Odd... looks like my original reply never showed up.

I did try comparing the timestamp in the database to the timestamp in
the alert log, and saw a difference of up to four seconds sometimes.
This still doesn't answer my question, though - I don't know if the
reason for the difference is because OSSEC is stamping the alert and
recording it in its log, then writing it to the database and stamping
it there (which shouldn't take four seconds), or because OSSEC is
stamping the log and passing the information to MySQL which then
timestamps it (which also shouldn't take four seconds). The only
answer this rules out is that OSSEC is writing to the alert log and
MySQL at the same time.

I also can't come up with any good reason why there is a four-second
difference, unless OSSEC is like Snort in that it keeps its own time
and never checks the system clock, and therefore gets ahead while
MySQL uses the system clock (or vice versa). So, unfortunately, I'm
still quite baffled...

On Nov 18, 9:09 am, "dan (ddp)" <[email protected]> wrote:
> Have you tried comparing the timestamp in the mysql database to the timestamp
> in the alert log?
>
> On Tue, Nov 17, 2009 at 8:02 PM, Alisha Kloc <[email protected]> wrote:
> > Hello,
>
> > I wanted to ask my question again after seeing a reply to my
> > suggestion in the feedback forum. Daniel Cid posted there that the
> > manager does in fact timestamp the events, but I still can't figure
> > out where this happens or how. Is what shows up in the database the
> > timestamp generated by the manager? Is the timestamp in the database
> > generated by MySQL, and the manager timestamp used for a different
> > form of reporting? We need to know in order to correctly report on our
> > timestamping capabilities, but I can't find this information
> > anywhere...
>
> > Thanks!
> > -Alisha
>
> > On Nov 3, 10:30 am, Alisha Kloc <[email protected]> wrote:
> >> Hello,
>
> >> We recently noticed that OSSEC doesn't appear to have the ability to
> >> timestamp events in milliseconds. This led to an examination of how
> >> OSSEC timestamps its events, but we couldn't figure that out either.
> >> I've done some searching on this, but haven't had any luck.
>
> >> Does anyone know where the timestamps in an OSSEC MySQL database come
> >> from? Are they inserted by MySQL's automatic now() function? Does
> >> OSSEC have any control over the timestamps? Are the timestamps in any
> >> way related to the time logged in the syslog from which OSSEC is
> >> pulling the event, or are they assigned after the event is passed to
> >> the manager? Is there a way to get OSSEC events stamped with a time
> >> down to the millisecond, for detailed forensic reporting?
>
> >> Thanks in advance!
> >> -Alisha
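
One way to run the comparison discussed above over a whole batch of alerts rather than by eye. This is an added example, not code from the thread or from the OSSEC project; it assumes the `** Alert <epoch>.<seq>:` header of alerts.log and an `alert` table with `alertid` and `timestamp` columns, and the sample log and rows are constructed.

```python
import re

# Constructed sample of OSSEC alerts.log entries (not taken from the thread).
# The "** Alert <epoch>.<seq>" header carries the manager's own timestamp;
# the following line repeats it in human-readable form.
ALERT_LOG = """\
** Alert 1258560540.12345: - syslog,sshd,authentication_failed,
2009 Nov 18 09:09:00 manager->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1258560601.12346: - syslog,sshd,authentication_failed,
2009 Nov 18 09:10:01 manager->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
"""

# Constructed stand-in for rows pulled from the database, assumed to be
# the result of: SELECT alertid, timestamp FROM alert WHERE timestamp > ...
DB_ROWS = [("1258560540.12345", 1258560544), ("1258560601.12346", 1258560601)]

HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+):", re.M)


def parse_alert_log(text):
    """Map alertid ('<epoch>.<seq>') -> epoch seconds stamped in alerts.log."""
    return {f"{epoch}.{seq}": int(epoch) for epoch, seq in HEADER.findall(text)}


def timestamp_skew(log_text, db_rows, threshold=1):
    """Return [(alertid, db_ts - log_ts)] for every alert whose database
    timestamp differs from the alerts.log timestamp by more than
    `threshold` seconds. A consistently positive delta means the database
    value is stamped later than the manager's alert-log value."""
    log_ts = parse_alert_log(log_text)
    skewed = []
    for alertid, db_ts in db_rows:
        if alertid not in log_ts:
            continue  # alert not in the sampled log window
        delta = db_ts - log_ts[alertid]
        if abs(delta) > threshold:
            skewed.append((alertid, delta))
    return skewed


if __name__ == "__main__":
    for alertid, delta in timestamp_skew(ALERT_LOG, DB_ROWS):
        print(f"{alertid}: database is {delta:+d}s relative to alerts.log")
```

Running it against a real export narrows the question in the thread: a delta that is always zero or always positive points at the database-side stamp, while deltas that wander in both directions point at clock differences.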
