MySQL | MariaDB | Multi-Line Logs | Queries

[John Carry]

Dear Wazuh Team,

Hopefully you are doing great, we are currently integrating few of Database Servers to our Wazuh Solution, we are observing below log files under /var/log/mysql..

All other Log files are single line output and the Log-Test shows that they have supported out-of-the-box Decoders and Rules, but the problem lies with general.log that have multi-line output along with SQL queries (Mentioned Below).  I have checked the with Log-Test but unable to find any supported Decoder or Rule.

You are requested to help with below mentioned points:

1) Assist with Decoders or Rules or share if anyone from community had ever contributed.

2) What Log-format should be used while integrating general.log via <local_file> configuration?

[Federico Ramos]

Hi John

Thank you for reaching out to us. For the multi-line output in general.log, we recommend using the 'regex' decoder to extract the relevant information.

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

[John Carry]

Thanks Federico for your response and that means that the Wazuh doesn't have decoders and rules by default supported for Multi-Line Output ?

[John Carry]

Dear, waiting for your response.

[Federico Ramos]

Sorry for the delay in response. Here are some steps that helped other users to integrate MySQL, please let me know if it helps

First, we apply this configuration in the /var/ossec/etc/ossec.conf to monitor the MySQL log:

```

<localfile>

    <log_format>syslog</log_format>

    <location>/var/log/mysql/mysql_general.log</location>

</localfile>

```

Restart the wazuh-agent or wazuh-manager (depending on where you are configuring) to apply the configuration:

systemctl restart wazuh-agent

Note: Please note, that in this case we are, going to use syslog as log format.

Now, let’s add the following custom decoder that will allow us to decode the mysql log format you have shared. Add the following decoder in /var/ossec/etc/decoders/local_decoder.xml of wazuh-manager.

```

<decoder name="custom_mysql">

   <prematch>\d+\s\w+\s+</prematch>

   <regex>\s+(\d+)\s(\w+)\s+(\w\.*)</regex>

   <order>code, _action, command</order>

</decoder>

```

Note: The name action is reserved, therefore \_action has been used.

Next, we are going to create a rule that allows us to generate an alert for the cases in which the log corresponds to a query (when the field decoded as \_action corresponds to the Query value. For that, we add the following alert in the file /var/ossec/etc/rules/local_rules.xml.

```

<group name="mysql,">

    <rule id="100150" level="3">

        <decoded_as>custom_mysql</decoded_as>

        <field name="_action">Query</field>

        <description>The following query '$(command)' was run</description>

    </rule>

</group>

```

Now, we restart the wazuh-manager to apply the changes in the decoders and rules:

```

systemctl restart wazuh-manager

```

[John Carry]

I think there is some confusion in understanding the issue, I am talking about how to handle "Multi-line output" logged in general logs, screenshot is already shared,  I have opened another case and would request to go through it ...
You can find the case with subject " MSSQL | Multiline Output"