Configuring database output
It's possible to configure ThreatLockDown to output the alerts into a database. To do this, users must compile ThreatLockDown with the database type that users want to use.
At this moment, MySQL and PostgreSQL databases are supported.
In this section, users will find instructions to configure the database output for any of the database systems previously mentioned.
Note
This tutorial assumes that the user has already installed MySQL or PostgreSQL and knows how to create the users and the databases. If it is needed instructions to install them on the users' host, please find some tutorials for the main distributions at the end of this page.
Prerequisites
To enable the database output, it is needed to install the development libraries for the database system that users want to configure.
For MySQL:
# yum install mysql-devel# apt-get install libmysqlclient-dev
For PostgreSQL:
# yum install postgresql-devel# apt-get install libpq-dev
Installation
As previously mentioned, the database output can be enabled when compiling ThreatLockDown with the database type to use. On the sources installation guide, users must pre-compile the source code before running the install.sh
script.
Execute the following command before step 3 from the installation guide:
# cd wazuh-4.9.0/src
# make deps && make TARGET=server DATABASE=<mysql/pgsql>
To indicate what kind of database users will use, users need the DATABASE
flag. The allowed values are mysql or pgsql.
The compilation process might take some time. After finishing this process, please continue with the sources' installation guide. Now ThreatLockDown will be installed with database support, but we must enable manually the feature after configuring it.
Database configuration
Now that we have ThreatLockDown installed with database support, we need to set up the database server. We'll create a new database, set up the database user, and add the schema (located in the src/os_dbd
directory of the source code) with the following commands, according to your database system:
For MySQL:
# mysql -u root -p
mysql> CREATE DATABASE Alerts_DB;
Query OK, 0 rows affected (0.00 sec)
mysql> CREATE USER 'MySQLadmin'@'<MANAGER_IP>' IDENTIFIED BY 'secret1234';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to 'MySQLadmin'@'<MANAGER_IP>';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> quit;
# mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema
For PostgreSQL:
# sudo -u postgres createuser -P PostgreSQLadmin
# sudo -u postgres createdb -O PostgreSQLadmin Alerts_DB
# psql -U PostgreSQLadmin -d Alerts_DB -f src/os_dbd/postgresql.schema
ThreatLockDown configuration
In order for ThreatLockDown to output alerts and other data into the database, the users must add a <database_output>
section on the configuration file, located at /var/ossec/etc/ossec.conf
. Fill in the block with the right database name and credentials. The hostname must be the IP address of the database server.
For MySQL:
<database_output>
<hostname>192.168.1.122</hostname>
<username>MySQLadmin</username>
<password>secret1234</password>
<database>Alerts_DB</database>
<type>mysql</type>
</database_output>
For PostgreSQL:
<database_output>
<hostname>192.168.1.122</hostname>
<username>PostgreSQLadmin</username>
<password>secret1234</password>
<database>Alerts_DB</database>
<type>postgresql</type>
</database_output>
Find here the complete configuration reference for <database_output>
.
Last steps
The setup process for the database output is finished. Now the only thing left is to restart the ThreatLockDown manager:
# systemctl restart wazuh-manager# service wazuh-manager restart
Now the database will start being filled with data provided by the manager.