Overview
OSSEC is an excellent host-based IDS, but its alerts deserve a cleaner presentation than the stock ossec-wui provides. Other IDS engines such as Snort and Sagan have polished front ends like Snorby, while many system administrators struggle with OSSEC because the default interface is sparse and not very informative. Fortunately someone addressed this gap with AnaLogi; thanks to Andy, the author of the project.
Install AnaLogi, the best-looking OSSEC web user interface, on CentOS, RHEL, Debian and Ubuntu
To use AnaLogi, the alerts must be written to a database rather than only to OSSEC's alert log file. This step is simple whether you already have a working setup or are starting a fresh install; first decide which database you are going to use. OSSEC currently supports MySQL and PostgreSQL. This post assumes MySQL; for PostgreSQL, install the PostgreSQL client libraries and server packages instead of the MySQL ones.
On Debian, Ubuntu system
$ sudo su -
# apt-get install mysql-server build-essential libmysqlclient15-dev
(On newer Debian and Ubuntu releases the client headers package is named libmysqlclient-dev.)
On CentOS/RHEL, Fedora
# yum install mysql-devel mysql-server mysql gcc gcc-c++ make autoconf automake
Download the OSSEC 2.7 source tarball, then unpack it and build it with database support
# tar -zxvf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7/src
# make setdb
# cd ..
Create a new database to store the OSSEC alerts and load the schema from the file shipped with the installer. Choose your own password in place of the one shown. Granting to 'ossecuser'@'localhost' rather than to a bare user name (which MySQL treats as 'ossecuser'@'%') keeps the account from being usable over the network; ossec-dbd runs on the same host, so localhost is all it needs.
# mysql -u root -p
mysql> create database ossec;
mysql> grant all privileges on ossec.* to 'ossecuser'@'localhost' identified by '[email protected]';
mysql> flush privileges;
mysql> quit
# mysql -u root -p ossec < ossec-hids-2.7/src/os_dbd/mysql.schema
Execute install.sh from the ossec-hids-2.7 directory. If OSSEC is already installed, the script updates the binaries in place and does not change the settings in your local configuration files; even so, always back up the /var/ossec directory before continuing.
# ./install.sh
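Before the database daemon is enabled it needs to know where to connect. ossec-dbd reads its connection settings from a database_output section in /var/ossec/etc/ossec.conf, a step the post does not show. The block below is an added example, not text from the original post: the host, user name and database name match the values used on this page, and the password is a placeholder to replace with the one you chose when creating the user.

```xml
<!-- Added example: append to /var/ossec/etc/ossec.conf.
     OSSEC accepts more than one <ossec_config> element in the file, so this
     can be appended as its own block. Replace CHANGE-ME with the real password;
     the other values match the user and database created above. -->
<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossecuser</username>
    <password>CHANGE-ME</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
```

Because the file now carries a plaintext database password, make sure ossec.conf stays readable only by root and the ossec group, and do not copy it into world-readable backups or configuration management repositories without protecting the secret.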
Next, enable the database daemon and restart OSSEC for the change to take effect.
# /var/ossec/bin/ossec-control enable database
# /var/ossec/bin/ossec-control restart
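Before installing the web front end it is worth confirming that ossec-dbd is actually inserting rows, so that an empty AnaLogi dashboard later is not mistaken for a UI problem. The queries below are an added example, not part of the original post; the table and column names are taken from the mysql.schema file imported above (alert, signature and location), and the one-hour window and level threshold are arbitrary values chosen for illustration.

```sql
-- Added example: run as the ossec user, e.g.  mysql -u ossecuser -p ossec
-- Table and column names follow the OSSEC 2.7 mysql.schema imported above.

-- 1. Are rows arriving at all? Count alerts from the last hour
--    (alert.timestamp is a Unix epoch, so compare against UNIX_TIMESTAMP()).
SELECT COUNT(*) AS alerts_last_hour
FROM alert
WHERE timestamp > UNIX_TIMESTAMP() - 3600;

-- 2. Show the most recent higher-severity alerts the way AnaLogi presents them:
--    time, rule level and description, the log source and the source address.
--    The level threshold (7) is an arbitrary illustration value.
SELECT FROM_UNIXTIME(a.timestamp) AS alert_time,
       s.level,
       a.rule_id,
       s.description,
       l.name AS location,
       a.src_ip
FROM alert a
JOIN signature s ON s.rule_id = a.rule_id
JOIN location  l ON l.id = a.location_id
WHERE s.level >= 7
ORDER BY a.timestamp DESC
LIMIT 20;
```

If the first query stays at zero after a restart, check /var/ossec/logs/ossec.log for ossec-dbd connection errors (wrong password, or a user granted on a host other than localhost) before touching the web interface.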
Download the AnaLogi web UI for OSSEC.
# cd /var/www/
# wget https://github.com/downloads/ECSC/analogi/AnaLogi_v1.3.zip
# unzip AnaLogi_v1.3.zip
# mv ECSC-analogi-a1cd5e3 ossecui
On CentOS, RHEL
# chown -R apache:apache ossecui
On Debian or Ubuntu
# chown -R www-data:www-data ossecui
Open the db_ossec.php file
# vi /var/www/ossecui/db_ossec.php
Set the database name, user name and password created above for OSSEC (substitute the password you actually chose for the value shown).
define ('DB_USER_O', 'ossecuser');
define ('DB_PASSWORD_O', '[email protected]');
define ('DB_HOST_O', '127.0.0.1');
define ('DB_NAME_O', 'ossec');
Create a vhost entry
On RHEL, CentOS
# vi /etc/httpd/conf/httpd.conf
On Debian, Ubuntu
# vi /etc/apache2/sites-enabled/000-default
Append the following to it (on Debian and Ubuntu, where Apache has no logs/ directory relative to its ServerRoot, write the two log paths as ${APACHE_LOG_DIR}/ossec-err-error_log and ${APACHE_LOG_DIR}/ossec-access-access_log)
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/ossecui
    ServerName ossec.linuxdrops.com
    ErrorLog logs/ossec-err-error_log
    CustomLog logs/ossec-access-access_log common
    <Directory /var/www/ossecui>
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>
Note that "Allow from all" lets anyone who can reach port 80 read your alert data, which describes your hosts, users and attacks in detail; restrict access to the dashboard (Apache authentication, an IP allow-list, or both) and put it behind HTTPS before exposing it beyond a trusted network.
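A tighter version of the same vhost, as an added example rather than configuration from the original post: it keeps the page's Apache 2.2 syntax (Order/Allow/Deny), limits the dashboard to one network and to authenticated users, disables directory listings, and refuses direct HTTP requests for db_ossec.php so the database credentials file is never served even if PHP handling is ever misconfigured. The htpasswd file path and the 10.0.0.0/8 management network are assumptions; replace them with your own. On Apache 2.4 the Order/Allow/Deny lines become Require ip 10.0.0.0/8 and Require all denied respectively.

```apacheconf
# Added example: hardened vhost for the AnaLogi directory (Apache 2.2 syntax).
# Assumptions, not from the original post: the htpasswd path and the
# 10.0.0.0/8 network. Create the password file first, e.g.
#   htpasswd -c /etc/httpd/ossecui.htpasswd analyst
<VirtualHost *:80>
    ServerName ossec.linuxdrops.com
    DocumentRoot /var/www/ossecui
    ErrorLog logs/ossec-err-error_log
    CustomLog logs/ossec-access-access_log common

    <Directory /var/www/ossecui>
        # No directory listings, no content negotiation surprises,
        # and no .htaccess overrides from the unpacked archive.
        Options -Indexes -MultiViews
        AllowOverride None

        # Only the management network may connect ...
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8

        # ... and every request must carry valid credentials.
        AuthType Basic
        AuthName "OSSEC alerts"
        AuthUserFile /etc/httpd/ossecui.htpasswd
        Require valid-user
    </Directory>

    # Never answer a direct request for the credentials file. AnaLogi still
    # reads it through PHP include(), which goes to disk, not through HTTP.
    <Files "db_ossec.php">
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>
```

Basic authentication sends the password with every request, so this only protects the dashboard when the vhost is served over HTTPS; with plain HTTP, the IP allow-list is doing most of the work.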
Restart apache
On Debian, Ubuntu
# /etc/init.d/apache2 restart
On RHEL, CentOS
# /etc/init.d/httpd restart
Point your browser to
http://ipaddress-or-domainname
Some screenshots are shown below.