Agreed. Unsure why they don't break those up. On Wednesday, May 16, 2012, Zate wrote:
> Seems a little strange to combine the hostname and log source into a > single field. > > Zate > > > On Wed, May 16, 2012 at 8:09 AM, Darrell Hyde > <[email protected]<javascript:_e({}, 'cvml', '[email protected]');> > > wrote: > >> You can identify the agent - you just need to dig into the schema a >> bit. The schema is pretty simple. There are like 4 tables that we >> really care about: >> >> Everything starts with the location table. The location table >> identifies both the host that generated the alert, and the source of >> the alert on the host. Here's what the contents of the table look >> like: >> >> mysql> select * from location; >> +----+-----------+------------------------------------------+ >> | id | server_id | name | >> +----+-----------+------------------------------------------+ >> | 1 | 1 | linuxlab1->ossec-monitord | >> | 2 | 1 | (linuxlab2) 10.60.6.148->/var/log/secure | >> | 3 | 1 | (linuxlab2) 10.60.6.148->ossec | >> | 4 | 1 | (windowslab1) any->WinEvtLog | >> | 5 | 1 | linuxlab1->/var/log/secure | >> | 6 | 1 | (linuxlab2) any->ossec | >> | 7 | 1 | (linuxlab2) any->/var/log/secure | >> | 8 | 1 | (linuxlab2) any->syscheck | >> +----+-----------+------------------------------------------+ >> >> As you can see they combine the hostname (which in production will be >> the hosting account ID) and the alert source in the name field. So if >> you were going to output all of the file integrity alerts associated >> with a given host you'd start here like so: >> >> mysql> select * from location where name='(linuxlab2) any->syscheck'; >> +----+-----------+---------------------------+ >> | id | server_id | name | >> +----+-----------+---------------------------+ >> | 8 | 1 | (linuxlab2) any->syscheck | >> +----+-----------+---------------------------+ >> >> From there you can use the location.id field to get the list of alerts >> associated with that location like so: >> >> mysql> select * from alert where location_id=8; >> >> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-------------------+ >> | id | server_id | rule_id | timestamp | location_id | src_ip | >> dst_ip | src_port | dst_port | alertid | >> >> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-------------------+ >> | 32 | 1 | 550 | 1336413257 | 8 | 0 | >> 0 | 23744 | 54 | 1336413254.443098 | >> >> +----+-----------+---------+------------+-------------+--------+--------+----------+----------+-------------------+ >> >> Then from there you can use the alert.id field to get the extended >> text of the alert (formatted vertically for easier reading): >> >> mysql> select * from data where id=32 \G >> *************************** 1. row *************************** >> id: 32 >> server_id: 1 >> user: (null) >> full_log: Integrity checksum changed for: >> `/var/ossec/etc/ossec.conf`Size changed from `2061` to `2059`Old >> md5sum was: `f0c1c29412190c754982e838d9edab62`New md5sum is : >> `6bfb948ba8fb4d4e76e9d9c1bca5b496`Old sha1sum was: >> `052860041c47976cddca732eb63fbca306d2537c`New sha1sum is : >> `d24a4176708876b18e72639df767ff85fde7bd56` >> timestamp: 2012-05-07 13:54:17 >> >> ...and that's really all there is to it. >> >> On Wed, May 16, 2012 at 6:36 AM, dan (ddp) >> <[email protected]<javascript:_e({}, 'cvml', '[email protected]');>> >> wrote: >> > That table isn't populated yet. There's been some interest in >> > finishing that part of the code, but as far as I know no work has been >> > done. >> > >> > On Wed, May 16, 2012 at 3:28 AM, mikes >> > <[email protected]<javascript:_e({}, 'cvml', '[email protected]');>> >> wrote: >> >> Hi. >> >> >> >> Hmmm, why table 'agent' is empty in MySQL? >> >> >> >> I've got 150+ hosts and i can't search events by host :/ >> >> >> >> best regards >> > >
