/ossec/bin
>
> Enable DB support
>
> AFTER the update is completed, run:
>
> # /var/ossec/bin/ossec-control enable database
>
> Configuring MySQL
>
> Create a database with the following schema:
>
> # mysql -u root -p
> <enter root password>
>
> mysql> create database ossec;
>
> mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to
> ossec@localhost;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> set password for ossec@localhost=PASSWORD('passwd');
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> flush privileges;
> Query OK, 0 rows affected (0.00 sec)
>
> mysql> quit
>
> # mysql -u ossec -p ossec < src/os_dbd/mysql.schema
>
> Configure OSSEC to log to MySQL
>
> Add to /var/ossec/etc/ossec.conf
>
> <database_output>
> <hostname>localhost</hostname>
> <username>ossec</username>
> <password>passwd</password>
> <database>ossec</database>
> <type>mysql</type>
> </database_output>
>
> Restart OSSEC
>
> # sudo service ossec restart
>
> Confirm database is active
>
> # grep ossec-dbd /var/ossec/logs/ossec.log
>
> Should show <date> <time> ossec-dbd: Connected to database 'ossec' at
> 'localhost'.
>
> Confirm alerts are in the database
>
> # mysql -u ossec -p
> Enter password:
> Welcome to the MySQL monitor. Commands end with ; or \g.
> Your MySQL connection id is 58
> Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
> mysql> connect ossec;
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
> Connection id: 59
> Current database: ossec
>
> mysql> show tables;
> +----------------------------+
> | Tables_in_ossec            |
> +----------------------------+
> | agent                      |
> | alert                      |
> | category                   |
> | data                       |
> | location                   |
> | server                     |
> | signature                  |
> | signature_category_mapping |
> +----------------------------+
> 8 rows in set (0.00 sec)
>
> mysql> select * from alert;
> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
> | id | server_id | rule_id | timestamp  | location_id | src_ip | dst_ip | src_port | dst_port | alertid         |
> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
> |  1 |         1 |     502 | 1330541904 |           1 |      0 |      0 |    28623 |    14057 | 1330541903.4855 |
> |  2 |         1 |    5901 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5006 |
> |  3 |         1 |    5902 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5224 |
> |  4 |         1 |    1002 | 1330545953 |           2 |      0 |      0 |    28623 |    14057 | 1330545950.5485 |
> |  5 |         1 |    5904 | 1330545963 |           2 |      0 |      0 |    28623 |    14057 | 1330545958.5734 |
> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
> 5 rows in set (0.00 sec)
>
> mysql>
>
> On Tue, Jun 26, 2012 at 12:38 PM, Brett Y <[email protected]> wrote:
>
>> I followed the same tutorials as well and it seems that nothing is going
>> to the database. select * from alert; returns nothing.
>>
>> On Friday, June 15, 2012 2:34:03 PM UTC-7, Fred Sasse wrote:
>>>
>>> I am currently using the webui just fine in SLES11. I have ordered
>>> the OSSEC-HIDS book and it is on its way.
>>>
>>> I have a dumb database question.
>>>
>>> I followed the directions to send output to the mysql database here:
>>>
>>> http://www.ossec.net/doc/manual/output/database-output.html
>>>
>>> Everything seems to go OK with the mysql commands to do this. However,
>>> I am not convinced that everything in the /var/ossec/logs is going to
>>> the database. Is there a way to check this? My dumb question is
>>> this:
>>>
>>> If database output is enabled, should everything that is in /var/ossec/
>>> logs also be in the mysql "ossec" database?
>>>
>>> I understand the webui does not use the database output, and only uses
>>> the logs in /var/ossec/logs. That is fine with me.
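An added example (not part of the thread and not OSSEC's own code) that automates the two checks Steve lists, confirming the ossec-dbd connection line in ossec.log and comparing the alert ids in alerts.log against the alert table, which is also how Fred's question can be answered per alert. The log excerpts and the table rows are constructed; the alerts.log layout is assumed from the standard OSSEC format, and the rows are assumed to come from `mysql -N -u ossec -p ossec -e "SELECT rule_id, alertid FROM alert"`.

```python
import re

# Constructed sample of /var/ossec/logs/alerts/alerts.log (not taken from the thread).
ALERTS_LOG = """\
** Alert 1330541903.4855: - ossec,
2012 Feb 29 12:18:23 server->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'

** Alert 1330545944.5006: - syslog,sshd,authentication_failed,
2012 Feb 29 13:25:44 server->/var/log/secure
Rule: 5901 (level 5) -> 'Attempt to login using a non-existent user.'

** Alert 1330545950.5485: - syslog,sshd,
2012 Feb 29 13:25:50 server->/var/log/secure
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
"""
# Constructed ossec.log lines: the success line Steve greps for, and the error from the first post.
OSSEC_LOG_OK = "2012/06/26 10:29:49 ossec-dbd: Connected to database 'ossec' at 'localhost'.\n"
OSSEC_LOG_BAD = ("2012/06/26 10:29:49 ossec-dbd(5202): ERROR: Error connecting to database "
                 "'localhost'(ossec): ERROR: Unknown MySQL server host 'localhost' (0).\n")

# Each alert starts with "** Alert <timestamp.counter>:"; its "Rule:" line follows a few lines later.
ALERT_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):.*?^Rule: (?P<rule>\d+) ", re.M | re.S)
CONNECTED_RE = re.compile(r"ossec-dbd: Connected to database '([^']+)' at '([^']+)'")

def parse_alerts_log(text):
    """Map alert id (the value ossec-dbd stores in alert.alertid) -> rule id."""
    return {m.group("id"): int(m.group("rule")) for m in ALERT_RE.finditer(text)}

def dbd_status(ossec_log):
    """(True, 'db@host') once ossec-dbd logged a connection, else (False, last ossec-dbd error)."""
    last_error = None
    for line in ossec_log.splitlines():
        m = CONNECTED_RE.search(line)
        if m:
            return True, f"{m.group(1)}@{m.group(2)}"
        if "ossec-dbd" in line and "ERROR" in line:
            last_error = line
    return False, last_error

def missing_from_db(log_alerts, db_rows):
    """Return (alert ids in the log but not in the table, ids present but stored with another rule_id)."""
    in_db = {alertid: rule_id for rule_id, alertid in db_rows}
    missing = sorted(a for a in log_alerts if a not in in_db)
    mismatched = sorted(a for a, r in log_alerts.items() if a in in_db and in_db[a] != r)
    return missing, mismatched

if __name__ == "__main__":
    db_rows = [(502, "1330541903.4855"), (5901, "1330545944.5006")]  # constructed query output
    print(dbd_status(OSSEC_LOG_BAD), missing_from_db(parse_alerts_log(ALERTS_LOG), db_rows))
```

A non-empty missing list with a connected ossec-dbd points at alerts that were written to alerts.log but never inserted, which is the symptom Brett describes.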
