It’s possible to configure Wazuh to output the alerts into a database. To do this, you must compile Wazuh with the database type that you want to use.
In this section, you’ll find instructions to configure the database output for any of the database systems previously mentioned.
This tutorial assumes that the user has already installed MySQL or PostgreSQL. If you need instructions to install them on your host, please find some tutorials for the main distributions at the end of this page.
To enable the database output, you must install the development libraries for the database system that you want to configure.
As previously mentioned, the database output can be enabled when compiling Wazuh with the database type to use. On the sources installation guide, you must pre-compile the source code before running the
Execute the following command before step 3 from the installation guide:
# cd wazuh-*/src # make deps && make TARGET=server DATABASE=<mysql/pgsql>
To indicate what kind of database you’ll use, you need the
DATABASE flag. The allowed values are mysql or pgsql.
The compilation process might take some time. After finishing this process, please continue with the sources installation guide. Now Wazuh will be installed with database support, but we must enable manually the feature after configuring it.
Now that we have Wazuh installed with database support, we need to set up the database server. We’ll create a new database, set up the database user and add the schema (located in the
src/os_dbd directory of the source code) with the following commands, according to your database system:
# mysql -u root -p mysql> CREATE DATABASE Alerts_DB; Query OK, 0 rows affected (0.00 sec) mysql> CREATE USER 'MySQLadmin'@'<MANAGER_IP>' IDENTIFIED BY 'secret1234'; Query OK, 0 rows affected (0.00 sec) mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to 'MySQLadmin'@'<MANAGER_IP>'; Query OK, 0 rows affected (0.00 sec) mysql> FLUSH PRIVILEGES; Query OK, 0 rows affected (0.00 sec) mysql> quit; # mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema
# sudo -u postgres createuser -P PostgreSQLadmin # sudo -u postgres createdb -O PostgreSQLadmin Alerts_DB # psql -U PostgreSQLadmin -d Alerts_DB -f src/os_dbd/postgresql.schema
In order for Wazuh to output alerts and other data into the database, you must add a
<database_output> section on the configuration file, located at
/var/ossec/etc/ossec.conf. Fill in the block with the right database name and credentials. The hostname must be the IP address of the database server.
<database_output> <hostname>192.168.1.122</hostname> <username>MySQLadmin</username> <password>secret1234</password> <database>Alerts_DB</database> <type>mysql</type> </database_output>
<database_output> <hostname>192.168.1.122</hostname> <username>PostgreSQLadmin</username> <password>secret1234</password> <database>Alerts_DB</database> <type>postgresql</type> </database_output>
Find here the complete configuration reference for
The setup process for the database output is finished. Now the only thing left is to enable this feature on the Wazuh manager and restart it. To do so, follow these steps:
ossec-dbddaemon to activate the database output feature:
# /var/ossec/bin/ossec-control enable database
Restart the Wazuh manager:
For Systemd:# systemctl retart wazuh-manager
For SysV Init:# service wazuh-manager restart
Now the database will start being filled with data provided by the manager.
The scope of this documentation doesn’t include instructions for installing a database server, but below you can find some useful tutorials if you need to learn how to do it:
MariaDB is a community-driven version of MySQL, and it’s also valid for this tutorial.