-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Cid wrote:
>
> If your mysql or postgresql logs are just normal syslog files (or have
> 1 line per event), you can just use the "syslog" log format. The
> "apache", "iis", "snort-fast" and "squid" formats are just aliases to
> this one. The only ones that make a difference are the "snort-full"
> (4 lines per event) and the nmapg (which parses the nmap format). These
> names are not defined in the xml, since they need to map to a specific
> "plugin" to read the logs. If you look at src/logcollector, you will
> see these three files:
>
> read_nmapg.c
> read_snortfull.c
> read_syslog.c

I saw those and feared that it wasn't as simple as adding an XML section
somewhere.

> The read_syslog.c basically reads any syslog (or 1 line per event) log.
> So if you want to monitor a binary format or a file with multiple lines
> per alert, you would need to write a new plugin and map a specific
> log_format to it... Hope I was able to explain it well.

You explained it quite well enough. :-)

Unfortunately, mysql logs aren't just 1 line, nor are they a "standard"
multi-line entry. Depending on the event, there is 1 line with a
timestamp, which may be followed by as many as 5 more lines (maybe more;
that's the most I've seen in my logs) regarding the event with the
timestamp. So, I guess I'll have to wait for a plugin. If I were to
write one in perl, is there someone on the "core team" that could
translate it to a true plugin in C? Or, is there a way to call a plugin
as a script instead of a binary?

> *log_formats are just related to how the logs are going to be
> extracted. The names in there have no relation to the ones in the
> decoders and/or rules.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 8/21/06, gentuxx <[EMAIL PROTECTED]> wrote:
>>
>> I only know a little about XML, so I'm kind of treading water with the
>> rules, and configs. But I do know that XML is hierarchical, and that
>> the different markup tags have to be defined /somewhere/. So, I'm
>> curious, where are the '<log_format>' tags defined? Or, rather, where
>> are the log formats defined? Is that in the decoders.xml? What if I
>> wanted to define my own log format to monitor, say MySQL, or
>> Postgres? I've tried reading the source, but as much of a scripter as
>> I am, C is still beyond me as far as being able to really put it all
>> together. So, if I create a decoder in the decoders.xml file which
>> contains the regex(es) for MySQL, would I then be able to create a log
>> group, and thus rules, using the 'mysql' (or whatever I call it)
>> '<log_format>'?
>>
>>

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6gGDTPA54hjTSp4RApuoAJ9ayuM/61YOI8fARGga+yiwVvsl2QCdFCTG
BBEbNvx/uPjxAeL4HSc9wxU=
=0yJl
-----END PGP SIGNATURE-----
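The grouping logic that the "multi-line plugin" discussed above would need, as an added stand-alone example. This is not code from the thread and not OSSEC's own logcollector source; the names (mlcollector, ml_feed, ml_flush, run_sample) are hypothetical, the " | " join separator and the EVENT_MAX cap are choices made here, and the sample log lines are constructed for the example. It assumes that every MySQL event opens with a line whose first 15 characters are a "YYMMDD HH:MM:SS" timestamp and that any following line not starting that way is a continuation of the same event, which is the shape the poster describes (one timestamped line followed by up to five more).

```c
/*
 * Added example, not OSSEC code: the line-grouping logic a multi-line MySQL
 * logcollector plugin (a hypothetical read_mysql.c next to read_syslog.c and
 * read_snortfull.c) would need. All function and type names are made up here.
 *
 * Assumption: each event starts with a line whose first 15 characters form a
 * "YYMMDD HH:MM:SS" timestamp; lines that do not start that way belong to the
 * preceding event. Continuation lines are joined with " | " so the whole
 * event can be passed on as a single record.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define EVENT_MAX 4096 /* assumed cap on one joined event; excess is dropped */

struct mlcollector {
    char buf[EVENT_MAX]; /* event currently being assembled */
    size_t len;          /* bytes used in buf */
    int lines;           /* raw lines in the current event (0 = empty) */
};

void ml_init(struct mlcollector *c)
{
    c->len = 0; c->lines = 0; c->buf[0] = '\0';
}

/* Returns 1 if line begins with a "YYMMDD HH:MM:SS" timestamp, else 0. */
int ml_is_event_start(const char *line)
{
    const char *shape = "dddddd dd:dd:dd"; /* d = any digit */
    for (size_t i = 0; shape[i] != '\0'; i++) {
        if (line[i] == '\0')
            return 0;
        if ((shape[i] == 'd') ? !isdigit((unsigned char)line[i])
                              : (line[i] != shape[i]))
            return 0;
    }
    return 1;
}

/* Bounded append: never writes past buf, silently truncates instead. */
static void ml_append(struct mlcollector *c, const char *s, size_t n)
{
    size_t room = sizeof c->buf - 1 - c->len;
    if (n > room)
        n = room;
    memcpy(c->buf + c->len, s, n);
    c->len += n;
    c->buf[c->len] = '\0';
}

/*
 * Feed one raw line (a trailing "\n" or "\r\n" is ignored). A timestamped
 * line closes the event being assembled: that event is copied to out and 1
 * is returned, otherwise 0. A continuation line arriving while nothing is
 * buffered (collector started mid-event) simply opens a new event.
 */
int ml_feed(struct mlcollector *c, const char *line, char *out, size_t outlen)
{
    size_t n = strcspn(line, "\r\n");
    int emitted = 0;
    if (c->lines > 0 && ml_is_event_start(line)) {
        snprintf(out, outlen, "%s", c->buf);
        ml_init(c);
        emitted = 1;
    }
    if (c->lines > 0)
        ml_append(c, " | ", 3);
    ml_append(c, line, n);
    c->lines++;
    return emitted;
}

/* At EOF: hand out the last, still-open event (returns 1) or nothing (0). */
int ml_flush(struct mlcollector *c, char *out, size_t outlen)
{
    if (c->lines == 0)
        return 0;
    snprintf(out, outlen, "%s", c->buf);
    ml_init(c);
    return 1;
}

/* Constructed sample, not from a real server: three events, the last one
   spanning five lines as in the poster's description. */
static const char *const SAMPLE[] = {
    "060821 14:02:33  InnoDB: Started; log sequence number 0 43655",
    "060821 14:02:33 [Note] /usr/sbin/mysqld: ready for connections.",
    "Version: '5.0.22-log'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306",
    "060821 14:05:10 - mysqld got signal 11;",
    "This could be because you hit a bug.",
    "key_buffer_size=16777216",
    "read_buffer_size=131072",
    "max_used_connections=3",
};

/* Runs the collector over SAMPLE, storing up to max_events joined events;
   returns how many were produced. */
int run_sample(char events[][EVENT_MAX], size_t max_events)
{
    struct mlcollector c;
    size_t count = 0, nlines = sizeof SAMPLE / sizeof SAMPLE[0];
    ml_init(&c);
    for (size_t i = 0; i < nlines && count < max_events; i++)
        if (ml_feed(&c, SAMPLE[i], events[count], EVENT_MAX))
            count++;
    if (count < max_events && ml_flush(&c, events[count], EVENT_MAX))
        count++;
    return (int)count;
}

int main(void)
{
    char events[8][EVENT_MAX];
    int n = run_sample(events, 8);
    for (int i = 0; i < n; i++)
        printf("event %d: %s\n", i + 1, events[i]);
    return 0;
}
```

Two points carry over to a real plugin: the event is only complete when the next timestamped line arrives (or the file is flushed), so the last event of a file is always delayed by one line, and the output buffer is bounded so an unexpectedly long or never-terminating run of continuation lines cannot grow without limit. The " | " join is only a convenience for the example; a decoder regex for the joined record would have to be written against whatever separator the plugin actually chooses.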
