I have installed OSSEC with the Puppet module provided by Wazuh. With this module I have set up a server with a couple of agents set up, and I have enabled MySQL support.

The problem is that the alert table is missing a lot of records after running OSSEC for a few weeks. The tables category, data, location, server, signature and signature_category_mapping are getting information, so I assume the connection with MySQL is working correctly. In the records that did show up in the database, the fields level, user and full_log are empty. I expected that all the information that is in /var/ossec/logs/alerts/alerts.log would also show up in the MySQL table. On the server, the file /var/ossec/logs/alerts/alerts.log is showing alerts of all the agents; there are multiple alerts every minute. /var/ossec/logs/ossec.log is only showing messages about files the system cannot find. Any tips on what is going wrong?

OSSEC version: OSSEC HIDS v2.8.3
MySQL version: 5.7.17
Ubuntu: Ubuntu 16.04 server

The ossec.conf on the server looks like this:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>os...@maildomain.tld</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>os...@maildomain.tld</email_from>
    <email_maxperhour>1</email_maxperhour>
    <stats>8</stats>
    <host_information>8</host_information>
  </global>

  <!-- Included rules (static) -->
  <rules>
    <include>rules_config.xml</include>
    ...
  </rules>

  <!-- Most of these rules are defined in the shared agent config -->
  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>yes</auto_ignore>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes" report_changes="no" realtime="no">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore (parameterized) -->
  </syscheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>11</email_alert_level>
  </alerts>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  ...

  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>correct_password</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>

Table structure:

CREATE TABLE `alert` (
  `id` int(10) UNSIGNED NOT NULL,
  `server_id` smallint(5) UNSIGNED NOT NULL,
  `rule_id` mediumint(8) UNSIGNED NOT NULL,
  `level` tinyint(3) UNSIGNED DEFAULT NULL,
  `timestamp` int(10) UNSIGNED NOT NULL,
  `location_id` smallint(5) UNSIGNED NOT NULL,
  `src_ip` varchar(46) DEFAULT NULL,
  `dst_ip` varchar(46) DEFAULT NULL,
  `src_port` smallint(5) UNSIGNED DEFAULT NULL,
  `dst_port` smallint(5) UNSIGNED DEFAULT NULL,
  `alertid` varchar(30) DEFAULT NULL,
  `user` text,
  `full_log` text,
  `is_hidden` tinyint(4) NOT NULL DEFAULT '0',
  `tld` varchar(5) NOT NULL DEFAULT ''
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

ALTER TABLE `alert`
  ADD PRIMARY KEY (`id`,`server_id`),
  ADD KEY `alertid` (`alertid`),
  ADD KEY `level` (`level`),
  ADD KEY `time` (`timestamp`),
  ADD KEY `rule_id` (`rule_id`),
  ADD KEY `src_ip` (`src_ip`),
  ADD KEY `tld` (`tld`);

ALTER TABLE `alert` MODIFY `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
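As an added diagnostic for the gap described in this post (this is example code, not part of the original message and not OSSEC or Wazuh code): it parses records out of the alerts.log format and compares them with rows read from the alert table, listing alertids that never reached MySQL and rows that arrived with level or full_log empty. The log excerpt and the table rows are constructed samples; in practice you would read the real /var/ossec/logs/alerts/alerts.log and the result of `SELECT alertid, level, user, full_log FROM alert`.

```python
import re

# Constructed excerpt in the format of /var/ossec/logs/alerts/alerts.log (not real alerts).
ALERTS_LOG = """** Alert 1482246780.1001: - syslog,sshd,authentication_success,
2016 Dec 20 15:33:00 (agent01) 192.168.1.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.50
User: alice
Dec 20 15:33:00 agent01 sshd[1234]: Accepted publickey for alice from 192.168.1.50 port 5555 ssh2

** Alert 1482246840.1002: mail - syslog,sshd,authentication_failed,
2016 Dec 20 15:34:00 (agent02) 192.168.1.11->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.60
User: bob
Dec 20 15:34:00 agent02 sshd[2345]: Failed password for bob from 192.168.1.60 port 6666 ssh2
"""
# Constructed rows standing in for `SELECT alertid, level, user, full_log FROM alert`.
TABLE_ROWS = [{"alertid": "1482246780.1001", "level": None, "user": "", "full_log": ""}]
HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): ")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
META = ("Src IP: ", "Src Port: ", "Dst IP: ", "Dst Port: ", "User: ")

def parse_alerts(text):
    """One record per '** Alert' block; alertid is the '<epoch>.<seq>' stored in alert.alertid."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue
        rec = {"alertid": m.group(1), "rule_id": None, "level": None, "user": None, "full_log": None}
        for i, line in enumerate(lines[1:], start=1):
            r = RULE.match(line)
            if r:
                rec["rule_id"], rec["level"] = int(r.group(1)), int(r.group(2))
            elif line.startswith("User: "):
                rec["user"] = line[len("User: "):]
            elif rec["rule_id"] is not None and not line.startswith(META):
                rec["full_log"] = "\n".join(lines[i:])  # rest of the block is the raw event
                break
        alerts.append(rec)
    return alerts

def compare_with_table(alerts, table_rows):
    """Return alertids missing from the table, and table rows with empty level/full_log (user may legitimately be empty)."""
    rows = {row["alertid"]: row for row in table_rows}
    missing = [a["alertid"] for a in alerts if a["alertid"] not in rows]
    empty = [aid for aid, row in rows.items() if row["level"] is None or not row["full_log"]]
    return missing, empty
```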