I was able to figure it out. I think I used the wrong schema file; I dropped the database and recreated it. All seems to work now.
On Tuesday, June 26, 2012 1:42:52 PM UTC-7, Brett Y wrote:
>
> Very nice write-up! However, I'm getting:
>
> ERROR: Error connecting to database 'localhost'(ossec): ERROR: Unknown MySQL server host 'localhost' (0).
>
> If I enter 127.0.0.1 in ossec.conf for the hostname, the same error happens, just with 127.0.0.1 instead of saying localhost.
>
> On Tuesday, June 26, 2012 10:29:49 AM UTC-7, Steve wrote:
>>
>> Perhaps you missed a step. This is a partial document I did earlier in the year when enabling DB support on CentOS...
>>
>> Steve
>> --
>> Cell: +1-317-840-9088
>> LinkedIn: http://www.linkedin.com/in/stevelodin
>> Twitter: http://twitter.com/stevelodin
>>
>> Updating OSSEC to include MySQL capability
>>
>> Backup Local Configuration Files
>>
>> We want to keep a copy of files we have modified such as /var/ossec/etc/ossec.conf and /var/ossec/rules/msauth_rules.xml. It might be easier to keep a backup of the entire /var/ossec/rules and /var/ossec/etc directories. This can be accomplished using the command:
>>
>> # tar cvf ossec-backup.tar /var/ossec/rules /var/ossec/etc
>>
>> Install MySQL
>>
>> Install the application files.
>>
>> # yum install mysql
>> # yum install mysql-server
>> # yum install mysql-devel
>>
>> Enable MySQL to start on system boot and start it right now.
>>
>> # /sbin/chkconfig mysqld on
>> # /sbin/service mysqld start
>>
>> Secure the MySQL installation. This should be required for every MySQL installation.
>>
>> # /usr/bin/mysql_secure_installation
>>
>> <add mysqld_secure_installation output>
>>
>> Compile with DB support
>>
>> Use OSSEC version 2.6
>>
>> # cd src/; make setdb
>>
>> Error: PostgreSQL client libraries not installed.
>> Info: Compiled with MySQL support.
>>
>> # make all
>>
>> Stop OSSEC
>>
>> $ sudo service ossec stop
>>
>> Copy new OSSEC Binaries to /var/ossec/bin
>>
>> Enable DB support
>>
>> AFTER the update is completed, run:
>>
>> # /var/ossec/bin/ossec-control enable database
>>
>> Configuring MySQL
>>
>> Create a database with the following schema:
>>
>> # mysql -u root -p
>> <enter root password>
>>
>> mysql> create database ossec;
>>
>> mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
>> Query OK, 0 rows affected (0.00 sec)
>>
>> mysql> set password for ossec@localhost=PASSWORD('passwd');
>> Query OK, 0 rows affected (0.00 sec)
>>
>> mysql> flush privileges;
>> Query OK, 0 rows affected (0.00 sec)
>>
>> mysql> quit
>>
>> # mysql -u ossec -p ossec < src/os_dbd/mysql.schema
>>
>> Configure OSSEC to log to MySQL
>>
>> Add to /var/ossec/etc/ossec.conf
>>
>> <database_output>
>>   <hostname>localhost</hostname>
>>   <username>ossec</username>
>>   <password>passwd</password>
>>   <database>ossec</database>
>>   <type>mysql</type>
>> </database_output>
>>
>> Restart OSSEC
>>
>> # sudo service ossec restart
>>
>> Confirm database is active
>>
>> # grep ossec-dbd /var/ossec/logs/ossec.log
>>
>> Should show: <date> <time> ossec-dbd: Connected to database 'ossec' at 'localhost'.
>>
>> Confirm alerts are in the database
>>
>> # mysql -u ossec -p
>> Enter password:
>> Welcome to the MySQL monitor. Commands end with ; or \g.
>> Your MySQL connection id is 58
>> Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
>>
>> Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
>>
>> mysql> connect ossec;
>> Reading table information for completion of table and column names
>> You can turn off this feature to get a quicker startup with -A
>>
>> Connection id: 59
>> Current database: ossec
>>
>> mysql> show tables;
>> +----------------------------+
>> | Tables_in_ossec            |
>> +----------------------------+
>> | agent                      |
>> | alert                      |
>> | category                   |
>> | data                       |
>> | location                   |
>> | server                     |
>> | signature                  |
>> | signature_category_mapping |
>> +----------------------------+
>> 8 rows in set (0.00 sec)
>>
>> mysql> select * from alert;
>> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
>> | id | server_id | rule_id | timestamp  | location_id | src_ip | dst_ip | src_port | dst_port | alertid         |
>> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
>> |  1 |         1 |     502 | 1330541904 |           1 |      0 |      0 |    28623 |    14057 | 1330541903.4855 |
>> |  2 |         1 |    5901 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5006 |
>> |  3 |         1 |    5902 | 1330545948 |           2 |      0 |      0 |    28623 |    14057 | 1330545944.5224 |
>> |  4 |         1 |    1002 | 1330545953 |           2 |      0 |      0 |    28623 |    14057 | 1330545950.5485 |
>> |  5 |         1 |    5904 | 1330545963 |           2 |      0 |      0 |    28623 |    14057 | 1330545958.5734 |
>> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-----------------+
>> 5 rows in set (0.00 sec)
>>
>> mysql>
>>
>> On Tue, Jun 26, 2012 at 12:38 PM, Brett Y <[email protected]> wrote:
>>> I followed the same tutorials as well and it seems that nothing is going to the database. select * from alert; returns nothing.
>>>
>>> On Friday, June 15, 2012 2:34:03 PM UTC-7, Fred Sasse wrote:
>>>>
>>>> I am currently using the webui just fine in SLES11. I have ordered the OSSEC-HIDS book and it is on its way.
>>>>
>>>> I have a dumb database question.
>>>>
>>>> I followed the directions to send output to the mysql database here:
>>>>
>>>> http://www.ossec.net/doc/manual/output/database-output.html
>>>>
>>>> Everything seems to go OK with the mysql commands to do this. However, I am not convinced that everything in the /var/ossec/logs is going to the database. Is there a way to check this? My dumb question is this:
>>>>
>>>> If database output is enabled, should everything that is in /var/ossec/logs also be in the mysql "ossec" database?
>>>>
>>>> I understand the webui does not use the database output, and only uses the logs in /var/ossec/logs. That is fine with me.
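One way to answer Fred's question (whether every alert written to /var/ossec/logs actually reached the ossec database) is to cross-check the alertid column that Steve's select output shows against the alert headers in alerts.log. This is an added example written for this thread, not code from the list or from OSSEC; it assumes the alerts.log block header has the form `** Alert <alertid>:` and that the database side is dumped with `mysql -N -u ossec -p -e 'select alertid from alert' ossec`. The sample log and sample database output below are constructed.

```python
import re

# Header of each alert block in /var/ossec/logs/alerts/alerts.log, e.g.
#   ** Alert 1330541903.4855: - ossec,
# The number after "Alert" is what ossec-dbd stores in alert.alertid
# (compare the alertid column in the select output above).
ALERT_HDR = re.compile(r"^\*\* Alert (\d+\.\d+):")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level \d+\)")


def parse_alerts_log(text):
    """Map alertid -> rule_id for every alert block in alerts.log text."""
    alerts, current = {}, None
    for line in text.splitlines():
        m = ALERT_HDR.match(line)
        if m:
            current = m.group(1)
            alerts[current] = None
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            alerts[current] = int(m.group(1))
    return alerts


def parse_db_alertids(text):
    """One alertid per line, as printed by
    mysql -N -u ossec -p -e 'select alertid from alert' ossec"""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def missing_from_db(log_alerts, db_alertids):
    """alertids present in alerts.log but absent from the alert table."""
    return sorted(a for a in log_alerts if a not in db_alertids)


# Constructed sample data (not captured from a real system).
SAMPLE_LOG = """\
** Alert 1330541903.4855: - ossec,
2012 Feb 29 12:38:23 server->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

** Alert 1330545944.5006: - syslog,
2012 Feb 29 13:45:44 server->/var/log/secure
Rule: 5901 (level 8) -> 'New group added to the system'
Feb 29 13:45:43 server groupadd[2001]: new group: name=ossec, GID=501

** Alert 1330545950.5485: - syslog,
2012 Feb 29 13:45:50 server->/var/log/secure
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb 29 13:45:49 server sshd[2010]: error: something went wrong
"""
SAMPLE_DB = "1330541903.4855\n1330545944.5006\n"

if __name__ == "__main__":
    gap = missing_from_db(parse_alerts_log(SAMPLE_LOG), parse_db_alertids(SAMPLE_DB))
    print("alerts not in database:", gap)  # -> ['1330545950.5485']
```

On a live server, feed it the real alerts.log and the real `mysql -N` dump; an empty result means every logged alert has a row in the alert table, while a non-empty one lists exactly which alertids ossec-dbd never inserted.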
