Everything seems to be working well, and I have followed all of the instructions in the following link for OSSEC to decode MySQL logs and alert on rules: https://groups.google.com/forum/#!topic/ossec-list/u4uXvPnGhQ4

I am a little perplexed because everything else seems to be working.

Troubleshooting: I am trying to log in to the mysql-server with an invalid username or password. The error message should read "Access denied for user".

1. I see these lines in /var/log/mysql/error.log
2. I have enabled debugging level 2 and see that the agent is collecting logs for /var/logs/mysql/error.log
3. On the server, I have included the rules file mysql_rules
4. On the agent in agent.conf, I have included the lines:

   <localfile>
     <log_format>mysql_log</log_format>
     <location>/var/log/mysql/error.log</location>
   </localfile>

5. I have restarted both server and agent multiple times
6. I receive real-time monitoring alerts on file changes and sudo open/closed sessions
7. I receive alerts from the default setup about failed ssh access attempts but not mysql
8. It's strange that I get some alerts about sudo access (level 3) and ssh access attempts (level 5) but not file changes (I guess this is separate, unless there is a delay for mysql rules I'm not aware of).

Did I miss something to enable mysql alerts?
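A local check a reader of this thread might run while the OSSEC side is being debugged, added here as an example that is not part of the post or of OSSEC: it scans constructed MySQL error-log lines (the 5.7-style timestamped layout is an assumption) for the "Access denied for user" message the poster expects, and reports sources that repeat it, which is the failed-login activity the mysql_rules file is meant to alert on.

```python
import re
from collections import defaultdict

# Constructed sample lines in the MySQL 5.7+ error-log layout (assumed format);
# they are not taken from the poster's server.
SAMPLE_LOG = """\
2019-03-04T10:15:01.000000Z 7 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-03-04T10:15:02.000000Z 8 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-03-04T10:15:03.000000Z 9 [Note] Access denied for user 'app'@'10.0.0.9' (using password: NO)
2019-03-04T10:15:04.000000Z 10 [Note] InnoDB: Buffer pool(s) load completed
2019-03-04T10:15:05.000000Z 11 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
"""

# Matches only the message body, so the line prefix (timestamp, thread id,
# severity) can vary between MySQL versions without breaking the match.
ACCESS_DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?: \(using password: (?P<pw>YES|NO)\))?"
)


def parse_access_denied(lines):
    """Return one event dict per 'Access denied for user' line."""
    events = []
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            events.append({
                "user": m.group("user"),
                "host": m.group("host"),
                "password_supplied": m.group("pw") == "YES",
                "raw": line.rstrip(),
            })
    return events


def repeated_sources(events, threshold=3):
    """Map (host, user) -> count for pairs seen at least `threshold` times."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["host"], e["user"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evs = parse_access_denied(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} access-denied events")
    for (host, user), n in repeated_sources(evs).items():
        print(f"{n} failures for '{user}' from {host}")
```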