Configuring database output

It's possible to configure Wazuh to output the alerts into a database. To do this, users must compile Wazuh with the database type that users want to use.

At this moment, MySQL and PostgreSQL databases are supported.

In this section, users will find instructions to configure the database output for any of the database systems previously mentioned.

Note

This tutorial assumes that the user has already installed MySQL or PostgreSQL and knows how to create the users and the databases. If it is needed instructions to install them on the users' host, please find some tutorials for the main distributions at the end of this page.

Prerequisites

To enable the database output, it is needed to install the development libraries for the database system that users want to configure.

  1. For MySQL:

# yum install mysql-devel
  1. For PostgreSQL:

# yum install postgresql-devel

Installation

As previously mentioned, the database output can be enabled when compiling Wazuh with the database type to use. On the sources installation guide, users must pre-compile the source code before running the install.sh script.

Execute the following command before step 3 from the installation guide:

# cd wazuh-4.7.5/src
# make deps && make TARGET=server DATABASE=<mysql/pgsql>

To indicate what kind of database users will use, users need the DATABASE flag. The allowed values are mysql or pgsql.

The compilation process might take some time. After finishing this process, please continue with the sources' installation guide. Now Wazuh will be installed with database support, but we must enable manually the feature after configuring it.

Database configuration

Now that we have Wazuh installed with database support, we need to set up the database server. We'll create a new database, set up the database user, and add the schema (located in the src/os_dbd directory of the source code) with the following commands, according to your database system:

For MySQL:

# mysql -u root -p
mysql> CREATE DATABASE Alerts_DB;
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER 'MySQLadmin'@'<MANAGER_IP>' IDENTIFIED BY 'secret1234';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on Alerts_DB.* to 'MySQLadmin'@'<MANAGER_IP>';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> quit;
# mysql -u root -p Alerts_DB < src/os_dbd/mysql.schema

For PostgreSQL:

# sudo -u postgres createuser -P PostgreSQLadmin

# sudo -u postgres createdb -O PostgreSQLadmin Alerts_DB

# psql -U PostgreSQLadmin -d Alerts_DB -f src/os_dbd/postgresql.schema

Wazuh configuration

In order for Wazuh to output alerts and other data into the database, the users must add a <database_output> section on the configuration file, located at /var/ossec/etc/ossec.conf. Fill in the block with the right database name and credentials. The hostname must be the IP address of the database server.

For MySQL:

<database_output>
  <hostname>192.168.1.122</hostname>
  <username>MySQLadmin</username>
  <password>secret1234</password>
  <database>Alerts_DB</database>
  <type>mysql</type>
</database_output>

For PostgreSQL:

<database_output>
  <hostname>192.168.1.122</hostname>
  <username>PostgreSQLadmin</username>
  <password>secret1234</password>
  <database>Alerts_DB</database>
  <type>postgresql</type>
</database_output>

Find here the complete configuration reference for <database_output>.

Last steps

The setup process for the database output is finished. Now the only thing left is to restart the Wazuh manager:

# systemctl restart wazuh-manager

Now the database will start being filled with data provided by the manager.