This blog post should help everybody who wants to integrate the free (community) version of the MySQL database with NetWitness for Logs. This blog does NOT describe auditing of the MySQL database itself. Instead, the procedure applies to applications that store their events in a MySQL database.
As we do not provide the drivers for that version, they have to be downloaded from http://dev.mysql.com/downloads/connector/odbc/
Make sure to get the tar.gz version for EL6. The version downloaded at the time of writing was mysql-connector-odbc-5.3.4-linux-el6-x86-64bit.tar.gz:
Enabling MySQL collection
To enable MySQL collection perform the following steps:
- Untar the file obtained from the MySQL website and copy the ODBC driver to the SA ODBC drivers folder:
- This is the structure of my example database on 192.168.2.200 Port 3306:
- Create the database DSN in Administration > Services > LogCollector > View > Config > Event Sources.
- The names for the parameters are different from the names of our default drivers. The following values have to be set:
| Parameter | Value |
|-----------|-------|
| SERVER | Database server IP |
| PORT | Database server listening port |
In my example:
- Now create the type specification (mine is named mysql_audit.xml) for your database in /etc/netwitness/ng/logcollection/content/collection/odbc/. My example would require the following specification:
- Next create a parser to match this specification in /etc/netwitness/ng/envision/etc/devices/yourDeviceName. My simple example looks as follows:
- Finally add the category (name as chosen in your typespec file) and database to the Event Sources and start the ODBC collection:
Testing MySQL collection
To test MySQL collection:
- Wait for new events to arrive in the database. In my test database I created two events manually:
- Wait for the ODBC collection to get those events. You can verify collection in /var/log/messages:
Aug 7 15:30:22 ld nw: [OdbcCollection] [info] [mysql_audit.SQL_Audit] [processing] [SQL_Audit] [processing] Published 2 ODBC events: last tracking id: 8
- The events can now be found in the Investigator with the defined meta generated:
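The following added example (not code from the original post, and not NetWitness product code) illustrates the mechanism behind the type specification, the parser and the log line above: the collector runs the data query bounded by a tracking column, so each poll returns only rows with an id above the last published tracking id, renders each row as a delimited event, and the parser splits that event into meta. SQLite stands in for the MySQL database reached over ODBC, and the table name, column names and sample rows are constructed assumptions, not the post's schema.

```python
import sqlite3

# Constructed stand-in for the MySQL audit table (assumed schema).
SCHEMA = """
CREATE TABLE sql_audit (
    id         INTEGER PRIMARY KEY,
    event_time TEXT NOT NULL,
    username   TEXT NOT NULL,
    action     TEXT NOT NULL,
    detail     TEXT
);
"""

# Constructed sample rows: id 6 was published on an earlier poll,
# ids 7 and 8 are the "two events created manually" in the test.
SAMPLE_ROWS = [
    (6, "2014-08-07 15:20:01", "appuser", "login", "success"),
    (7, "2014-08-07 15:29:10", "appuser", "update", "account 42"),
    (8, "2014-08-07 15:29:55", "admin", "login", "failure"),
]

# Equivalent of the typespec data query: bounded by the tracking column
# and ordered by it, so the highest id in the result becomes the new
# tracking id. The tracking column must be monotonically increasing;
# otherwise rows inserted with a lower id than the last published one
# are never collected.
DATA_QUERY = (
    "SELECT id, event_time, username, action, detail "
    "FROM sql_audit WHERE id > ? ORDER BY id"
)
DELIMITER = "||"
FIELDS = ["event_id", "event_time", "username", "action", "detail"]


def build_db():
    """Create the in-memory stand-in database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sql_audit VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def poll(conn, last_tracking_id):
    """One collection cycle: fetch rows newer than the last tracking id and
    render each row as a delimited event string, as the collector hands
    rows to the parser. Returns (events, new_last_tracking_id)."""
    rows = conn.execute(DATA_QUERY, (last_tracking_id,)).fetchall()
    events = [DELIMITER.join(str(col) for col in row) for row in rows]
    new_last = rows[-1][0] if rows else last_tracking_id
    return events, new_last


def parse_event(event):
    """Parser counterpart: split one delimited event into named meta."""
    values = event.split(DELIMITER)
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(values))
    meta = dict(zip(FIELDS, values))
    meta["event_id"] = int(meta["event_id"])
    return meta


def summary_line(published, last_tracking_id):
    """Mimic the message format seen in /var/log/messages."""
    return "Published %d ODBC events: last tracking id: %d" % (
        published, last_tracking_id)


if __name__ == "__main__":
    db = build_db()
    evts, last = poll(db, 6)       # first poll after id 6 was published
    print(summary_line(len(evts), last))
    for e in evts:
        print(parse_event(e))
    evts, last = poll(db, last)    # nothing new on the next poll
    print(summary_line(len(evts), last))
```

Running the block prints the two new events with their meta followed by "Published 2 ODBC events: last tracking id: 8", then "Published 0 ODBC events: last tracking id: 8" for the idle poll, which matches the behaviour of the log line shown above.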