From OSSEC Wiki
How to Set Up Database Output
OSSEC supports MySQL and PostgreSQL database outputs.
Enabling Database support
- Before you run the "./install.sh" script, execute the following:
$ cd ossec-hids-1.4
$ cd src; make setdb; cd ..
$ ./install.sh
- AFTER the install is completed, run:
$ /var/ossec/bin/ossec-control enable database
Configuring MySQL
Create a database with the following schema: http://www.ossec.net/files/other/mysql.schema
Configure OSSEC to forward the alerts to MySQL
- In this example, we are forwarding to 192.168.2.30, using ossec_u as the user.
<ossec_config>
  <database_output>
    <hostname>192.168.2.30</hostname>
    <username>ossec_u</username>
    <password>123xyz</password>
    <database>ossec_db</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
Configuring PostgreSQL
Create a user for OSSEC
$ sudo -u postgres createuser -D -A -P ossec_user
Enter password for new role:
Enter it again:
Shall the new role be allowed to create more new roles? (y/n) n
CREATE ROLE
Create a database for OSSEC
$ sudo -u postgres createdb -O ossec_user ossecdb
CREATE DATABASE
Create the necessary tables from the PostgreSQL schema
http://www.ossec.net/files/other/postgresql.schema
$ wget http://www.ossec.net/files/other/postgresql.schema
$ psql -h 127.0.0.1 -U ossec_user -d ossecdb -f postgresql.schema
Configure OSSEC to forward the alerts to PostgreSQL
- In this example, we are forwarding to 192.168.2.99, using ossec_user as the user.
<ossec_config>
  <database_output>
    <hostname>192.168.2.99</hostname>
    <username>ossec_user</username>
    <password>xyz123</password>
    <database>ossecdb</database>
    <type>postgresql</type>
  </database_output>
</ossec_config>
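Both the MySQL and the PostgreSQL sections above end with the same five-element <database_output> block, and in both cases the database password is stored in ossec.conf in clear text. The following shell snippet is an added example, not code from the OSSEC wiki or the OSSEC project: it renders that block from arguments, rejecting any <type> other than the two backends the page lists, and then checks a finished ossec.conf for exactly one complete block and for file permissions that keep the password away from other users. The function names, the permission rule (no read bit for "other") and the check logic are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the OSSEC wiki page: render the <database_output>
# block used in /var/ossec/etc/ossec.conf and sanity-check the resulting file.
# Function names and the checks applied are this example's own assumptions.

# Print a <database_output> block for ossec.conf.
# Arguments: hostname username password database type
# Fails (exit 1) when type is not one of the two backends OSSEC supports,
# or when any field is empty.
render_database_output() {
    case "$5" in
        mysql|postgresql) ;;
        *) echo "unsupported <type>: $5 (expected mysql or postgresql)" >&2; return 1 ;;
    esac
    for v in "$1" "$2" "$3" "$4"; do
        [ -n "$v" ] || { echo "all five fields are required" >&2; return 1; }
    done
    printf '%s\n' \
        '  <database_output>' \
        "    <hostname>$1</hostname>" \
        "    <username>$2</username>" \
        "    <password>$3</password>" \
        "    <database>$4</database>" \
        "    <type>$5</type>" \
        '  </database_output>'
}

# Count opening occurrences of a tag in a file. grep -c exits 1 on zero
# matches, so swallow that and always print a number.
count_tag() {
    grep -c "<$2>" "$1" || true
}

# Check an ossec.conf: exactly one <database_output> block carrying all five
# elements, a supported <type>, and no read permission for "other", because
# the database password sits in the file in clear text.
check_ossec_conf() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if [ "$(count_tag "$f" database_output)" -ne 1 ]; then
        echo "expected exactly one <database_output> block" >&2; return 1
    fi
    for tag in hostname username password database type; do
        if [ "$(count_tag "$f" "$tag")" -lt 1 ]; then
            echo "missing <$tag> in database_output" >&2; return 1
        fi
    done
    if ! grep -E -q '<type>(mysql|postgresql)</type>' "$f"; then
        echo "<type> must be mysql or postgresql" >&2; return 1
    fi
    # Column 8 of "ls -ld" output is the read bit for "other" (-rw-r--r--).
    if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
        echo "$f is world-readable but holds the DB password; tighten its mode" >&2
        return 1
    fi
    return 0
}
```

Typical use is to source the file, redirect the output of render_database_output into a scratch copy of ossec.conf between the <ossec_config> tags, run check_ossec_conf on the result, and only then copy it into place and restart OSSEC. The permission check is the part worth keeping even if the rest is discarded: the wiki's examples put a real credential into the configuration file, so whatever mode ossec.conf ends up with should not include a read bit for unrelated local users.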