On Wed, Feb 25, 2015 at 5:33 AM, shankey <[email protected]> wrote:
>
> Before we install ossec, we want to recompile it, so it will support
> databases.
>
> Install mysql dev libraries: apt-get install libmysqlclient-dev
>
> Do I require to install the same? If yes, then how should I do the same?
>
I don't understand your question.

> Below are the steps which I am following to set it up:
>
> 1. Download ossec:
>    wget http://www.ossec.net/files/ossec-hids-latest.tar.gz ------------ completed
>
> 2. Unzip ossec: tar zxvf ossec-hids-latest.tar.gz ------------- completed
>
> 3. Before we install ossec, we want to recompile it, so it will support
>    databases.
>
>    1. Install mysql dev libraries: apt-get install libmysqlclient-dev
>    2. Go into the ossec-hids-2.5.1/src directory
>    3. Run: make setdb
>    4. It should say: "info: Compiled with MySql support"
>    5. Go back one directory
>    6. Install ossec by: ./install.sh
>       1. Choose kind of installation: server
>       2. Accept all other defaults (and make sure you leave the default [y]
>          for enable remote syslog)
>       3. Let's create a database in mysql and a user account:
>          1. Run mysql (or mysql -p if you set a password for the root account on mysql)
>          2. Create a database: create database ossec;
>          3. Create user account: create user 'ossecuser'@'localhost' identified by 'password_you_want_to_use';
>          4. Set privileges: grant all privileges on ossec.* to 'ossecuser'@'localhost';
>          5. Exit out of mysql by typing: exit
>          6. Get the mysql schema: wget http://www.ossec.net/files/other/mysql.schema
>          7. Add the schema to the database: mysql -p ossec < mysql.schema
>
> 4. We now can configure ossec to use mysql. Edit the ossec conf file:
>    nano /var/ossec/etc/ossec.conf
>
> 5. After </global> add:
>    <database_output>
>      <hostname>127.0.0.1</hostname>
>      <username>ossecuser</username>
>      <password>ossecpassword</password>
>      <database>ossec</database>
>      <type>mysql</type>
>    </database_output>
>
> 6. Save the file by pressing control-X
>
> 7. Run the command: /var/ossec/bin/ossec-control enable database
>
> 8. Restart ossec: /var/ossec/bin/ossec-control restart
>    If things went well the database logging should now be started.
>    You can check this with the command: grep ossec-dbd /var/ossec/logs/ossec.log
>    It should return:
>    ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
>    ossec-dbd: INFO: Started (pid: 9721).
>
> 9. Let's disable "active-response". Ossec can execute commands based on
>    certain alarms. I found, when using 'agentless remote syslog', that this does
>    not work. When an ESX server is attacked, it will block traffic of the Ossec
>    server, not the actual ESX server.
>
> 10. To disable active response, edit the file /var/ossec/etc/ossec.conf
>
> 11. Find the section "<active-response>"
>
> 12. Add within the <active-response> segment the following line:
>     <disabled>yes</disabled>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
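The recipe quoted above edits ossec.conf by hand in two places (the <database_output> block after </global>, and <disabled>yes</disabled> inside <active-response>) and then checks ossec.log for the ossec-dbd start-up lines. The script below is an added example, not code from the thread or from the OSSEC project: it makes both edits with awk so they can be re-run safely, and wraps the log check in a function. The function names, the sample ossec.conf and the sample log lines are all constructed for this example; the real files live under /var/ossec, and nothing here touches them. Two points the quoted steps do not spell out: the password written into <password> has to be the one given to CREATE USER (the recipe uses two different placeholders), and since it is stored in clear text, check with ls -l that ossec.conf is not world-readable after editing.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project): apply
# the two ossec.conf edits from the quoted recipe with a script instead of
# nano, and check ossec.log for the ossec-dbd start-up lines. All files
# written below are constructed sample data; the real files are under /var/ossec.

# Emit the <database_output> block for ossec.conf.
# $1=hostname $2=username $3=password $4=database
# The password is stored in clear text, so ossec.conf must not be world-readable.
ossec_db_block() {
    printf '  <database_output>\n'
    printf '    <hostname>%s</hostname>\n' "$1"
    printf '    <username>%s</username>\n' "$2"
    printf '    <password>%s</password>\n' "$3"
    printf '    <database>%s</database>\n' "$4"
    printf '    <type>mysql</type>\n'
    printf '  </database_output>\n'
}

# Print ossec.conf $1 to stdout with two changes:
#   - the block stored in file $2 inserted right after the first </global>
#   - <disabled>yes</disabled> added to the first <active-response> section
# Running it twice makes no further change: an existing <database_output> is
# kept, and <disabled> is only looked for inside <active-response>, so the
# <disabled>no</disabled> of <rootcheck> does not confuse the check.
patch_ossec_conf() {
    if grep -q '<database_output>' "$1"; then db_done=1; else db_done=0; fi
    awk -v blockfile="$2" -v db_done="$db_done" '
        BEGIN { while ((getline l < blockfile) > 0) block = block l "\n" }
        /<active-response>/ { in_ar = 1; seen = 0 }
        in_ar && /<disabled>/ { seen = 1 }
        in_ar && /<\/active-response>/ {
            if (!seen && !ar_done) { print "    <disabled>yes</disabled>"; ar_done = 1 }
            in_ar = 0
        }
        { print }
        /<\/global>/ && db_done == 0 { printf "%s", block; db_done = 1 }
    ' "$1"
}

# Return 0 when the log in $1 shows ossec-dbd both connected and started,
# the same two lines the recipe says grep should return.
ossec_dbd_started() {
    grep -q 'ossec-dbd: Connected to database' "$1" &&
        grep -q 'ossec-dbd: INFO: Started' "$1"
}

# Constructed sample ossec.conf (shape follows the recipe, not a real install).
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF
}

# Constructed sample ossec.log: $2=good has the two ossec-dbd lines, $2=bad does not.
write_sample_log() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
2015/02/25 10:41:02 ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
2015/02/25 10:41:02 ossec-dbd: INFO: Started (pid: 9721).
EOF
    else
        cat > "$1" <<'EOF'
2015/02/25 10:41:02 ossec-analysisd: INFO: Started (pid: 9715).
EOF
    fi
}

# Dry run against the constructed files: print the patched conf and the log verdict.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/ossec.conf"
ossec_db_block 127.0.0.1 ossecuser 'password_you_want_to_use' ossec > "$demo_dir/db.xml"
patch_ossec_conf "$demo_dir/ossec.conf" "$demo_dir/db.xml"
write_sample_log "$demo_dir/ossec.log" good
if ossec_dbd_started "$demo_dir/ossec.log"; then echo "ossec-dbd: up"; else echo "ossec-dbd: not started"; fi
rm -rf "$demo_dir"
```

To use it on a real server, run patch_ossec_conf against /var/ossec/etc/ossec.conf, write the output to a new file, diff it against the original, and only then move it into place before running ossec-control enable database and ossec-control restart as in the recipe.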
