I have installed OSSEC with the Puppet module provided by Wazuh. With this
module I have set up a server with a couple of agents and I have
enabled MySQL support.
The problem is that the alert table is missing a lot of records after
running OSSEC for a few weeks. The tables category, data, location, server,
signature and signature_category_mapping are getting information, so I
assume the connection with MySQL is working correctly.
In the records that did show up in the database, the fields level, user and
full_log are empty. I expected that all the information that is in
/var/ossec/logs/alerts/alerts.log should also show up in the MySQL table.
On the server, the file /var/ossec/logs/alerts/alerts.log is showing alerts
of all the agents. There are multiple alerts every minute.
/var/ossec/logs/ossec.log is only showing messages about files the system
cannot find.
Any tips on what is going wrong?
OSSEC version: OSSEC HIDS v2.8.3
MySQL version: 5.7.17
Ubuntu: Ubuntu 16.04 server
The ossec.conf on the server looks like this:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>[email protected]</email_from>
    <email_maxperhour>1</email_maxperhour>
    <stats>8</stats>
    <host_information>8</host_information>
  </global>

  <!-- Included rules (static) -->
  <rules>
    <include>rules_config.xml</include>
    ...
  </rules>

  <!-- Most of these rules are defined in the shared agent config -->
  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>yes</auto_ignore>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes" report_changes="no" realtime="no">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>
    <!-- Files/directories to ignore (parameterized) -->
  </syscheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>11</email_alert_level>
  </alerts>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  ...

  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>correct_password</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
Table structure:
CREATE TABLE `alert` (
  `id` int(10) UNSIGNED NOT NULL,
  `server_id` smallint(5) UNSIGNED NOT NULL,
  `rule_id` mediumint(8) UNSIGNED NOT NULL,
  `level` tinyint(3) UNSIGNED DEFAULT NULL,
  `timestamp` int(10) UNSIGNED NOT NULL,
  `location_id` smallint(5) UNSIGNED NOT NULL,
  `src_ip` varchar(46) DEFAULT NULL,
  `dst_ip` varchar(46) DEFAULT NULL,
  `src_port` smallint(5) UNSIGNED DEFAULT NULL,
  `dst_port` smallint(5) UNSIGNED DEFAULT NULL,
  `alertid` varchar(30) DEFAULT NULL,
  `user` text,
  `full_log` text,
  `is_hidden` tinyint(4) NOT NULL DEFAULT '0',
  `tld` varchar(5) NOT NULL DEFAULT ''
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

ALTER TABLE `alert`
  ADD PRIMARY KEY (`id`,`server_id`),
  ADD KEY `alertid` (`alertid`),
  ADD KEY `level` (`level`),
  ADD KEY `time` (`timestamp`),
  ADD KEY `rule_id` (`rule_id`),
  ADD KEY `src_ip` (`src_ip`),
  ADD KEY `tld` (`tld`);

ALTER TABLE `alert`
  MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
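A reconciliation check for the symptom described above, added here as an example and not part of the original post or of OSSEC/Wazuh: it parses the alerts.log block format into records shaped like the alert table's columns, then compares them with rows fetched from that table (here a constructed dict keyed by alertid, standing in for a SELECT of alertid, level, user, full_log) to list alerts missing from the database and rows whose level or full_log are empty. The sample log content is constructed; the `user` column is not treated as required because alerts such as syscheck legitimately carry no user.

```python
import re

# Constructed sample of /var/ossec/logs/alerts/alerts.log content (not from the post).
SAMPLE_ALERTS_LOG = """\
** Alert 1484234567.12345: - syslog,sshd,authentication_failed,
2017 Jan 12 15:22:47 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.4
User: root
Jan 12 15:22:46 agent01 sshd[1234]: Failed password for root from 203.0.113.4 port 50000 ssh2

** Alert 1484234600.12400: mail  - ossec,syscheck,
2017 Jan 12 15:23:20 server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

HEADER = re.compile(r"^\*\* Alert (?P<alertid>\d+\.\d+):")   # "** Alert <epoch>.<seq>: ..."
RULE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\)")

def parse_alerts(text):
    """Split alerts.log into one dict per alert, mirroring the alert table's columns."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):   # alerts are blank-line separated
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m: continue                               # defensively skip non-alert text
        rec = {"alertid": m["alertid"], "timestamp": int(m["alertid"].split(".")[0]),
               "rule_id": None, "level": None, "src_ip": None, "user": None, "full_log": []}
        rec["location"] = lines[1].split(" ", 4)[4]      # everything after "YYYY Mon DD HH:MM:SS"
        for line in lines[2:]:
            r = RULE.match(line)
            if r:
                rec["rule_id"], rec["level"] = int(r["rule_id"]), int(r["level"])
            elif line.startswith("Src IP: "):
                rec["src_ip"] = line[8:]
            elif line.startswith("User: "):
                rec["user"] = line[6:]
            else:
                rec["full_log"].append(line)             # remaining lines are the raw event
        rec["full_log"] = "\n".join(rec["full_log"])
        alerts.append(rec)
    return alerts

def reconcile(alerts, db_rows):
    """Return (alertids absent from db_rows, alertids present but with empty level/full_log)."""
    missing = [a["alertid"] for a in alerts if a["alertid"] not in db_rows]
    empty = [aid for aid, row in db_rows.items() if row.get("level") is None or not row.get("full_log")]
    return missing, empty
```

Run it against the real file and a query such as `SELECT alertid, level, user, full_log FROM alert` loaded into a dict to see which of the two failure modes you are hitting: alerts never inserted, or inserted with empty columns.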