MySQL Logs


Jesus Cazares

Oct 19, 2017, 3:30:14 PM
to Wazuh mailing list
Hi.

I have Kibana 5.6.3 running on VMware on a Debian 9 OS, and I also installed the Wazuh agent and MySQL on the local machine running Windows 7 Enterprise. I know Wazuh has default rules and decoders for MySQL, but I can't see any MySQL logs/activity in Kibana.

Could you please assist?

Regards.

Jesus Cazares

Javier Castro

Oct 19, 2017, 6:26:47 PM
to Jesus Cazares, Wazuh mailing list
Hi Jesús,

You don't see any activity in Kibana at all? Or is it just specific to the MySQL thing?

You can search in the Discover tab in Kibana, and be sure to select a time range that actually has alerts in it.

Regards.


alberto....@wazuh.com

Oct 19, 2017, 8:26:16 PM
to Wazuh mailing list
Hello Jesús

In order to narrow down your problem, it could be helpful to verify the following:

- In your Windows Agent, please verify the config file as follows: open Wazuh Agent Manager, click on View, View config, and you should see a configuration like this:

  <localfile>
    <location>C:\Users\MyUser\AppData\Roaming\MySQL\Folder_of_logs\log\name_of_log.log</location>
    <log_format>syslog</log_format>
  </localfile>

- In your Windows Agent, please verify the log file as follows: open Wazuh Agent Manager, click on View, View Logs, and on the last line of the file you should see a line like this:

2017/10/19 16:46:35 ossec-logcollector(1950): INFO: Analyzing file: 'C:\Users\MyUser\AppData\Roaming\MySQL\Folder_of_logs\log\name_of_log.log'.

Please verify that there are no errors in the log file. Also, it's necessary to verify that the agent is correctly connected to the manager. A line like the following one must appear in the log file:

2017/10/19 16:46:35 ossec-agentd(4102): INFO: Connected to the server (192.168.1.50:1514).

- If the previous steps are correct, please verify the status of the Elastic Stack services:

(only if you are using it in a distributed configuration, check filebeat)

  service filebeat status
  service logstash status
  service elasticsearch status
  service kibana status

All of them have to return a green state as active. 

Additionally, you can verify in the following link if the log that you're expecting to receive is included:


If you share the log, we can help you determine what alerts must appear in your Kibana.

Hope it helps.
Best regards,

Alberto R. 

Jesus Cazares

Oct 31, 2017, 4:33:38 PM
to Wazuh mailing list
Thank you all, and sorry for the late response. I can't see any activity from MySQL. I will try and let you know the results.

Jesus Cazares

Nov 14, 2017, 2:30:52 PM
to Wazuh mailing list
Hi.

I'm getting the following errors:

2017/11/14 13:27:03 ossec-agent: ERROR: (1115): Could not read from file 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log' due to [(9)-(Bad file descriptor)].
2017/11/14 13:27:07 ossec-agent: ERROR: (1115): Could not read from file 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log' due to [(9)-(Bad file descriptor)].
2017/11/14 13:27:11 ossec-agent: ERROR: (1115): Could not read from file 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log' due to [(9)-(Bad file descriptor)].
2017/11/14 13:27:12 ossec-agent: WARNING: Agent buffer at 90 %.
2017/11/14 13:27:12 ossec-agent: WARNING: Agent buffer is full: Events may be lost.
ossec.log

alberto....@wazuh.com

Feb 23, 2018, 6:50:57 AM
to Wazuh mailing list
Hello Jesus

Sorry for the late response. I'm trying to reproduce your error, but the files I have in my folder C:\ProgramData\MySQL\MySQL Server 5.7\Data\ are being read normally (a log file named after my computer). Could you please tell me what type of log LSTKAG47188.log is? Following the file creation step by step could give us more clues. Normally, Bad file descriptor means that the file could not be opened for some reason. Please send us your ossec.conf; only the location file part would be fine.

Best regards, 
Alberto R. 
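
The checks discussed in this thread (the "Analyzing file" line, the "Connected to the server" line, the 1115 read errors and the agent buffer warnings) can be run over an agent's ossec.log in one pass. This is an added example, not part of the original thread and not Wazuh's own code; the function names are hypothetical and the sample lines are constructed from the log lines quoted above.

```python
import re
from collections import Counter

# Patterns follow the ossec.log lines quoted in the thread. The daemon name is
# not matched, because it differs between the lines quoted (ossec-logcollector,
# ossec-agentd, ossec-agent).
ANALYZING = re.compile(r"\(1950\): INFO: Analyzing file: '(.+)'")
CONNECTED = re.compile(r"\(4102\): INFO: Connected to the server \((.+)\)")
READ_ERR = re.compile(r"ERROR: \(1115\): Could not read from file '(.+)' due to \[(.+)\]")
BUFFER = re.compile(r"WARNING: Agent buffer (at \d+ %|is full)")

def triage(lines):
    """Collect the facts the thread asks the user to verify by hand."""
    report = {"analyzing": [], "manager": None,
              "read_errors": Counter(), "buffer_warnings": 0}
    for line in lines:
        if m := ANALYZING.search(line):
            report["analyzing"].append(m.group(1))
        elif m := CONNECTED.search(line):
            report["manager"] = m.group(1)
        elif m := READ_ERR.search(line):
            report["read_errors"][(m.group(1), m.group(2))] += 1
        elif BUFFER.search(line):
            report["buffer_warnings"] += 1
    return report

def findings(report, expected_file):
    """Turn the report into the problems that explain missing alerts."""
    out = []
    if expected_file not in report["analyzing"]:
        out.append("logcollector never reported analyzing " + expected_file)
    if report["manager"] is None:
        out.append("no 'Connected to the server' line found")
    for (path, reason), count in report["read_errors"].items():
        out.append(f"{count} read error(s) on {path}: {reason}")
    if report["buffer_warnings"]:
        out.append(f"{report['buffer_warnings']} agent buffer warning(s): events may be lost")
    return out

MYSQL_LOG = r"C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log"
# Constructed sample, assembled from lines quoted in the thread.
SAMPLE = r"""2017/11/14 13:26:59 ossec-agentd(4102): INFO: Connected to the server (192.168.1.50:1514).
2017/11/14 13:27:00 ossec-logcollector(1950): INFO: Analyzing file: 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log'.
2017/11/14 13:27:03 ossec-agent: ERROR: (1115): Could not read from file 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log' due to [(9)-(Bad file descriptor)].
2017/11/14 13:27:07 ossec-agent: ERROR: (1115): Could not read from file 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log' due to [(9)-(Bad file descriptor)].
2017/11/14 13:27:11 ossec-agent: ERROR: (1115): Could not read from file 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\LSTKAG47188.log' due to [(9)-(Bad file descriptor)].
2017/11/14 13:27:12 ossec-agent: WARNING: Agent buffer at 90 %.
2017/11/14 13:27:12 ossec-agent: WARNING: Agent buffer is full: Events may be lost.""".splitlines()

if __name__ == "__main__":
    for finding in findings(triage(SAMPLE), MYSQL_LOG):
        print(finding)
```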