<!-- @(#) $Id: ./etc/rules/mysql_rules.xml, 2011/09/08 dcid Exp $
  -
  -  Official MySQL rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
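<!-- MYSQL Log messages -->
<!--
  Rules for events decoded as mysql_log. Rule 50100 is the parent that
  groups every decoded event; the other rules chain from it (directly or
  through another child) with <if_sid>, so a child rule is only evaluated
  when its parent has matched. Each <rule> element is explicitly closed so
  the group is well-formed.
-->
<group name="mysql_log,">

  <!-- Parent rule. Level 0: groups the events, not meant to alert itself. -->
  <rule id="50100" level="0">
    <decoded_as>mysql_log</decoded_as>
    <description>MySQL messages grouped.</description>
  </rule>

  <!-- "Connect" lines of the query log, recorded as a successful login. -->
  <rule id="50105" level="3">
    <if_sid>50100</if_sid>
    <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
    <description>Database authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <!--
    Child of 50105: a Connect line that also contains "Access denied for
    user" is reported as a failure (level 9) instead of a success.
    NOTE(review): this file defines no frequency-based rule over 50106, so
    repeated failed logins are reported one at a time here. The
    authentication_failed group tag is presumably what lets group-based
    correlation rules in other rule files pick these events up; confirm
    that such a rule is loaded.
  -->
  <rule id="50106" level="9">
    <if_sid>50105</if_sid>
    <match>Access denied for user</match>
    <description>Database authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- "Query" lines are classified but kept at level 0. -->
  <rule id="50107" level="0">
    <if_sid>50100</if_sid>
    <regex>^MySQL log: \d+ \S+ \d+ Query</regex>
    <description>Database query.</description>
  </rule>

  <!-- "Quit" lines: the client closed its session. -->
  <rule id="50108" level="3">
    <if_sid>50100</if_sid>
    <regex>^MySQL log: \d+ \S+ \d+ Quit</regex>
    <description>User disconnected from database.</description>
  </rule>

  <!--
    Server shutdown. Level 12 is the highest level used in this group
    (shared with 50126), so a shutdown is treated as an availability event.
  -->
  <rule id="50120" level="12">
    <if_sid>50100</if_sid>
    <match>mysqld ended|Shutdown complete</match>
    <description>Database shutdown message.</description>
    <group>service_availability,</group>
  </rule>

  <!-- Server start or restart; low level, same availability group. -->
  <rule id="50121" level="3">
    <if_sid>50100</if_sid>
    <match>mysqld started|mysqld restarted</match>
    <description>Database startup message.</description>
    <group>service_availability,</group>
  </rule>

  <!--
    Error lines. Parent of 50126 and the source for the composite 50180.
    NOTE(review): OSSEC's regex syntax is not POSIX/PCRE; [ERROR] is
    expected to match the literal bracketed tag, not a character class.
    Confirm against the regex documentation of the deployed version.
  -->
  <rule id="50125" level="5">
    <if_sid>50100</if_sid>
    <regex>^MySQL log: \d+ \S+ \d+ [ERROR]</regex>
    <description>Database error.</description>
  </rule>

  <!-- Child of 50125: an error line that contains "Fatal error:". -->
  <rule id="50126" level="12">
    <if_sid>50125</if_sid>
    <match>Fatal error:</match>
    <description>Database fatal error.</description>
    <group>service_availability,</group>
  </rule>

  <!--
    Composite rule over 50125: escalates to level 10 when the frequency
    threshold (6) is reached within the timeframe (120 seconds); ignore="60"
    then suppresses this rule for 60 seconds to limit repeated alerts.
    NOTE(review): the exact number of matching events that "frequency"
    implies depends on the OSSEC version; verify before tuning.
  -->
  <rule id="50180" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>50125</if_matched_sid>
    <description>Multiple database errors.</description>
    <group>service_availability,</group>
  </rule>

</group> <!-- MYSQL -->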