Re: [ossec-list] Wazuh install and mysql

2016-12-13 Thread Sean Roe
Well, I did some more googling and figured out my problem.  I had to delete 
all the agents and reinitialize them on the server and copy the new keys 
over to each agent via:

http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#the-communication-between-my-agent-and-the-server-is-not-working-what-to-do

Thank you guys for listening to my newbieness.

Sean

On Tuesday, December 13, 2016 at 2:50:45 PM UTC-7, Sean Roe wrote:
>
> Hi,
>
> I started over with the ossec-hids-2.8.3-3.  I have been able to get the 
> database working correctly, but I think my agents are messed up.  I ran the 
> ossec batch manager to recreate the keys and I 
> ran /var/ossec/bin/manage_agents -i new key on each of the servers I want 
> to monitor.  I have restarted the ossec processes on both the clients and 
> the ossec server but I don't seem to be getting any connections from the 
> clients.  On the client side I see:
>
> 2016/12/13 14:39:29 ossec-agentd(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.xx.xx.71'.
> 2016/12/13 14:39:31 ossec-agentd: INFO: Trying to connect to server 
> (10.xx.xx.71:1514).
> 2016/12/13 14:39:31 ossec-agentd: INFO: Using IPv4 for: 10.xx.xx.71 .
>
> And I am not seeing any connections on the server side, but I see the port 
> is open:
>
> [root@OSSEC ossec]# netstat -an | grep 1514
> udp        0      0 0.0.0.0:1514            0.0.0.0:*
>
> I checked with our network guy to see if there is a problem there and he 
> confirmed that we aren't blocking the port or anything.
>
> Sean
>
>
> On Monday, December 12, 2016 at 5:37:10 PM UTC-7, jose wrote:
>>
>> Hi Sean,
>>
>> What rpm are you using? wazuh-manager-1.1.1-3 or ossec-hids-2.8.3-3?
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On December 12, 2016 at 5:25:41 PM, Sean Roe (sea...@gmail.com) wrote:
>>
>> Hi all, 
>>
>> I have installed the ossec server using the Wazuh rpms and it is running 
>> well. I have 20 servers sending data to it and they are working great.  I 
>> would like to write the data out to a mysql database and was wondering what 
>> the right procedure would be.  Do I uninstall the rpm first then compile 
>> from source? Or is there an option to enable the database from the rpm 
>> install?  The reason I would like this is to use the old web gui so I can 
>> show the management types "Look we can see quickly what has changed and 
>> when".  I eventually want to integrate with our splunk server but this 
>> seemed like a nice way to show filesystem changes quickly.
>>
>> Thanks,
>> Sean
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
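
Sean's fix above (re-adding the agents and copying fresh keys) is what you do when an agent's `/var/ossec/etc/client.keys` entry no longer matches the manager's. The following Python example is added here and is not part of the original posts or of OSSEC's own tooling: it compares the two files without printing key material. It assumes the usual four-field `ID NAME IP KEY` line format, and all entries and function names in it are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, NamedTuple, Tuple


class KeyEntry(NamedTuple):
    agent_id: str
    name: str
    ip: str
    key: str


def parse_client_keys(text: str) -> Dict[str, KeyEntry]:
    """Parse client.keys content into {agent_id: KeyEntry}.

    Assumes one 'ID NAME IP KEY' entry per line; blank or malformed
    lines are skipped rather than guessed at.
    """
    entries: Dict[str, KeyEntry] = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 4:
            continue
        entry = KeyEntry(*fields)
        entries[entry.agent_id] = entry
    return entries


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint, so the shared secret never lands in a log."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def compare_keys(manager_text: str, agent_text: str) -> List[Tuple[str, str]]:
    """Return (agent_id, problem) pairs for every mismatch found."""
    manager = parse_client_keys(manager_text)
    agent = parse_client_keys(agent_text)
    if not agent:
        return [("-", "agent has no usable key entry")]
    problems: List[Tuple[str, str]] = []
    for agent_id, local in agent.items():
        remote = manager.get(agent_id)
        if remote is None:
            problems.append((agent_id, "ID not present on manager"))
            continue
        if local.name != remote.name:
            problems.append(
                (agent_id, f"name differs: agent={local.name} manager={remote.name}"))
        if local.ip != remote.ip:
            problems.append(
                (agent_id, f"ip differs: agent={local.ip} manager={remote.ip}"))
        # Constant-time comparison of the secret; report fingerprints only.
        if not hmac.compare_digest(local.key.encode(), remote.key.encode()):
            problems.append(
                (agent_id,
                 f"key differs: agent={fingerprint(local.key)} "
                 f"manager={fingerprint(remote.key)}"))
    return problems


# Constructed sample data: the manager's keys after they were regenerated,
# one agent that imported the new key and one still holding the old one.
MANAGER_KEYS = (
    f"001 web01 10.0.0.11 {'a1' * 32}\n"
    f"002 web02 10.0.0.12 {'b2' * 32}\n"
)
FRESH_AGENT = f"001 web01 10.0.0.11 {'a1' * 32}\n"
STALE_AGENT = f"002 web02 10.0.0.12 {'0f' * 32}\n"

if __name__ == "__main__":
    for label, agent_keys in (("web01", FRESH_AGENT), ("web02", STALE_AGENT)):
        found = compare_keys(MANAGER_KEYS, agent_keys)
        if not found:
            print(f"{label}: entry matches the manager")
        for agent_id, problem in found:
            print(f"{label}: agent {agent_id}: {problem}")
```
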


Re: [ossec-list] Wazuh install and mysql

2016-12-13 Thread Sean Roe
Hi,

I started over with the ossec-hids-2.8.3-3.  I have been able to get the 
database working correctly, but I think my agents are messed up.  I ran the 
ossec batch manager to recreate the keys and I 
ran /var/ossec/bin/manage_agents -i new key on each of the servers I want 
to monitor.  I have restarted the ossec processes on both the clients and 
the ossec server but I don't seem to be getting any connections from the 
clients.  On the client side I see:

2016/12/13 14:39:29 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: '10.xx.xx.71'.
2016/12/13 14:39:31 ossec-agentd: INFO: Trying to connect to server 
(10.xx.xx.71:1514).
2016/12/13 14:39:31 ossec-agentd: INFO: Using IPv4 for: 10.xx.xx.71 .

And I am not seeing any connections on the server side, but I see the port 
is open:

[root@OSSEC ossec]# netstat -an | grep 1514
udp        0      0 0.0.0.0:1514            0.0.0.0:*

I checked with our network guy to see if there is a problem there and he 
confirmed that we aren't blocking the port or anything.

Sean


On Monday, December 12, 2016 at 5:37:10 PM UTC-7, jose wrote:
>
> Hi Sean,
>
> What rpm are you using? wazuh-manager-1.1.1-3 or ossec-hids-2.8.3-3?
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On December 12, 2016 at 5:25:41 PM, Sean Roe (sea...@gmail.com) wrote:
>
> Hi all, 
>
> I have installed the ossec server using the Wazuh rpms and it is running 
> well. I have 20 servers sending data to it and they are working great.  I 
> would like to write the data out to a mysql database and was wondering what 
> the right procedure would be.  Do I uninstall the rpm first then compile 
> from source? Or is there an option to enable the database from the rpm 
> install?  The reason I would like this is to use the old web gui so I can 
> show the management types "Look we can see quickly what has changed and 
> when".  I eventually want to integrate with our splunk server but this 
> seemed like a nice way to show filesystem changes quickly.
>
> Thanks,
> Sean


Re: [ossec-list] Does Ossec support MariaDB?

2016-12-13 Thread stelmn
Right, yes.  That was the part that I forgot.  I installed mariadb but not 
mariadb-devel.  Now it compiles without errors.

Thank you!

Natassia

On Tuesday, December 13, 2016 at 4:20:44 AM UTC-8, Eero Volotinen wrote:

> What Linux distribution are you using?
>
> you should install needed maria-db -devel libraries or mysql-devel 
> libraries.
>
> Eero
>
> 2015-09-19 17:42 GMT+03:00 Kai Chung Lau:
>
>> I know Ossec supports PostgreSql and Mysql, but since MariaDb is the 
>> drop-in replacement for Mysql, can Ossec also work with Mariadb? 
>>
>> I have tried recompiling Ossec but it doesn't work. 
>> [root@ju src]# make setdb;
>>
>> Error: PostgreSQL client libraries not installed.
>>
>> Error: DB libraries not installed.
>>


Re: [ossec-list] remoted Dropping Events

2016-12-13 Thread dan (ddp)
On Tue, Dec 13, 2016 at 9:11 AM, Chris Decker  wrote:
> Victor,
>
> I'm at the point where my agents all have valid keys, so I'm unsure as to
> why I have ~ 750 clients and only ~225 are reported as "active" at any one
> time (all of the machines are alive and well, and generating mountains of
> log data  :)).  I wanted to give tcp communication a shot, but it appears
> that <protocol> isn't valid within the client tag:
>
> 2016/12/13 09:05:49 ossec-config(1230): ERROR: Invalid element in the
> configuration: 'protocol'.
>
> 2016/12/13 09:05:49 ossec-config(1202): ERROR: Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
>
> 2016/12/13 09:05:49 ossec-agentd(1215): ERROR: No client configured.
> Exiting.
>
>
> The documentation also doesn't make it appear that <protocol> is an option
> there:
>
> http://ossec.github.io/docs/syntax/head_ossec_config.client.html
>

I believe that's a wazuh extension.

>
> Is there something I am missing?
>
>
>
> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>>
>> Hi,
>>
>> Agents should send a keepalive every 10 minutes (600 seconds) by default,
>> and this should be enough. But you can lower that time in the agent's
>> ossec.conf:
>>
>>
>> <client>
>>   <server-ip>1.2.3.4</server-ip>
>>   <notify_time>60</notify_time>
>> </client>
>>
>>
>> If you see any agent disconnected, check its ossec.log file.
>>
>> On the other hand, as Dan says, the manager will discard two identical
>> consecutive messages, so you should generate different messages for the logs
>> (using a random string or the date).
>>
>> If you think that there could be network congestion, you may try to
>> connect using TCP, adding, at the agent's ossec.conf:
>>
>> <client>
>>   <server-ip>1.2.3.4</server-ip>
>>   <protocol>tcp</protocol>
>> </client>
>>
>> And, on the manager's ossec.conf:
>>
>> <ossec_config>
>>   <remote>
>>     <connection>secure</connection>
>>     <protocol>tcp</protocol>
>>   </remote>
>> </ossec_config>
>>
>> Please test it and write back to us if this doesn't solve the problem. All
>> feedback is welcome.
>>
>> Hope it helps.
>> Best regards.
>>
>>
>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>>
>>>
>>>
>>> On Dec 8, 2016 4:41 PM, "Chris Decker"  wrote:
>>>
>>> All,
>>>
>>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned
>>> from GitHub) that has about 1k active hosts.  I've noticed recently that
>>> hosts are flipping back and forth between Active and Disconnected.
>>>
>>>
>>> Perhaps the manager is too busy? I can't remember the host limit offhand,
>>> but I believe ossec limits the number of agents to a number smaller than
>>> 1000.
>>>
>>>
>>> I've also noticed that not all of the log messages from "Active" hosts
>>> are being received by the Manager.  For example, I have an agent that
>>> generates the same log message every second.  I have debug enabled on the
>>> Agent and I can see logcollector reading each message, but only some of the
>>> messages are received on the Manager (I monitored it for awhile and it's not
>>> that the messages show up later due to network congestion--I don't see the
>>> messages ever being received).  I tried disabling the agent ID checks on
>>> both the Manager and Agent but that didn't have any impact.
>>>
>>>
>>> Ossec will discard some repeated messages. I forget the timeframe offhand
>>> though.
>>>
>>>
>>>
>>> I suspect there is a misconfiguration or limit I am running into on my
>>> Manager running RHEL 7, but I haven't been able to track it down.  I did a
>>> simple netcat test between the same two hosts and there was no lag in
>>> transmissions.
>>>
>>> Any suggestions/thoughts from the community?
>>>
>>>
>>>
>>>
>>> Thanks,
>>> Chris
>>>


Re: [ossec-list] Non standard use case

2016-12-13 Thread Joe Gedeon
Cliftyman,

Have you looked into precompiled OSSEC agents to install on the hosts that
you say you can't install OSSEC agent on? You can build a VM that has the
needed modules to build the agent and then build the OSSEC agent and
install it on the system that doesn't have the make and gcc on them.  Most
of the deployments that I have done for OSSEC agents are done this way so
we aren't installing make and gcc on them.

http://ossec-docs.readthedocs.io/en/latest/manual/installation/installation-binary.html

On Mon, Dec 12, 2016 at 4:01 PM, Cliftyman  wrote:

> I have about 30 hosts that I cannot install the OSSEC agent directly on.
> This is due to dependencies on old turn key servers.  Many of these servers
> don't have make, gcc on them and I can't put them on there (or maybe I just
> don't have the know how to get them on without breaking anything).  I've
> attempted to use RPMs but I still have dependency issues and considering
> these servers don't have direct internet access it makes it very hard to
> resolve dependencies.
>
> Anyway...
>
> I've forwarded the auth logs from these systems to a SYSLOG-NG server that
> I built and I have an OSSEC agent running on this server.  I include the
> log path in the config and my OSSEC agent on the syslog server watches the
> logs just as it would if it were installed locally on the remote machine.
> I essentially have syscheck running on the remote machine (At least for
> auth).
>
> The problem is every time I get an alert it comes from the logserver.  This
> means I can't forward these alerts very easily using the global alerts
> config.  I also send my alerts to Splunk and it blows up my dashboard
> because my logserver has the bulk of the traffic and alerts.
>
> I'm wondering if there is any way to use OSSEC properly in this use case...
> I don't really think agentless works as well since it's only doing file
> integrity checks.  I've kind of gotten spoiled to seeing syscheck running
> on these logs, I just need to find a way to make alerts appear as though
> they are coming from the originating log instead of the syslog server the
> logs are on?
>



-- 
Registered Linux User # 379282



Re: [ossec-list] remoted Dropping Events

2016-12-13 Thread Chris Decker
Victor,

I'm at the point where my agents all have valid keys, so I'm unsure as to 
why I have ~ 750 clients and only ~225 are reported as "active" at any one 
time (all of the machines are alive and well, and generating mountains of 
log data  :)).  I wanted to give tcp communication a shot, but it appears 
that <protocol> isn't valid within the client tag:

2016/12/13 09:05:49 ossec-config(1230): ERROR: Invalid element in the 
configuration: 'protocol'.

2016/12/13 09:05:49 ossec-config(1202): ERROR: Configuration error at 
'/var/ossec/etc/ossec.conf'. Exiting.

2016/12/13 09:05:49 ossec-agentd(1215): ERROR: No client configured. 
Exiting.


The documentation also doesn't make it appear that <protocol> is an option 
there:

http://ossec.github.io/docs/syntax/head_ossec_config.client.html


Is there something I am missing?  



On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>
> Hi,
>
> Agents should send a keepalive every 10 minutes (600 seconds) by default, 
> and this should be enough. But you can lower that time in the agent's 
> ossec.conf:
>
>
> <client>
>   <server-ip>1.2.3.4</server-ip>
>   <notify_time>60</notify_time>
> </client>
>
>
> If you see any agent disconnected, check its ossec.log file.
>
> On the other hand, as Dan says, the manager will discard two identical 
> consecutive messages, so you should generate different messages for the 
> logs (using a random string or the date).
>
> If you think that there could be network congestion, you may try to 
> connect using TCP, adding, at the agent's ossec.conf:
>
> <client>
>   <server-ip>1.2.3.4</server-ip>
>   <protocol>tcp</protocol>
> </client>
>
> And, on the manager's ossec.conf:
>
> <ossec_config>
>   <remote>
>     <connection>secure</connection>
>     <protocol>tcp</protocol>
>   </remote>
> </ossec_config>
>
> Please test it and write back to us if this doesn't solve the problem. All 
> feedback is welcome.
>
> Hope it helps.
> Best regards.
>
>
> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>
>>
>>
>> On Dec 8, 2016 4:41 PM, "Chris Decker"  wrote:
>>
>> All,
>>
>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned 
>> from GitHub) that has about 1k active hosts.  I've noticed recently that 
>> hosts are flipping back and forth between *Active* and *Disconnected*.
>>
>>
>> Perhaps the manager is too busy? I can't remember the host limit offhand, 
>> but I believe ossec limits the number of agents to a number smaller than 
>> 1000.
>>
>>
>> I've also noticed that not all of the log messages from "*Active*" hosts 
>> are being received by the Manager.  For example, I have an agent that 
>> generates the same log message every second.  I have debug enabled on the 
>> Agent and I can see logcollector reading each message, but only *some* 
>> of the messages are received on the Manager (I monitored it for awhile and 
>> it's not that the messages show up later due to network congestion--I don't 
>> see the messages ever being received).  I tried disabling the agent ID 
>> checks on both the Manager and Agent but that didn't have any impact.
>>
>>
>> Ossec will discard some repeated messages. I forget the timeframe offhand 
>> though.
>>
>>
>>
>> I suspect there is a misconfiguration or limit I am running into on my 
>> Manager running RHEL 7, but I haven't been able to track it down.  I did a 
>> simple netcat test between the same two hosts and there was no lag in 
>> transmissions.
>>
>> Any suggestions/thoughts from the community?
>>
>>
>>
>>
>> Thanks,
>> Chris
>>


Re: [ossec-list] Does Ossec support MariaDB?

2016-12-13 Thread dan (ddp)
On Mon, Dec 12, 2016 at 7:35 PM,   wrote:
> Hi,
>
> There hasn't been any action on this topic for over a year but it was never
> answered and I'm running into the same issue.  What libraries is it looking
> for?  Is there somewhere that I can look at, possibly edit the list?  Why
> does it look for particular libraries, couldn't I just specify the type of
> database (MySQL or PostgreSql) that I want to use?
>


I just did a quick test with mariadb and ossec MASTER, and it seems to
work just fine. I didn't do extensive testing though.

root@maria-test:~/src/ossec-hids/src# dpkg --list | grep maria
ii  libmariadbclient-dev      5.5.53-1ubuntu0.14.04.1  amd64  MariaDB database development files
ii  libmariadbclient18:amd64  5.5.53-1ubuntu0.14.04.1  amd64  MariaDB database client library
ii  mariadb-client            5.5.53-1ubuntu0.14.04.1  all    MariaDB database client (metapackage depending on the latest version)
ii  mariadb-client-5.5        5.5.53-1ubuntu0.14.04.1  amd64  MariaDB database client binaries
ii  mariadb-client-core-5.5   5.5.53-1ubuntu0.14.04.1  amd64  MariaDB database core client binaries
ii  mariadb-common            5.5.53-1ubuntu0.14.04.1  all    MariaDB common metapackage
ii  mariadb-server            5.5.53-1ubuntu0.14.04.1  all    MariaDB database server (metapackage depending on the latest version)
ii  mariadb-server-5.5        5.5.53-1ubuntu0.14.04.1  amd64  MariaDB database server binaries
ii  mariadb-server-core-5.5   5.5.53-1ubuntu0.14.04.1  amd64  MariaDB database core server files



A lot of the necessary bits should be in the Makefile after "ifdef DATABASE."



> Natassia
>
> On Tuesday, September 22, 2015 at 7:24:08 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Sat, Sep 19, 2015 at 10:42 AM, Kai Chung Lau 
>> wrote:
>> > I know Ossec supports PostgreSql and Mysql, but since MariaDb is the
>> > drop-in replacement for Mysql, can Ossec also work with Mariadb?
>> >
>> > I have tried recompiling Ossec but it doesn't work.
>> > [root@ju src]# make setdb;
>> >
>> > Error: PostgreSQL client libraries not installed.
>> >
>> > Error: DB libraries not installed.
>> >
>>
>> Perhaps your distro is putting things in places OSSEC doesn't expect?
>> You're not giving us much to go on.
>>


Re: [ossec-list] Does Ossec support MariaDB?

2016-12-13 Thread Eero Volotinen
What Linux distribution are you using?

you should install needed maria-db -devel libraries or mysql-devel
libraries.

Eero

2015-09-19 17:42 GMT+03:00 Kai Chung Lau:

> I know Ossec supports PostgreSql and Mysql, but since MariaDb is the
> drop-in replacement for Mysql, can Ossec also work with Mariadb?
>
> I have tried recompiling Ossec but it doesn't work.
> [root@ju src]# make setdb;
>
> Error: PostgreSQL client libraries not installed.
>
> Error: DB libraries not installed.
>


Re: [ossec-list] Email Alerts on Google Compute Instances

2016-12-13 Thread Eero Volotinen
How about using local postfix for smarthost and configuring relay with it?

--
Eero

2016-12-13 13:37 GMT+02:00 flippery_fish:

> Hi,
>
> Google Compute Engine does not allow outbound connections on ports 25,
> 465, and 587.
>
> As recommended by GCE, I have set up mailjet on 2525 which works fine for
> outbound mail relay.
>
> Is there a way to send the OSSEC email notifications on a specific
> port (i.e. in.mailjet.com:2525 in my case)?
>
> If not, is there a workaround?  Of course I could do something like write
> the OSSEC notifications to a JSON file, parse that and send manually, but was
> hoping to avoid doing that.
>
>
>
>


[ossec-list] Re: Email Alerts on Google Compute Instances

2016-12-13 Thread flippery_fish
OK, typical: I find an answer just as I post. It seems modifying sendmail.c is 
one option that will work for me, albeit I need to be aware of it for upgrades.

Would be good if an option to specify a port could be rolled into a future 
version.



On Tuesday, December 13, 2016 at 11:40:23 AM UTC, flippery_fish wrote:
>
> Hi,
>
> Google Compute Engine does not allow outbound connections on ports 25, 
> 465, and 587.
>
> As recommended by GCE, I have set up mailjet on 2525 which works fine for 
> outbound mail relay.
>
> Is there a way to send the OSSEC email notifications on a specific 
> port (i.e. in.mailjet.com:2525 in my case)?
>
> If not, is there a workaround?  Of course I could do something like write 
> the OSSEC notifications to a JSON file, parse that and send manually, but was 
> hoping to avoid doing that.
>
>  
>  
>



Re: [ossec-list] Email Alerts on Google Compute Instances

2016-12-13 Thread dan (ddp)
On Tue, Dec 13, 2016 at 6:37 AM, flippery_fish  wrote:
> Hi,
>
> Google Compute Engine does not allow outbound connections on ports 25, 465,
> and 587.
>
> As recommended by GCE, I have set up mailjet on 2525 which works fine for
> outbound mail relay.
>
> Is there a way to send the OSSEC email notifications on a specific
> port (i.e. in.mailjet.com:2525 in my case)?
>
> If not, is there a workaround?  Of course I could do something like write
> the OSSEC notifications to a JSON file, parse that and send manually, but was
> hoping to avoid doing that.
>

Modify the source and recompile.

>
>
>


[ossec-list] Email Alerts on Google Compute Instances

2016-12-13 Thread flippery_fish
Hi,

Google Compute Engine does not allow outbound connections on ports 25, 465, 
and 587.

As recommended by GCE, I have set up mailjet on 2525 which works fine for 
outbound mail relay.

Is there a way to send the OSSEC email notifications on a specific 
port (i.e. in.mailjet.com:2525 in my case)?

If not, is there a workaround?  Of course I could do something like write 
the OSSEC notifications to a JSON file, parse that and send manually, but was 
hoping to avoid doing that.

 
 



Re: [ossec-list] Does Ossec support MariaDB?

2016-12-13 Thread Jesus Linares
Hi,

I have not used databases in OSSEC, but you can choose the type in the 
configuration:



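<ossec_config>
    <database_output>
        <hostname>192.168.2.30</hostname>
        <username>ossecuser</username>
        <password>ossecpass</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>
</ossec_config>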



In order to use databases, you must compile OSSEC with database support:
# cd ossec-hids-*
# cd src; make setdb; cd ..
# ./install.sh
# /var/ossec/bin/ossec-control enable database

Also, you can do it with: 
# make TARGET=server DATABASE=mysql install

Documentation:
http://ossec-docs.readthedocs.io/en/latest/manual/output/database-output.html
http://ossec-docs.readthedocs.io/en/latest/manual/output/mysql-database-output.html
http://ossec-docs.readthedocs.io/en/latest/manual/output/pgsql-database-outout.html

I hope it helps.
Regards.


On Tuesday, December 13, 2016 at 1:35:40 AM UTC+1, ste...@uw.edu wrote:
>
> Hi,
>
> There hasn't been any action on this topic for over a year but it was 
> never answered and I'm running into the same issue.  What libraries is it 
> looking for?  Is there somewhere that I can look at, possibly edit the 
> list?  Why does it look for particular libraries, couldn't I just specify 
> the type of database (MySQL or PostgreSql) that I want to use?  
>
> Natassia
>
> On Tuesday, September 22, 2015 at 7:24:08 PM UTC-7, dan (ddpbsd) wrote:
>
>> On Sat, Sep 19, 2015 at 10:42 AM, Kai Chung Lau  
>> wrote: 
>> > I know Ossec supports PostgreSql and Mysql, but since MariaDb is the 
>> > drop-in replacement for Mysql, can Ossec also work with Mariadb? 
>> > 
>> > I have tried recompiling Ossec but it doesn't work. 
>> > [root@ju src]# make setdb; 
>> > 
>> > Error: PostgreSQL client libraries not installed. 
>> > 
>> > Error: DB libraries not installed. 
>> > 
>>
>> Perhaps your distro is putting things in places OSSEC doesn't expect? 
>> You're not giving us much to go on. 
>>