The localfile option should be added to the systems with mysql or in the agent.conf. Do you have it set up as <log_format>mysql_log</log_format>? The INFO line you pasted means that ossec is reading the log file, so you may just have to write a rule for the log events you want alerts for.
I'd leave the localfile entries in the ossec.conf files. It doesn't really hurt to have them, and could help if your syslog server happens to miss some alerts.

On Thu, Apr 29, 2010 at 5:47 PM, Barnaby Cockcroft <[email protected]> wrote:
>
> I thought it might have worked the way you suggest, so I added a <localfile>
> section to the central server's ossec.conf, even though then
> ossec-logcollector complained of a missing file when starting up. It didn't
> seem to work with or without it! And of course, I have the <localfile>
> section on the agent (mysql) machines too, and get this message on startup:
> ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mysqld.log'
> I'm thinking of getting tcpdump out and seeing if any contents of the mysqld
> log file actually are getting sent back to the central server - I tried
> running the agent and log collector with the -fd flags to see if I could get
> any more interesting logging, but that didn't seem to work out too well
> either.
>
> Can you tell me if just adding the log to the <localfile> section of the
> ossec.conf is enough to cause the logs to be streamed back to the central
> server? If that's the case, presumably I should remove the <localfile>
> sections pertaining to daemon, messages, etc, as syslog itself streams those
> back to the central log server?
>
> Anyhow, I apologize for my confusion here. I just can't find any
> documentation anywhere that explains how this part of ossec's functionality
> is supposed to work to validate against what I'm seeing (or not seeing..).
>
> Thanks for the reply,
>
> Barnaby
>
>
> On 4/29/10 6:25 , "dan (ddp)" <[email protected]> wrote:
>
>> If you add the mysql logs to the ossec agent, it will pass the logs
>> back to the ossec server for evaluation there.
>> I haven't looked at mysql logs in a while, but I'm guessing it
>> shouldn't be too tough to get it all working.
>> You'd just add your rules to the ossec server and get alerts from it.
>>
>> If I'm misunderstanding something, let me know. I'll finish my coffee
>> before replying again.
>>
>> On Wed, Apr 28, 2010 at 10:29 PM, Barnaby Cockcroft
>> <[email protected]> wrote:
>>> I'm trying to figure out whether I can monitor my non-centralized mysqld.log
>>> files using ossec agents? I'm just looking for some simple alerts for
>>> instance when replication fails on a slave. But as far as I can see it's not
>>> possible to have rules on agents so I can't see how I can match log lines or
>>> use regular expressions like I can on the centralized syslog/ossec server.
>>> Am I missing something really simple here? It seems as if I should be able
>>> to do this without having to fall back to running sec on the db boxes.
>>> Thanks in advance if anyone can set me straight,
>>> Barnaby
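The setup the replies above describe (the agent reads mysqld.log through a <localfile> entry and forwards it, the server holds the rule and raises the alert), as an added example that is not part of this thread. The rule id, alert level and the matched error text are assumptions chosen for illustration, not values from the thread:

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on each mysql box (or the
     same block in agent.conf pushed from the server). The agent only
     reads the file and ships the lines; it evaluates no rules. -->
<ossec_config>
  <localfile>
    <log_format>mysql_log</log_format>
    <location>/var/log/mysqld.log</location>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/rules/local_rules.xml. Custom rule ids
     belong in the 100000+ range reserved for local rules. -->
<group name="local,mysql,">
  <!-- Assumed example: alert when a slave reports a replication I/O error.
       The <match> text is an illustrative MySQL error string; adjust it to
       the exact message your MySQL version writes to mysqld.log. -->
  <rule id="100100" level="10">
    <decoded_as>mysql_log</decoded_as>
    <match>Slave I/O: error connecting to master</match>
    <description>MySQL replication failure reported by a slave.</description>
    <group>replication_error,</group>
  </rule>
</group>
```

Run /var/ossec/bin/ossec-logtest on the server with a sample line to confirm the mysql_log decoder and this rule fire before restarting the daemons.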
