[ossec-list] ossec2mysql design question
Hi,
Just set up the ossec2mysql perl daemon that ships in the contrib
directory and it seems to work correctly. I don't use Snort or
BASE. I'd like to try using it to generate SQL-based reports, easy
querying, and long-term archiving. It looks like it puts the entire
alert content into a single column "data_payload" in the "data" table
however, rather than breaking out the various decoded fields into
their own columns (i.e. time/date, hostname, program_name, user,
srcip, dstip, url, action, status, log, etc etc as well) although
rule_id can be derived by joining with the "event" and "signature"
tables. It seems to me the big win of using an RDBMS to store the
information is so that one can model the attributes in separate
columns for advanced querying. Is there a reason it doesn't do this,
or is this just a feature not yet implemented waiting for some good
soul to do it :) ?
Thanks,
~Josh
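As an added illustration (not code from the post or from the ossec2mysql contrib script) of what "breaking out the decoded fields" would involve: the parser below splits one alert text, as stored whole in data_payload, into the columns the post lists. The alerts.log layout it expects and the sample alert are assumed/constructed, not taken from the page.

```python
import re
from typing import Any, Dict, List

# Constructed sample alert in the assumed alerts.log layout (not from the post).
SAMPLE_ALERT = """** Alert 1356998400.12345: mail - syslog,sshd,authentication_failed,
2013 Jan 01 00:00:00 (webserver) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Jan  1 00:00:00 webserver sshd[1234]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<alert_id>[\d.]+):(?P<flags>.*?) - (?P<groups>.*)$")
# Origin line: "(agent) ip->location" for agents, "hostname->location" for the manager itself.
ORIGIN_RE = re.compile(
    r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<local>\S+))->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")
KV_RE = re.compile(r"^(?P<key>Src IP|Dst IP|User|Src Port|Dst Port): (?P<value>.*)$")
KEY_TO_COLUMN = {"Src IP": "srcip", "Dst IP": "dstip", "User": "user",
                 "Src Port": "srcport", "Dst Port": "dstport"}
COLUMNS = ("alert_id", "groups", "time", "hostname", "agent_ip", "location",
           "rule_id", "level", "description", "srcip", "dstip", "user",
           "srcport", "dstport", "log")

def parse_alert(payload: str) -> Dict[str, Any]:
    """Split one alert text (what ossec2mysql keeps whole in data_payload) into columns."""
    row: Dict[str, Any] = {c: None for c in COLUMNS}
    log_lines: List[str] = []
    for line in payload.splitlines():
        if not line.strip():
            continue
        if (m := HEADER_RE.match(line)):
            row["alert_id"] = m["alert_id"]
            row["groups"] = m["groups"].rstrip(",")      # header ends with a trailing comma
        elif (m := ORIGIN_RE.match(line)):
            row["time"] = m["time"]
            row["hostname"] = m["agent"] or m["local"]    # agent name or manager hostname
            row["agent_ip"] = m["agent_ip"]               # None when the manager logged it
            row["location"] = m["location"]
        elif (m := RULE_RE.match(line)):
            row["rule_id"], row["level"] = int(m["rule_id"]), int(m["level"])
            row["description"] = m["description"]
        elif not log_lines and (m := KV_RE.match(line)):  # decoded fields precede the log
            row[KEY_TO_COLUMN[m["key"]]] = m["value"]
        elif row["rule_id"] is not None:                  # everything after is the raw log
            log_lines.append(line)
    row["log"] = "\n".join(log_lines) or None
    return row
```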
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.