Hi John, here is a first approach:

*decoders*

<!--
https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/#audit-log-format

[timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]

May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0
-->

<decoder name="mariadb-syslog">
  <program_name>mysql</program_name>
</decoder>

<decoder name="mariadb-syslog-fields">
  <parent>mariadb-syslog</parent>
  <regex> (\.*),(\.*),(\.*),(\.*),(\.*),(\.*),(\.*),(\.*),(\.*)</regex>
  <order> mariadb.info,mariadb.username,mariadb.host,mariadb.connectionid,mariadb.queryid,mariadb.operation,mariadb.database,mariadb.object,mariadb.retcode </order>
</decoder>

*rules*

<group name="mariadb,">
  <rule id="200000" level="0">
    <decoded_as>mariadb-syslog</decoded_as>
    <description>MariaDB group messages.</description>
  </rule>
</group>

*ossec-logtest*

May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0

**Phase 1: Completed pre-decoding.
       full event: 'May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0'
       hostname: 'mysql09a'
       program_name: 'mysql-server_auditing'
       log: ' mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0'

**Phase 2: Completed decoding.
       decoder: 'mariadb-syslog'
       mariadb.info: 'mysql09a.local'
       mariadb.username: 'ahc_shwb01_t'
       mariadb.host: 'ahc-web29d.local'
       mariadb.connectionid: '849705'
       mariadb.queryid: '0'
       mariadb.operation: 'DISCONNECT'
       mariadb.database: 'ahc_shwb01_t'
       mariadb.object: ''
       mariadb.retcode: '0'

**Phase 3: Completed filtering (rules).
       Rule id: '200000'
       Level: '0'
       Description: 'MariaDB group messages.'

It would be nice if you sent us a pull request to wazuh-ruleset <https://github.com/wazuh/wazuh-ruleset> when you finish the rules.

Regards.
On Wednesday, May 24, 2017 at 6:06:13 PM UTC+2, John Gelnaw wrote:
>
> Link to the MariaDB audit plugin format:
> https://mariadb.com/kb/en/mariadb/about-the-mariadb-audit-plugin/#audit-log-format
>
> syslog format:
>
> [timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],[connectionid],[queryid],[operation],[database],[object],[retcode]
>
> We're using syslog, since it allows us to easily forward the logs to our central logging server for archiving.
>
> And here's a small sample of log files:
>
> May 23 14:40:00 mysql09a mysql-server_auditing: mysql09a.local,root,MYSQLADM.local,725989,179577437,QUERY,,'DROP DATABASE `ese_adherence_s`',0
> May 24 10:22:21 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,10.15.190.182,840046,210662172,QUERY,`ahc_shwb01_t`,'CREATE TABLE `zipcodes` ( `zip` varchar(16) NOT NULL DEFAULT \'0\' COMMENT \'Postal / ZIP code.\', `city` varchar(30) NOT NULL DEFAULT \'\' COMMENT \'City.\', `state` varchar(30) NOT NULL DEFAULT \'\' COMMENT \'Province / State.\', `latitude`',0
> May 24 10:22:21 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,10.15.190.182,840046,210662174,QUERY,`ahc_shwb01_t`,'/*!40000 ALTER TABLE `zipcodes` DISABLE KEYS */',0
> May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,CONNECT,ahc_shwb01_t,,0
> May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,ahc-web29d.local,849705,0,DISCONNECT,ahc_shwb01_t,,0
> May 24 12:01:12 mysql09a mysql-server_auditing: mysql09a.local,,AHC-GSMPX11.local,850526,0,FAILED_CONNECT,,,1158
>
> The 'mysql-server_auditing' is a user-configurable option (I took the default).
>
> I can provide a larger sample of logs if anyone wants.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
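As an added example, not code from the thread, the Wazuh ruleset or the MariaDB project: a small Python parser for the audit plugin's syslog format discussed above, run over the sample lines from John's post (copied from the thread with the e-mail line wraps joined). It handles the case the reply's nine-group comma regex does not: a QUERY whose single-quoted object field itself contains commas (the CREATE TABLE line), which a plain comma split turns into twelve parts, so the captures can no longer line up with the nine field names. The escape handling (backslash before a quote or backslash inside the quoted query, as in the \'0\' in the sample) and the flag_event checks at the end are my own assumptions and illustrations, not rules from the thread.

```python
import re

# Syslog prefix as in the thread: "<timestamp> <host> <syslog_ident>: <record>".
# syslog_ident ("mysql-server_auditing") is configurable, so match up to the colon.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_host>\S+) (?P<syslog_ident>[^\s:]+): ?(?P<record>.*)$"
)

# The nine comma-separated fields of the audit plugin's syslog format.
FIELDS = ("serverhost", "username", "host", "connectionid", "queryid",
          "operation", "database", "object", "retcode")

# Sample lines copied from the thread (e-mail line wraps joined).
SAMPLE_LINES = [
    "May 23 14:40:00 mysql09a mysql-server_auditing: mysql09a.local,root,"
    "MYSQLADM.local,725989,179577437,QUERY,,'DROP DATABASE `ese_adherence_s`',0",
    r"May 24 10:22:21 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,"
    r"10.15.190.182,840046,210662172,QUERY,`ahc_shwb01_t`,'CREATE TABLE `zipcodes` "
    r"( `zip` varchar(16) NOT NULL DEFAULT \'0\' COMMENT \'Postal / ZIP code.\', "
    r"`city` varchar(30) NOT NULL DEFAULT \'\' COMMENT \'City.\', `state` varchar(30) "
    r"NOT NULL DEFAULT \'\' COMMENT \'Province / State.\', `latitude`',0",
    "May 24 11:51:30 mysql09a mysql-server_auditing: mysql09a.local,ahc_shwb01_t,"
    "ahc-web29d.local,849705,0,CONNECT,ahc_shwb01_t,,0",
    "May 24 12:01:12 mysql09a mysql-server_auditing: mysql09a.local,,"
    "AHC-GSMPX11.local,850526,0,FAILED_CONNECT,,,1158",
]


def split_audit_fields(record):
    """Split the audit record on commas, except inside the single-quoted object
    field (the query text). Assumption: inside the quotes a backslash escapes
    the next character, as the \\'0\\' in the sample suggests."""
    fields, buf = [], []
    in_quote = False
    i, n = 0, len(record)
    while i < n:
        c = record[i]
        if in_quote:
            if c == "\\" and i + 1 < n:      # keep the escape pair verbatim
                buf.append(record[i:i + 2])
                i += 2
                continue
            if c == "'":
                in_quote = False
            buf.append(c)
        elif c == "'" and not buf:           # a quote only opens at field start
            in_quote = True
            buf.append(c)
        elif c == ",":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def naive_field_count(line):
    """Number of parts a plain comma split (no quote awareness) yields."""
    m = SYSLOG_RE.match(line)
    return len(m.group("record").split(",")) if m else 0


def parse_line(line):
    """Return the decoded fields as a dict, or None when the line is not a
    MariaDB audit record in syslog form or does not split into nine fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = split_audit_fields(m.group("record"))
    if len(parts) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, parts))
    event["timestamp"] = m.group("timestamp")
    event["syslog_host"] = m.group("syslog_host")
    event["syslog_ident"] = m.group("syslog_ident")
    return event


def flag_event(event):
    """Illustrative checks (mine, not rules from the thread) showing how the
    decoded fields would feed a rule: errored/failed operations and DROP DATABASE."""
    reasons = []
    if event["operation"] == "FAILED_CONNECT" or event["retcode"] != "0":
        reasons.append("failed-or-errored:%s:%s" % (event["operation"], event["retcode"]))
    query = event["object"].strip("'").lstrip().upper()
    if event["operation"] == "QUERY" and query.startswith("DROP DATABASE"):
        reasons.append("drop-database:%s@%s" % (event["username"], event["host"]))
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(naive_field_count(line), "comma parts ->",
              ev["operation"], ev["retcode"], flag_event(ev))
```

The quote-aware split is what a decoder regex would need to express for the object field; a nine-group `(\.*),` pattern is fine for CONNECT, DISCONNECT and FAILED_CONNECT records, whose object field is empty, but any query containing a comma shifts the captures.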