Hi Herb, Yes, it is supposed to update the database in real time. However, there is a problem if you specify the hostname as localhost with MySQL. For some reason (beyond me), the libmysql defaults to Unix sockets instead of TCP if localhost is set. Because of that, when ossec chroots, it stops working...
If that's your problem, you have a few choices to fix this:

1-Try changing your mysql configuration to use TCP instead of unix sockets. Just adding the following to my.cnf should fix this:

[client]
port = 3306
protocol = tcp

2-Try specifying the external IP address of your server instead of 127.0.0.1 (like the ip of eth0). Just make sure that MySQL is listening on that address.

3-Create a hard link from the external MySQL socket to one inside ossec. Just make sure they are in the same partition...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 6, 2007 11:08 PM, Herb Steck <[EMAIL PROTECTED]> wrote:
>
> Is it supposed to update the mysql database in realtime? The only time I
> see data in the alert table updated is when I restart the ossec service.
> When I restart the service it looks like it adds 20 rows each time.
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On
> Behalf Of Daniel Cid
> Sent: Sunday, November 04, 2007 9:13 PM
> To: [email protected]
> Subject: [ossec-list] Re: v 1.4
>
>
>
> Hi Herb,
>
> Every alert is sent to the database, including integrity checking
> events.
> A quick SQL to get all files that were changed is (for postgresql):
>
> SELECT to_timestamp(timestamp), rule_id, location.name, full_log FROM
> alert,location, data WHERE location.id = alert.location_id AND data.id
> = alert.id AND data.server_id = alert.server_id AND (rule_id = 550 OR
> rule_id = 551 OR rule_id = 552 OR rule_id = 553);
>
> 2007-08-28 00:14:29-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/etc/postgresql/8.1/main/pg_hba.conf`
> 2007-08-28 00:14:35-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/etc/postgresql/8.1/main/postgresql.conf`
> 2007-08-28 21:47:41-03 | 550 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/var/ossec/etc/internal_options.conf`
> 2007-08-29 22:23:49-03 | 551 | (esqueleto) 192.168.2.99->syscheck | Integrity checksum changed for: `/var/ossec/etc/ossec.conf`
> 2007-08-30 06:31:43-03 | 550 | (winhome) 192.168.2.190->syscheck | Integrity checksum changed for: `C:WINDOWS/system32/drivers/etc/hosts`
>
>
> *for MySQL it would be something like:
>
> SELECT FROM_UNIXTIME(timestamp) time, rule_id, location.name location,
> INET_NTOA(src_ip) srcip, full_log FROM alert,location, data WHERE
> location.id = alert.location_id AND data.id = alert.id AND
> data.server_id = alert.server_id AND rule_id = 550;
>
>
> Hope it helps.
>
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Oct 30, 2007 5:45 PM, Herb Steck <[EMAIL PROTECTED]> wrote:
> >
> > I'm glad to see that Ossec is finally able to log to a mysql database. I do
> > have a question though. What all is sent to the database? I am using Ossec
> > strictly for the hids capability. But it looks like only the log alerts
> > like the windows event logs or syslogs are sent to the database.
> >
> > What I am really looking for is to be able to create a report of files that
> > have changed on each host within the past 24 hours, past week, past 30 days,
> > etc. Was hoping I could pull this information out of the database. Is this
> > data being sent or is it still in the flat log files?
> >
> > Thanks
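The report Herb asks for (files changed on each host within the past 24 hours, week or 30 days), worked through as an added example; it is not code from the thread or from the OSSEC project. It assumes the OSSEC 1.4 MySQL schema that the queries above are written against: alert(id, server_id, rule_id, timestamp, location_id, src_ip), data(id, server_id, full_log) and location(id, name), with alert.timestamp stored as seconds since the epoch (which is why the thread's query wraps it in FROM_UNIXTIME), and the syscheck rule ids 550 to 553 named in the thread. The @window_days and @since session variables belong to the example only; OSSEC provides nothing of the kind.

```sql
-- Added example, not OSSEC's own code: syscheck (file integrity) change
-- report for the last N days against the OSSEC 1.4 MySQL schema assumed
-- in the lead-in. 1 = past 24 hours, 7 = past week, 30 = past 30 days.
SET @window_days = 7;
SET @since = UNIX_TIMESTAMP() - @window_days * 86400;

-- Detail: every file-integrity alert in the window, grouped by host and
-- newest first. location.name is the "(agent) ip->syscheck" string shown
-- in the thread's output, so it identifies the host.
SELECT
    location.name                  AS host,
    FROM_UNIXTIME(alert.timestamp) AS time,
    alert.rule_id                  AS rule,
    data.full_log                  AS event
FROM alert
JOIN location ON location.id = alert.location_id
JOIN data     ON data.id = alert.id
             AND data.server_id = alert.server_id
WHERE alert.rule_id IN (550, 551, 552, 553)   -- syscheck rule ids from the thread
  AND alert.timestamp >= @since
ORDER BY host, alert.timestamp DESC;

-- Summary: how many file-integrity alerts each host raised in the same
-- window, so a host that is suddenly noisy stands out at the top.
SELECT
    location.name                       AS host,
    COUNT(*)                            AS changes,
    FROM_UNIXTIME(MIN(alert.timestamp)) AS first_seen,
    FROM_UNIXTIME(MAX(alert.timestamp)) AS last_seen
FROM alert
JOIN location ON location.id = alert.location_id
WHERE alert.rule_id IN (550, 551, 552, 553)
  AND alert.timestamp >= @since
GROUP BY location.name
ORDER BY changes DESC;
```

Run it from the mysql client against the OSSEC database and change @window_days for the other two reports. Before relying on it, compare the column names with the schema file shipped with your OSSEC version, and check rules/syscheck_rules.xml in your installation for any further syscheck rule ids that should join the IN (...) list; the thread only names 550 to 553.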
