Hi, Just setup the ossec2mysql perl daemon that ships in the contrib directory and seems to work correctly. I don't use Snort or BASE. I'd like to try using it to generate SQL-based reports, easy querying, and long-term archiving. It looks like it puts the entire alert content into a single column "data_payload" in the "data" table however, rather than breaking out the various decoded fields into their own columns (i.e. time/date, hostname, program_name, user, srcip, dstip, url, action, status, log, etc etc as well) although rule_id can be derived by joining with the "event" and "signature" tables. It seems to me the big win of using a RDBMS to store the information is so that one can model the attributes in separate columns for advanced querying. Is there a reason it doesn't do this, or is this just a feature not yet implemented waiting for some good soul to do it :) ?
Thanks, ~Josh
