Everything seems to be working well, and I have followed all of the 
instructions in the following link for ossec to decode mysql logs and alert 
on rules. https://groups.google.com/forum/#!topic/ossec-list/u4uXvPnGhQ4

I am a little perplexed because everything else seems to be working. 
Troubleshooting: I am trying to log in to the mysql-server with an invalid 
username or password. The error message should read "Access denied for 
user".
1. I see these lines in /var/log/mysql/error.log
2. I have enabled debugging level 2 and see that the agent is collecting 
logs for /var/logs/mysql/error.log
3. On the server, I have included the rules file mysql_rules
4. On the agent in agent.conf, I have included the lines:
     <localfile>
        <log_format>mysql_log</log_format>
        <location>/var/log/mysql/error.log</location>
     </localfile>
5. I have restarted both server and agent multiple times
6. I receive real time monitoring alerts on file changes and sudo 
open/closed sessions
7. I receive alerts from the default setup about failed ssh access attempts 
but not mysql
8. It's strange I get some alerts about sudo access (level 3) and ssh 
access attempts (level 5) but not file changes (I guess this is separate 
unless there is a delay for mysql rules I'm not aware of).

Did I miss something to enable mysql alerts?
