Is it supposed to update the MySQL database in real time?  The only time I
see data in the alert table updated is when I restart the OSSEC service.
When I restart the service it looks like it adds 20 rows each time.

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On
Behalf Of Daniel Cid
Sent: Sunday, November 04, 2007 9:13 PM
To: [email protected]
Subject: [ossec-list] Re: v 1.4


Hi Herb,

Every alert is sent to the database, including integrity checking
events. A quick SQL to get
all files that were changed is (for postgresql):

SELECT to_timestamp(timestamp), rule_id, location.name, full_log
FROM alert, location, data
WHERE location.id = alert.location_id
  AND data.id = alert.id
  AND data.server_id = alert.server_id
  AND (rule_id = 550 OR rule_id = 551 OR rule_id = 552 OR rule_id = 553);

2007-08-28 00:14:29-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/etc/postgresql/8.1/main/pg_hba.conf`
2007-08-28 00:14:35-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/etc/postgresql/8.1/main/postgresql.conf`
2007-08-28 21:47:41-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/var/ossec/etc/internal_options.conf`
2007-08-29 22:23:49-03 | 551 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/var/ossec/etc/ossec.conf`
2007-08-30 06:31:43-03 | 550 | (winhome) 192.168.2.190->syscheck | Integrity checksum changed for: `C:WINDOWS/system32/drivers/etc/hosts`


For MySQL it would be something like:

SELECT FROM_UNIXTIME(timestamp) time, rule_id, location.name location,
       INET_NTOA(src_ip) srcip, full_log
FROM alert, location, data
WHERE location.id = alert.location_id
  AND data.id = alert.id
  AND data.server_id = alert.server_id
  AND rule_id = 550;


Hope it helps.


--
Daniel B. Cid
dcid ( at ) ossec.net

On Oct 30, 2007 5:45 PM, Herb Steck <[EMAIL PROTECTED]> wrote:
>
> I'm glad to see that OSSEC is finally able to log to a MySQL database.  I do
> have a question though.  What all is sent to the database?  I am using OSSEC
> strictly for the HIDS capability.  But it looks like only the log alerts
> like the Windows event logs or syslogs are sent to the database.
>
> What I am really looking for is to be able to create a report of files that
> have changed on each host within the past 24 hours, past week, past 30 days,
> etc.  Was hoping I could pull this information out of the database.  Is this
> data being sent or is it still in the flat log files?
>
> Thanks


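The per-host, per-time-window report Herb asks for can be built on the same alert/location/data join Daniel uses. The following is an added example, not a query from the thread or from the OSSEC project: it assumes the OSSEC 1.4 MySQL schema as used in Daniel's MySQL query (alert.timestamp stored as a Unix epoch integer, location.name carrying the "(agent) ip->syscheck" string, data.full_log holding the alert text), filters on the rule ids 550 to 553 that Daniel's PostgreSQL query selects, and extracts the file path by relying on the "Integrity checksum changed for: `path`" message format visible in the sample output above.

```sql
-- Added example, not part of the original thread.
-- Assumes the OSSEC 1.4 MySQL schema used in Daniel's query:
-- alert.timestamp is a Unix epoch integer, location.name is the
-- "(agent) ip->syscheck" string, data.full_log is the alert text.

-- 1. Per-location list of files reported by syscheck in the last 7 days.
--    The path is cut out of full_log after the last ": " and the
--    surrounding backticks are stripped. This relies on the
--    "Integrity checksum changed for: `path`" format shown in the
--    sample output and needs adjusting if a rule uses different text.
SELECT
    FROM_UNIXTIME(alert.timestamp)                               AS time,
    alert.rule_id,
    location.name                                                AS location,
    TRIM(BOTH '`' FROM SUBSTRING_INDEX(data.full_log, ': ', -1)) AS file
FROM alert
JOIN location ON location.id = alert.location_id
JOIN data     ON data.id = alert.id
             AND data.server_id = alert.server_id
WHERE alert.rule_id IN (550, 551, 552, 553)
  AND alert.timestamp >= UNIX_TIMESTAMP(NOW() - INTERVAL 7 DAY)
ORDER BY location.name, alert.timestamp;

-- 2. Summary: number of syscheck alerts per location in the
--    24 hour / 7 day / 30 day windows, computed in one pass.
--    MySQL evaluates each comparison to 0 or 1, so SUM() counts
--    the rows that fall inside the shorter windows; the outer
--    WHERE already limits the rows to the 30 day window.
SELECT
    location.name                                                   AS location,
    SUM(alert.timestamp >= UNIX_TIMESTAMP(NOW() - INTERVAL 1 DAY))  AS last_24h,
    SUM(alert.timestamp >= UNIX_TIMESTAMP(NOW() - INTERVAL 7 DAY))  AS last_7d,
    COUNT(*)                                                        AS last_30d
FROM alert
JOIN location ON location.id = alert.location_id
WHERE alert.rule_id IN (550, 551, 552, 553)
  AND alert.timestamp >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY)
GROUP BY location.name
ORDER BY last_24h DESC, location.name;
```

Each alert is one row, so a file that changed several times in the window appears once per change in the first query; to collapse that to one line per file with the time of its latest change, group by location.name and the extracted file column and take MAX(alert.timestamp). The timestamps are compared as epoch integers on purpose: wrapping alert.timestamp in FROM_UNIXTIME() inside the WHERE clause would defeat any index on that column.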