I have been using OSSEC for a while now, but I always used only plain text logs. While this is not bad, it does not scale really well, so I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 has just been released, it gave me an excuse to play with it again.
You will need to enable MySQL support in OSSEC (it is not enabled by default): grab the source, then do the following. Note that if you are upgrading an existing installation, you might want to save the registered client keys; the file to back up is /var/ossec/etc/client.keys
After you have completed the installation, you need to configure your MySQL server. I followed the official documentation to do it; here is my rundown of it:
Now you just need to edit /var/ossec/etc/ossec.conf and add a new section within the config:
Finally, enable the MySQL output and restart the service:
Analogi is a web interface replacement for ossec-wui, which is now very dated and spits out too many false positives. To install Analogi, go to the main project page and clone it using git:
It is up to you to protect that folder on your web server, as exposing it carries real security risks. I am using NGINX, so here is my setup:
You then need to rename the config file and change the SQL information.
You should now be able to see information gathered from the different clients, stored in MySQL and displayed through Analogi.
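As an added illustration (not the author's own configuration, which is not reproduced here), this is the shape of the database_output section that OSSEC expects in /var/ossec/etc/ossec.conf; the hostname, user, password and database name are placeholders to replace with the values you created on the MySQL server:

```xml
<ossec_config>
  <!-- Added example, not the original post's snippet. Values below are placeholders. -->
  <database_output>
    <!-- MySQL server reachable from the OSSEC manager -->
    <hostname>db.example.internal</hostname>
    <!-- Account that was granted INSERT/SELECT/UPDATE/CREATE/DELETE/EXECUTE on the ossec database -->
    <username>ossecuser</username>
    <password>CHANGE_ME</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
```

Because this section stores the database password in clear text, keep ossec.conf readable only by root and the ossec group (mode 640), and grant the MySQL account access only from the manager's address rather than from any host.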
Source: www.frlinux.eu