Install the coolest of all AnaLogi OSSEC web user interface on CentOS, RHEL, Debian, Ubuntu

Overview

OSSEC is a great IDS tool, but you would agree that its alerts need to be presented in a nicer, cleaner way; the default ossecwui just does not cut it. Other IDS systems such as Snort and Sagan have very nice looking interfaces like Snorby. Many system administrators struggle with OSSEC because the default interface is not very informative and is dead plain simple. Luckily someone thought about it and came up with AnaLogi; thanks to Andy, the guy behind the project.


To use AnaLogi, the alerts first need to be pushed to a database instead of OSSEC just writing them to a file. This step is very simple whether you have a working setup or are just starting a fresh install; first you have to decide which type of database you are going to use. Currently OSSEC supports MySQL and PostgreSQL. This post assumes you will use MySQL; for PostgreSQL, install the PostgreSQL client libraries and server packages instead of the MySQL ones.

On Debian or Ubuntu systems


$ sudo su -
# apt-get install mysql-server build-essential libmysqlclient15-dev

On CentOS/RHEL, Fedora


# yum install mysql-devel mysql-server mysql gcc gcc-c++ autoconf automake

Download the OSSEC source and prepare it for database logging


# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
# tar -zxvf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7/src
# make setdb
# cd ..

Create a new database to store the OSSEC alerts and load its schema from the schema file shipped with the installer.


# mysql -u root -p

mysql> create database ossec;
mysql> grant all privileges on ossec.* to 'ossecuser' identified by 'ossec@123';
mysql> flush privileges;
mysql> quit

# mysql -u root -p ossec < ossec-hids-2.7/src/os_dbd/mysql.schema

Execute install.sh. If OSSEC is already running, the script will update the binaries. The script will not change any of the settings you made in the local configuration files, but always take a backup of the ossec directory before continuing.


# ./install.sh

Next, enable the database daemon and restart OSSEC for the changes to take effect.


# /var/ossec/bin/ossec-control enable database
# /var/ossec/bin/ossec-control restart
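The database daemon only knows where to write if /var/ossec/etc/ossec.conf also carries a database_output block. The block below is an added example and is not part of the original post; it reuses the database, user and password created above and assumes MySQL is running on the same host as OSSEC:

```xml
<ossec_config>
  <database_output>
    <!-- Assumed: MySQL listens locally, same value used for DB_HOST_O later -->
    <hostname>127.0.0.1</hostname>
    <!-- Database, user and password from the GRANT statement above -->
    <username>ossecuser</username>
    <password>ossec@123</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
```

Place the database_output element inside the existing ossec_config element rather than adding a second root element, then restart; ossec-control status should now list ossec-dbd as running.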

Download the AnaLogi web UI for OSSEC.


# cd /var/www/
# wget https://github.com/downloads/ECSC/analogi/AnaLogi_v1.3.zip
# unzip AnaLogi_v1.3.zip
# mv ECSC-analogi-a1cd5e3 ossecui

On CentOS, RHEL


# chown apache.apache ossecui

On Debian or Ubuntu


# chown www-data.www-data ossecui

Open the db_ossec.php file


# vi /var/www/ossecui/db_ossec.php

Set the database name, user name and password created above for OSSEC:


define ('DB_USER_O', 'ossecuser');
define ('DB_PASSWORD_O', 'ossec@123');
define ('DB_HOST_O', '127.0.0.1');
define ('DB_NAME_O', 'ossec');

Create a vhost entry
On RHEL, CentOS


# vi /etc/httpd/conf/httpd.conf

On Debian, Ubuntu


# vi /etc/apache2/sites-enabled/000-default

Append the following to it


<VirtualHost *:80>
    ServerAdmin admin@linuxdrops.com
    DocumentRoot /var/www/ossecui
    ServerName ossec.linuxdrops.com
    ErrorLog logs/ossec-err-error_log
    CustomLog logs/ossec-access-access_log common
    <Directory /var/www/ossecui>
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>

Restart Apache
On Debian, Ubuntu


# /etc/init.d/apache2 restart

On RHEL, CentOS


# /etc/init.d/httpd restart

Point your browser to

http://ipaddress-or-domainname

[Screenshots of the AnaLogi OSSEC web interface]