2012-10-28

MySQL logging for OSSec

From their website: "OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

I use OSSec in several places. In my home lab and on my web servers (hosted elsewhere) for starters. While OSSec alone can't take the place of an enterprise-grade SIEM, the HIDS component can work well with them. If you're running a relatively small shop on a limited budget, it might be good enough, especially if you're willing to invest some time into tinkering.

I thought it'd be easier to report on OSSec's alerts if it were somehow able to store them in a database. As it turns out, OSSec can be made to log much of its information to either MySQL or PostgreSQL, but the documentation is a bit spread out and hard to follow.

First things first, you'll have to (re)compile OSSec, and you'll need the MySQL bits and pieces for both the OSSec MySQL connector and a working MySQL server, assuming you want MySQL to run locally on the OSSec server. So make sure you have all the packages you'll need:

sudo apt-get install build-essential libmysqlclient-dev mysql-server

Fetch the OSSec source code and extract it. http://www.ossec.net/

On Ubuntu 12.04 LTS and with OSSec 2.6.0, I had to apply this patch: http://pastebin.com/Pg3pDtr0 - It changes one line in a single Makefile, but it wouldn't compile properly otherwise.

In the "src" directory of the OSSec source code, run "make setdb" and if the proper libraries are installed, you should see something like this:

Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.

Before you install OSSec, you need to create the database, add a MySQL user for OSSec to use, and import the schema.  You can change the username and password below to suit, obviously.

mysql -uroot -p[password]
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('53Cr37p4ss');
mysql> flush privileges;

cd src/os_dbd (in the OSSec source code directory)
mysql ossec -uossec -p53Cr37p4ss < mysql.schema

Go back to the OSSec source code base directory, and run install.sh (as root or with sudo) - Your options will vary, but the defaults are usually sane. 

Once OSSec is installed, you need to add the following snippet to the end of ossec.conf (usually in /var/ossec/etc) - Remember to make sure you edit this to reflect your actual database information.

<ossec_config>
    <database_output>
        <hostname>localhost</hostname>
        <username>ossec</username>
        <password>53Cr37p4ss</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>
</ossec_config>

To enable the ossec-dbd database logging, you must run /var/ossec/bin/ossec-control enable database

Restart ossec (/etc/init.d/ossec restart) and you should be good to go. On my installation, OSSec immediately began populating the "signatures" table, and after a short while, alerts were logging to the "alert" and "data" tables.

My next step is to generate some scheduled email summary reports, but all in all, having logs in a database will certainly make poring through them a much easier task.
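As an added example (not from the original post), here is the kind of summary the next step would need: a query that counts recent alerts per host and rule, joined to the signature table for level and description. The column names are assumed from the mysql.schema in src/os_dbd (alert, signature, server) and must be checked against your copy; the script runs the same query against a constructed in-memory sqlite3 stand-in so it can be tried without a live OSSec database.

```python
"""Daily OSSEC alert summary from the ossec database.
Added example, not part of the original post. Column names are assumed
from the mysql.schema in src/os_dbd: alert(server_id, rule_id, timestamp),
signature(rule_id, level, description), server(id, hostname). Check them
against your copy of the schema before relying on the query.
"""
import sqlite3

# Plain SQL that runs unchanged on MySQL and on the sqlite3 stand-in below
# (with MySQLdb, use %s placeholders instead of ?).
SUMMARY_SQL = """
SELECT sv.hostname, a.rule_id, s.level, s.description, COUNT(*) AS hits
FROM alert a
JOIN signature s ON s.rule_id = a.rule_id
JOIN server sv ON sv.id = a.server_id
WHERE a.timestamp >= ? AND s.level >= ?
GROUP BY sv.hostname, a.rule_id, s.level, s.description
ORDER BY s.level DESC, hits DESC
"""

def summarize(conn, since_ts, min_level=7):
    """Return (hostname, rule_id, level, description, hits) rows for alerts
    newer than since_ts at or above min_level, most severe first."""
    cur = conn.cursor()
    cur.execute(SUMMARY_SQL, (since_ts, min_level))
    return cur.fetchall()

def constructed_db():
    """In-memory stand-in for the ossec database, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE server (id INTEGER PRIMARY KEY, hostname TEXT);
        CREATE TABLE signature (rule_id INTEGER, level INTEGER, description TEXT);
        CREATE TABLE alert (id INTEGER, server_id INTEGER, rule_id INTEGER,
                            timestamp INTEGER, location_id INTEGER);
        INSERT INTO server VALUES (1, 'web01');
    """)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", [
        (5712, 10, "SSHD brute force trying to get access to the system."),
        (550, 7, "Integrity checksum changed."),
        (5501, 3, "Login session opened."),
    ])
    now = 1351382400  # constructed reference time: 2012-10-28 00:00 UTC
    conn.executemany("INSERT INTO alert VALUES (?, 1, ?, ?, 1)", [
        (1, 5712, now - 3600), (2, 5712, now - 1800), (3, 550, now - 600),
        (4, 5501, now - 60),         # below min_level 7, excluded
        (5, 5712, now - 3 * 86400),  # outside the 24h window, excluded
    ])
    return conn, now
```

For a real daily report, call summarize() with a MySQLdb connection to the ossec database and a since_ts of 24 hours ago, then mail the returned rows.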