I just wanted to reply to this thread since it was related to the issues I ran into upgrading from OSSEC 2.4 to 3.2 (yep, I know) - I did a search for all files in analogi with SELECT, then filtered by "data." and replaced "data." with "alert." (including that period).
1. File ./php/index_graph.php:
if(mysql_query("SELECT 1 from agent", $db_ossec)
&& mysql_query("SELECT 1 from alert", $db_ossec)
&& mysql_query("SELECT 1 from category", $db_ossec)
--> /*&& mysql_query("SELECT 1 from data", $db_ossec) */
&& mysql_query("SELECT 1 from location", $db_ossec)
&& mysql_query("SELECT 1 from server", $db_ossec)
&& mysql_query("SELECT 1 from signature", $db_ossec)
&& mysql_query("SELECT 1 from signature_category_mapping", $db_ossec)){
$databaseschema="yes";
}else{
//$databaseschema="yes";
$problem=1;
$databaseschema="no!<br/>";
$databaseschema.=" Fix - Import the MySQL schema that comes with OSSEC";
}
//if(checktable('alert') && checktable('data') && checktable('location') && checktable('signature')){
--> if(checktable('alert') && checktable('location') && checktable('signature')){
$anydata="yes";
}else{
$problem=1;
$anydata="no!<br/>";
$anydata.=" Fix - Ensure agents are logging data.";
}
2. File ./detail.php in VI: (find and replace 'data.' with 'alert.')
:%s/data\./alert\./g
I did however completely replace my DB since the schema wasn't updating properly from the installer of 3.2 (bug?)
3. From file: databasetest.php: (comment this all out)
/*$query="SELECT count(id) as res_count
 FROM data";
if($result=mysql_query($query, $db_ossec)){
$row = @mysql_fetch_assoc($result);
if(!$row['res_count']>0){
echo "
alert(\"Connected to database ok, but no data found. Ensure OSSEC is logging to your database.\");";
}
}else{
echo "
alert(\"Problems checking database for information\");";
}*/
4. From file: management.php:
Comment out two times:
// $query="OPTIMIZE TABLE data;";
// mysql_query($query, $db_ossec);
// $query="OPTIMIZE TABLE data;";
// mysql_query($query, $db_ossec);
Update the delete SQL syntax in two locations as well:
/*$querydelete="DELETE alert, data FROM alert
LEFT JOIN signature ON alert.rule_id=signature.rule_id
WHERE ".$where;*/
$querydelete="DELETE alert FROM alert
LEFT JOIN signature ON alert.rule_id=signature.rule_id
WHERE ".$where;
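An added example, not part of the original post or of AnaLogi: a small checker that reports live (uncommented) references to the old `data` table in PHP source, covering the kinds of statement edited above. The names `find_data_refs` and `strip_comments`, the sample input, and the `full_log` column in it are constructed for illustration; `#` comments and heredocs are not handled.

```python
import re

# Strings are matched too, so "//" inside a literal is not taken for a comment.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|/\*.*?\*/|//[^\n]*''', re.S)

# One pattern per kind of `data` table reference edited by hand in the post.
PATTERNS = {
    "column qualifier": re.compile(r"(?<![\w$>])data\.(?=[A-Za-z_])"),
    "FROM/JOIN": re.compile(r"\b(?:FROM|JOIN)\s+data\b", re.I),
    "multi-table DELETE": re.compile(r"\bDELETE\s+(?:\w+\s*,\s*)*data\b", re.I),
    "OPTIMIZE TABLE": re.compile(r"\bOPTIMIZE\s+TABLE\s+data\b", re.I),
    "checktable": re.compile(r"checktable\(\s*['\"]data['\"]\s*\)"),
}

# Constructed sample resembling the unpatched code (not copied from AnaLogi).
SAMPLE_BEFORE = r'''<?php
if(checktable('alert') && checktable('data') && checktable('location')){ $anydata="yes"; }
$query="SELECT count(id) as res_count
    FROM data";
$q2="SELECT data.full_log FROM alert LEFT JOIN data ON alert.id=data.id";
$query="OPTIMIZE TABLE data;";
$querydelete="DELETE alert, data FROM alert
    LEFT JOIN signature ON alert.rule_id=signature.rule_id
    WHERE ".$where;
$metadata.=" unrelated"; // data.full_log mentioned only in a comment
'''

def strip_comments(src):
    """Blank out // and /* */ comments, keeping newlines so line numbers hold."""
    def blank(match):
        text = match.group(0)
        return re.sub(r"[^\n]", " ", text) if text.startswith("/") else text
    return TOKEN.sub(blank, src)

def find_data_refs(src):
    """Return sorted (line, kind) pairs for live references to the data table."""
    live = strip_comments(src)
    hits = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(live):
            hits.add((live.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)

if __name__ == "__main__":
    for line, label in find_data_refs(SAMPLE_BEFORE):
        print(f"line {line}: {label}")
```

Running it over each file after the edits should report nothing; a hit such as `$metadata.` is deliberately not matched, which a blanket `s/data\./alert\./g` would have rewritten.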