Is it supposed to update the MySQL database in real time? The only time I see data in the alert table updated is when I restart the ossec service. When I restart the service, it looks like it adds 20 rows each time.
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Cid
Sent: Sunday, November 04, 2007 9:13 PM
To: [email protected]
Subject: [ossec-list] Re: v 1.4

Hi Herb,

Every alert is sent to the database, including integrity checking events. A quick SQL to get all files that were changed is (for postgresql):

SELECT to_timestamp(timestamp), rule_id, location.name, full_log
FROM alert, location, data
WHERE location.id = alert.location_id
  AND data.id = alert.id
  AND data.server_id = alert.server_id
  AND rule_id IN (550, 551, 552, 553);

2007-08-28 00:14:29-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: '/etc/postgresql/8.1/main/pg_hba.conf'
2007-08-28 00:14:35-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: '/etc/postgresql/8.1/main/postgresql.conf'
2007-08-28 21:47:41-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: '/var/ossec/etc/internal_options.conf'
2007-08-29 22:23:49-03 | 551 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: '/var/ossec/etc/ossec.conf'
2007-08-30 06:31:43-03 | 550 | (winhome) 192.168.2.190->syscheck | Integrity checksum changed for: 'C:\WINDOWS/system32/drivers/etc/hosts'

For MySQL it would be something like:

SELECT FROM_UNIXTIME(timestamp) time, rule_id, location.name location, INET_NTOA(src_ip) srcip, full_log
FROM alert, location, data
WHERE location.id = alert.location_id
  AND data.id = alert.id
  AND data.server_id = alert.server_id
  AND rule_id = 550;

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Oct 30, 2007 5:45 PM, Herb Steck <[EMAIL PROTECTED]> wrote:
>
> I'm glad to see that Ossec is finally able to log to a mysql database. I do
> have a question though. What all is sent to the database? I am using Ossec
> strictly for the hids capability. But it looks like only the log alerts
> like the windows event logs or syslogs are sent to the database.
>
> What I am really looking for is to be able to create a report of files that
> have changed on each host within the past 24 hours, past week, past 30 days,
> etc. Was hoping I could pull this information out of the database. Is this
> data being sent or is it still in the flat log files?
>
> Thanks
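The report Herb asks for (files changed per host in the last 24 hours, 7 days and 30 days), built on the same alert/location/data join Daniel uses, as an added example that is not from this thread or from OSSEC itself. It assumes a cut-down copy of those three tables in SQLite, with column names taken from the queries above and constructed sample rows; the file path is taken from the first single-quoted string in full_log (the "Integrity checksum changed for: '...'" format shown above), the "File '...' was deleted" wording used for rule 553 is an assumption, and the agent name is parsed out of the "(agent) ip->syscheck" location name.

```python
import re
import sqlite3

# Assumption: a cut-down version of the three OSSEC database tables the
# thread's queries join (alert, location, data). Column names follow those
# queries; types are simplified for SQLite. This is not OSSEC's own schema.
SCHEMA = """
CREATE TABLE alert (
    id INTEGER, server_id INTEGER, rule_id INTEGER,
    timestamp INTEGER, location_id INTEGER, src_ip INTEGER);
CREATE TABLE location (id INTEGER PRIMARY KEY, server_id INTEGER, name TEXT);
CREATE TABLE data (id INTEGER, server_id INTEGER, user TEXT, full_log TEXT);
"""

# Rule ids 550-553 are the syscheck (integrity checking) rules the thread
# filters on: 550-552 are "checksum changed" (1st/2nd/3rd time), 553 "deleted".
SYSCHECK_RULES = (550, 551, 552, 553)
WINDOWS = {"24h": 24 * 3600, "7d": 7 * 86400, "30d": 30 * 86400}

# The path is the first single-quoted string in full_log, e.g.
# "Integrity checksum changed for: '/etc/hosts'" (format shown in the thread).
QUOTED_PATH = re.compile(r"'([^']+)'")
# location.name looks like "(agent) 192.168.2.99->syscheck"; keep the agent name.
AGENT_NAME = re.compile(r"^\(([^)]+)\)")

NOW = 1_200_000_000  # fixed "current time" so the example is deterministic


def build_sample_db():
    """In-memory database with constructed sample alerts (not real OSSEC data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO location VALUES (?, ?, ?)", [
        (1, 1, "(esqueleto) 192.168.2.99->syscheck"),
        (2, 1, "(winhome) 192.168.2.190->syscheck"),
        (3, 1, "(esqueleto) 192.168.2.99->/var/log/auth.log"),
    ])
    # (alert id, rule id, seconds before NOW, location id, full_log); constructed.
    # The rule-553 wording is assumed; the rule-5501 line is a non-syscheck alert
    # that must be left out of the report.
    sample = [
        (1, 550, 3600, 1, "Integrity checksum changed for: '/etc/postgresql/8.1/main/pg_hba.conf'"),
        (2, 551, 1800, 1, "Integrity checksum changed for: '/etc/postgresql/8.1/main/pg_hba.conf'"),
        (3, 550, 3 * 86400, 1, "Integrity checksum changed for: '/var/ossec/etc/ossec.conf'"),
        (4, 553, 20 * 86400, 1, "File '/etc/cron.d/backup' was deleted. Unable to retrieve checksum."),
        (5, 550, 6 * 86400, 2, "Integrity checksum changed for: 'C:\\WINDOWS/system32/drivers/etc/hosts'"),
        (6, 550, 40 * 86400, 2, "Integrity checksum changed for: 'C:\\WINDOWS/win.ini'"),
        (7, 5501, 60, 3, "Mar  1 10:00:00 esqueleto sshd[123]: Accepted publickey for root"),
    ]
    for alert_id, rule_id, age, loc_id, full_log in sample:
        conn.execute("INSERT INTO alert VALUES (?, 1, ?, ?, ?, NULL)",
                     (alert_id, rule_id, NOW - age, loc_id))
        conn.execute("INSERT INTO data VALUES (?, 1, NULL, ?)", (alert_id, full_log))
    conn.commit()
    return conn


def changed_files(conn, since):
    """Rows (agent, path, rule_id, timestamp) for syscheck alerts at or after `since`.

    Same join as the thread's query; the rule-id list and the time bound are
    passed as parameters, and the epoch arithmetic is done in Python so the
    statement needs no FROM_UNIXTIME/to_timestamp.
    """
    placeholders = ",".join("?" * len(SYSCHECK_RULES))
    rows = conn.execute(
        f"""SELECT location.name, data.full_log, alert.rule_id, alert.timestamp
            FROM alert
            JOIN location ON location.id = alert.location_id
            JOIN data ON data.id = alert.id AND data.server_id = alert.server_id
            WHERE alert.rule_id IN ({placeholders}) AND alert.timestamp >= ?
            ORDER BY alert.timestamp""",
        (*SYSCHECK_RULES, since),
    ).fetchall()
    out = []
    for name, full_log, rule_id, ts in rows:
        m = QUOTED_PATH.search(full_log)
        if not m:
            continue  # syscheck alert without a quoted path: nothing to report
        agent = AGENT_NAME.match(name)
        out.append((agent.group(1) if agent else name, m.group(1), rule_id, ts))
    return out


def report(conn, now=NOW):
    """{window: {agent: sorted unique paths}} for the 24h / 7d / 30d windows.

    Repeated changes to one file (rules 550 -> 551 -> 552) collapse to one entry.
    """
    result = {}
    for label, seconds in WINDOWS.items():
        per_agent = {}
        for agent, path, _rule, _ts in changed_files(conn, now - seconds):
            per_agent.setdefault(agent, set()).add(path)
        result[label] = {a: sorted(p) for a, p in per_agent.items()}
    return result


if __name__ == "__main__":
    db = build_sample_db()
    for window, agents in report(db).items():
        print(f"== files changed in the last {window} ==")
        for agent, paths in sorted(agents.items()):
            for path in paths:
                print(f"  {agent}: {path}")
```

Because `timestamp` is stored as a Unix epoch (which is why Daniel wraps it in FROM_UNIXTIME / to_timestamp), the same statement runs unchanged against the real MySQL or PostgreSQL tables once `sqlite3` is swapped for that server's client library; only the placeholder style may differ.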
