02/10/2014

Setup OSSEC with mySQL and AnaLogi in CentOS 6

Setting up OSSEC with mySQL and AnaLogi lets you perform log analysis, file integrity checking, policy monitoring and rootkit detection. OSSEC is an open source host-based intrusion detection system.

OSSEC runs on different systems (Windows, Linux, Mac, …); the collected data can be stored in a mySQL database and reports can be displayed through the AnaLogi web GUI.

Prerequisites

Starting from the CentOS 6.4 minimal installation, this procedure relies on three main packages:

    1. mySQL v5.x database
    2. OSSEC v2.7 log analyzer
    3. AnaLogi v1.3 ossec-wui

Install mySQL

Update the system and install mySQL packages and compilers.

# yum update
# yum install mysql-devel mysql-server gcc make

To work properly, SELinux must be disabled. Edit the SELinux configuration file:

# vi /etc/selinux/config

Enable mySQL to start during system boot and start the service.

# chkconfig mysqld on
# service mysqld start

Secure mySQL by running the following command.

# /usr/bin/mysql_secure_installation

Install Ossec and create mySQL db

Download the OSSEC package with wget and extract the archive.

# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
# tar -vxzf ossec-hids-2.7.tar.gz

Because database support is disabled by default, enable mySQL in the OSSEC build.

# cd ossec-hids-2.7/src
# make setdb

Create a new mySQL database to save OSSEC alerts.

# mysql -u root -p

mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('password');
mysql> flush privileges;
mysql> quit

Import the schema for the new database from the os_dbd directory of the OSSEC source tree (ossec-hids-2.7/src/os_dbd/). The previous step left you in ossec-hids-2.7/src, so the path is relative to it.

# cd os_dbd
# mysql -u root -p ossec < mysql.schema

Now proceed with the OSSEC installation by executing the file install.sh. It lives in the top-level directory of the extracted source tree (ossec-hids-2.7/), two levels above os_dbd.

# cd ../..
# ./install.sh

Press ENTER to start the configuration process.

After you press ENTER, the installer compiles and installs OSSEC on the computer.

If everything goes smoothly, the installation finishes without any warning or error.

If OSSEC runs behind a firewall, communication with the agents occurs on UDP port 1454, which must be allowed through.

It’s now time to set the mySQL parameters in the OSSEC configuration. Edit the file ossec.conf.

# vi /var/ossec/etc/ossec.conf

Add the lines that define the database connection (hostname, username, password, database name and database type):

As the last step, enable the database output and restart the service.

# /var/ossec/bin/ossec-control enable database
# /var/ossec/bin/ossec-control restart
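
The configuration lines themselves were only in a screenshot of the original post. As an added example (not code from the original post or from the OSSEC project), the shell helper below renders the database_output block that ossec.conf uses for MySQL output and appends it just before the closing ossec_config tag, but only if no such block exists yet, so the step can be re-run safely. The hostname, username and database values mirror the steps above; the password is a placeholder to replace, and the file path and function names are assumptions of this example. The credentials written here belong to the account ossec-dbd inserts with; AnaLogi only reads, so db_ossec.php can point at a separate SELECT-only account if you prefer.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original post or the OSSEC
# project). Renders the <database_output> block used by OSSEC 2.x for MySQL
# output and appends it to an ossec.conf only if it is not already present.
# Assumed values (constructed to match the steps above): host 127.0.0.1,
# user ossec, database ossec; the password argument is a placeholder.

# render_database_output HOST USER PASSWORD DATABASE -> XML block on stdout
# (XML-special characters such as < or & in the password would need escaping)
render_database_output() {
    cat <<EOF
  <database_output>
    <hostname>$1</hostname>
    <username>$2</username>
    <password>$3</password>
    <database>$4</database>
    <type>mysql</type>
  </database_output>
EOF
}

# has_database_output FILE -> 0 when FILE already carries a database_output block
has_database_output() {
    grep -q '<database_output>' "$1"
}

# add_database_output FILE HOST USER PASSWORD DATABASE
# Inserts the block before the first </ossec_config> closing tag; a second run
# is a no-op, so the configuration never ends up with two output definitions.
add_database_output() {
    cf=$1; shift
    if has_database_output "$cf"; then
        echo "database_output already present in $cf, nothing to do" >&2
        return 0
    fi
    blk=$(mktemp)
    render_database_output "$@" > "$blk"
    awk -v blk="$blk" '
        /<\/ossec_config>/ && !inserted {
            while ((getline line < blk) > 0) print line
            inserted = 1
        }
        { print }
    ' "$cf" > "$cf.new" && mv "$cf.new" "$cf"
    rm -f "$blk"
}

# Usage: sh add-db-output.sh --apply 'CHANGE_ME'   (password as the only argument)
if [ "${1:-}" = "--apply" ]; then
    add_database_output /var/ossec/etc/ossec.conf 127.0.0.1 ossec "${2:-CHANGE_ME}" ossec
fi
```

After applying it, keep ossec.conf readable only by root and the ossec group, since the database password is stored in clear text, and run the ossec-control commands above to activate the output.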

Install AnaLogi web interface

AnaLogi is a PHP web interface for OSSEC that replaces the outdated ossec-wui, so Apache and PHP must be installed on the system.

# yum install httpd php php-mysql mod_ssl

Enable Apache to start during system boot and start the service.

# chkconfig httpd on
# service httpd restart

Because AnaLogi is distributed through a git repository, install the git package to retrieve the files from the website.

# yum install git-core

Once git is installed, download the AnaLogi package with the git clone command.

# cd /var/www/html
# git clone https://github.com/ECSC/analogi.git

Assign ownership of the AnaLogi directory to the apache user.

# chown apache:apache analogi -R

Rename the configuration file.

# cd /var/www/html/analogi
# mv db_ossec.php.new db_ossec.php

Edit the db_ossec.php file and amend the SQL parameters to reflect your installation.

# vi db_ossec.php

If you want to create a virtual host, edit the Apache configuration file and add the virtual host definition:

# vi /etc/httpd/conf/httpd.conf

Restart Apache.

# service httpd restart

Open your browser and enter one of the following URLs:

http://ip_address

https://ip_address/analogi

If the AnaLogi dashboard loads, the OSSEC server is working properly.

The OSSEC server is now fully functional; the last step is to create agents for your clients.

Troubleshooting

Over time, the data stored in the database makes the database itself quite large. Two files in particular grow: data.MYD and alert.MYD (the OSSEC schema names the table alert, singular).

Check the files size with command:

# cd /var/lib/mysql/ossec/
# du -h *

If the size is too big, there are two steps to perform:

  1. database backup
  2. tables truncate

Once the backup is done, type the following commands from the console:

# mysql -u root -p

mysql> show databases;
mysql> use ossec;
mysql> truncate table data;
mysql> truncate table alert;
mysql> quit;

The file sizes are now smaller.
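
Truncating both tables discards every alert the database holds, so the backup step is the one that matters. As an added example (not code from the original post), the script below automates the two steps in the right order: it dumps the ossec database with mysqldump, refuses to go on unless the compressed dump verifies as an intact gzip stream of plausible size, and only then runs the two TRUNCATE statements from the steps above. The backup directory, the minimum dump size, the MYSQL_USER variable and the function names are assumptions of this example; mysql and mysqldump are expected to pick up credentials from ~/.my.cnf or MYSQL_PWD.

```shell
#!/bin/sh
# Added example, not from the original post: back up the ossec database, verify
# the dump, and only then truncate the alert and data tables.
# Assumptions (hypothetical): mysql/mysqldump on the PATH, credentials supplied
# through ~/.my.cnf or MYSQL_PWD for MYSQL_USER, dumps kept under BACKUP_DIR.

BACKUP_DIR=${BACKUP_DIR:-/var/backups/ossec}
MYSQL_USER=${MYSQL_USER:-root}
MIN_DUMP_BYTES=${MIN_DUMP_BYTES:-1024}   # even an empty schema dumps to more than 1 KiB

# dump_path DB STAMP -> full path of the compressed dump for this run
dump_path() {
    printf '%s/%s-%s.sql.gz' "$BACKUP_DIR" "$1" "$2"
}

# dump_ok FILE -> 0 only if FILE is non-empty, a valid gzip stream and at least
# MIN_DUMP_BYTES long; anything else means the backup must not be trusted
dump_ok() {
    [ -s "$1" ] || return 1
    gzip -t "$1" 2>/dev/null || return 1
    [ "$(wc -c < "$1")" -ge "$MIN_DUMP_BYTES" ]
}

# backup_then_truncate DB -> dump, verify, then truncate alert and data
backup_then_truncate() {
    db=$1
    mkdir -p "$BACKUP_DIR"
    out=$(dump_path "$db" "$(date +%Y%m%d-%H%M%S)")
    raw=${out%.gz}
    # write the plain dump first so a mysqldump failure is not hidden by a pipe
    if ! mysqldump -u "$MYSQL_USER" "$db" > "$raw"; then
        rm -f "$raw"
        echo "mysqldump failed, leaving $db untouched" >&2
        return 1
    fi
    gzip -f "$raw"
    if ! dump_ok "$out"; then
        echo "dump $out failed verification, leaving $db untouched" >&2
        return 1
    fi
    echo "backup written to $out, truncating alert and data" >&2
    mysql -u "$MYSQL_USER" "$db" -e 'TRUNCATE TABLE data; TRUNCATE TABLE alert;'
}

# Usage: sh ossec-db-rotate.sh --run ossec
if [ "${1:-}" = "--run" ]; then
    backup_then_truncate "${2:-ossec}"
fi
```

Run it from cron if the database fills up on a schedule; the dump files under BACKUP_DIR hold the database password's data, not the password itself, but they still contain every alert, so restrict their permissions as you would the logs under /var/ossec/logs.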

Delete the integrity history and the alerts.

Stop OSSEC service:

# service ossec stop

Clear the file integrity history:

# /var/ossec/bin/syscheck_update -a

Delete all alerts removing the whole /var/ossec/logs/alerts/* directory:

# rm -rf /var/ossec/logs/alerts/*

Start OSSEC service:

# service ossec start

About Paolo Valsecchi

IT Systems Administrator | I mainly work on the implementation and management of IT services based on the VMware vSphere virtual platform with Microsoft Windows/Active Directory and Linux (Red Hat, CentOS) systems. VCP5-DCV, PernixPro.

4 comments

  1. Abhishek Rana

    All my configurations are correct but it is still showing an error in installation. Why so??

  2. Abhishek Rana

    It's showing an error in the last when installing OSSEC from ./install.sh

    or from step as you said in this nice post…
    “If everything goes smoothly, the installation finishes without any warning or error.”

    So, should I reinstall?? Or switch to ASL?? :| ..

    • I installed OSSEC using this guide and he made a mistake in telling where the install.sh file is.
      Before running ./install.sh you have to do this:

      1. # cd ossec-hids-2.7
      2. # bash install.sh
