ArcSight FlexConnector for parsing the OSSEC Database

  1. #SDK DB Properties for OSSEC v2.4
  2. #ID Based DB
  3. #Change to TB based DB for OSSEC v2.5
  4. #Author: Chris Botelho - chris@erroredsecurity.com
  5. #Version 1.2 - 7/7/2011
  6. #Released under GPL v3.0 - http://www.gnu.org/licenses/gpl-3.0.txt
  7.  
  8. version.order=1
  9. version.id=2.4.1
  10. version.query=select version from server
  11.  
  12. query=select alert.id as alert_id, (CASE SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,' ',-1),'->',1) REGEXP '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' WHEN 1 \
  13. THEN SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,' ',-1),'->',1) WHEN 0 THEN '' END) AS address, TRIM(LEADING'(' FROM \
  14. SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,')',1),'->',1)) AS host, SUBSTRING_INDEX(SUBSTRING_INDEX(location.name,'->',-1),'->',1) AS logtype, \
  15. (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',2),'`',-1) WHEN 0 THEN '' END) AS file_changed, \
  16. (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',4),'`',-1) WHEN 0 THEN '' END) AS old_size, \
  17. (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',6),'`',-1) WHEN 0 THEN '' END) AS new_size, \
  18. (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',12),'`',-1) WHEN 0 THEN '' END) AS oldsha1, \
  19. (CASE data.full_log REGEXP '^Integrity.*' WHEN 1 THEN SUBSTRING_INDEX(SUBSTRING_INDEX(full_log,'`',14),'`',-1) WHEN 0 THEN '' END) AS newsha1, \
  20. alert.rule_id as rule_id, from_unixtime(alert.timestamp) AS timestamp, alert.src_ip as src_ip, alert.dst_ip as dst_ip, \
  21. alert.src_port as src_port, alert.dst_port as dst_port, server.hostname as hostname, from_unixtime(server.last_contact) as last_contact, \
  22. server.version as version, data.user as user, signature.description as description, signature.level as level, data.full_log as full_log \
  23. FROM alert JOIN location ON alert.location_id=location.id JOIN server ON alert.server_id = server.id JOIN data ON alert.id = data.id JOIN signature \
  24. ON alert.rule_id = signature.rule_id \
  25. WHERE alert.id > ? \
  26. ORDER BY alert.id
  27.  
  28. #required fields
  29. timestamp.field=timestamp
  30. id.field=alert_id
  31. #uniqueid.fields=alert_id
  32. maxid.query=select max(alert.id) from alert
  33.  
  34. #event mappings
  35. event.name=description
  36. event.deviceAddress=address
  37. event.deviceHostName=host
  38. event.deviceFacility=logtype
  39. event.externalId=alert_id
  40. event.deviceEventClassId=rule_id
  41. event.sourceAddress=src_ip
  42. event.destinationAddress=dst_ip
  43. event.sourcePort=src_port
  44. event.destinationPort=dst_port
  45. event.deviceCustomString1=user
  46. event.deviceCustomString1Label=__stringConstant("Device Username")
  47. event.deviceSeverity=level
  48. event.deviceCustomDate1=last_contact
  49. event.deviceCustomDate1Label=__stringConstant("Last Time Device Connected")
  50. event.deviceVersion=version
  51. event.deviceVendor=__stringConstant("OSSEC")
  52. event.deviceProduct=__stringConstant("OSSEC HIDS")
  53. event.rawEvent=full_log
  54. event.deviceCustomString2=hostname
  55. event.deviceCustomString2Label=__stringConstant("OSSEC Server Hostname")
  56.  