1. Before we install ossec, we want to recompile it, so it will support 
   databases. 
      1. Install mysql dev libraries: *apt-get install libmysqlclient-dev*
   
Do I need to install the same? If yes, then how should I do so? 
 
 
Below are the steps which I am following to set up the same: 
 
1. Download ossec: *wget http://www.ossec.net/files/ossec-hids-latest.tar.gz* ------------ completed

2. Unzip ossec: *tar zxvf ossec-hids-latest.tar.gz* ------------- completed

3. Before we install ossec, we want to recompile it, so it will support 
   databases. 

   1. Install mysql dev libraries: *apt-get install libmysqlclient-dev*

   2. Go into the ossec-hids-2.5.1/src directory

   3. Run: *make setdb*

   4. It should say: "info: Compiled with MySql support"

   5. Go back one directory

   6. Install ossec by: *./install.sh* 

      1. Choose kind of installation: *server*

      2. Accept all other defaults (and make sure you leave the default [y] 
         for enable remote syslog)

      3. Let's create a database in mysql and user account: 

         1. Run *mysql* (or *mysql -p* if you set a password for the root 
            account on mysql)

         2. Create a database: *create database ossec;*

         3. Create user account: *create user 'ossecuser'@'localhost' identified 
            by 'password_you_want_to_use';*

         4. Set privileges: *grant all privileges on ossec.* to 
            'ossecuser'@'localhost';*

         5. Exit out of mysql by typing: *exit*

         6. Get the mysql schema: *wget http://www.ossec.net/files/other/mysql.schema*

         7. Add the schema to the database: *mysql -p ossec < mysql.schema*

      4. We now can configure ossec to use mysql. Edit the ossec conf file: 
         *nano /var/ossec/etc/ossec.conf*

      5. After </global> add:

         <database_output>
           <hostname>127.0.0.1</hostname>
           <username>ossecuser</username>
           <password>ossecpassword</password>
           <database>ossec</database>
           <type>mysql</type>
         </database_output>

      6. Save the file by pressing control-X

      7. Run the command: */var/ossec/bin/ossec-control enable database*

      8. Restart ossec: */var/ossec/bin/ossec-control restart*

         If things went well the database logging should now be started. You can 
         check this with the command: *grep ossec-dbd /var/ossec/logs/ossec.log*
         It should return:

         *ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.*
         *ossec-dbd: INFO: Started (pid: 9721).*

      9. Let's disable "active-response". Ossec can execute commands based 
         on certain alarms. I found, when using 'agentless remote syslog', that this 
         does not work. When an ESX server is attacked, it will block traffic of the 
         Ossec server, not the actual ESX server.

      10. To disable active response, edit the file */var/ossec/etc/ossec.conf*

      11. Find the section "<active-response>"

      12. Add within the <active-response> segment the following line:
          *<disabled>yes</disabled>*
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
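The ossec.conf edits from steps 5 and 10-12, as an added example that is not part of the original post or of OSSEC itself: it inserts the <database_output> block right after </global>, puts <disabled>yes</disabled> inside <active-response>, and refuses to touch a file that lacks either section rather than guessing. The sample configuration is constructed; the hostname, user and database names are the ones the steps use.

```python
import re

# Added example (not from the original post): patch ossec.conf the way steps
# 5 and 10-12 describe. Pure text processing, run here on the constructed
# sample at the bottom; review the output before writing it to ossec.conf.
DB_BLOCK = """  <database_output>
    <hostname>{host}</hostname>
    <username>{user}</username>
    <password>{password}</password>
    <database>{db}</database>
    <type>mysql</type>
  </database_output>
"""

def add_database_output(conf, host, user, password, db):
    """Insert <database_output> right after </global> (step 5); idempotent.
    The password is stored in clear text, so ossec.conf must stay readable
    only by root and the ossec group."""
    if "<database_output>" in conf:
        return conf
    block = DB_BLOCK.format(host=host, user=user, password=password, db=db)
    new, n = re.subn(r"</global>\n", lambda m: m.group(0) + block, conf, count=1)
    if n != 1:
        raise ValueError("no </global> element found in ossec.conf")
    return new

def disable_active_response(conf):
    """Add <disabled>yes</disabled> inside the first <active-response>
    section (steps 10-12), which turns active response off globally."""
    m = re.search(r"<active-response>(.*?)</active-response>", conf, re.S)
    if m is None:
        raise ValueError("no <active-response> section found")
    if re.search(r"<disabled>\s*yes\s*</disabled>", m.group(1)):
        return conf
    i = m.start(1)
    return conf[:i] + "\n    <disabled>yes</disabled>" + conf[i:]

SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <active-response>
    <command>host-deny</command>
  </active-response>
</ossec_config>
"""  # constructed, cut down from a default ossec.conf

if __name__ == "__main__":
    conf = add_database_output(SAMPLE_CONF, "127.0.0.1", "ossecuser", "pw", "ossec")
    print(disable_active_response(conf))
```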