Have you tried comparing the timestamp in the MySQL database to the timestamp in the alert log?
On Tue, Nov 17, 2009 at 8:02 PM, Alisha Kloc <[email protected]> wrote:
> Hello,
>
> I wanted to ask my question again after seeing a reply to my
> suggestion in the feedback forum. Daniel Cid posted there that the
> manager does in fact timestamp the events, but I still can't figure
> out where this happens or how. Is what shows up in the database the
> timestamp generated by the manager? Is the timestamp in the database
> generated by MySQL, and the manager timestamp used for a different
> form of reporting? We need to know in order to correctly report on our
> timestamping capabilities, but I can't find this information
> anywhere...
>
> Thanks!
> -Alisha
>
> On Nov 3, 10:30 am, Alisha Kloc <[email protected]> wrote:
>> Hello,
>>
>> We recently noticed that OSSEC doesn't appear to have the ability to
>> timestamp events in milliseconds. This led to an examination of how
>> OSSEC timestamps its events, but we couldn't figure that out either.
>> I've done some searching on this, but haven't had any luck.
>>
>> Does anyone know where the timestamps in an OSSEC MySQL database come
>> from? Are they inserted by MySQL's automatic now() function? Does
>> OSSEC have any control over the timestamps? Are the timestamps in any
>> way related to the time logged in the syslog from which OSSEC is
>> pulling the event, or are they assigned after the event is passed to
>> the manager? Is there a way to get OSSEC events stamped with a time
>> down to the millisecond, for detailed forensic reporting?
>>
>> Thanks in advance!
>> -Alisha
