-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathpostgresql.cfg
98 lines (84 loc) · 2.47 KB
/
postgresql.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# Alienvault plugin
# Author: Alienvault Team at devel@alienvault.com
# Plugin postgresql id:1851 version: 0.0.1
# Last modification: 2017-03-08 14:00
#
# Plugin Selection Info:
# PostgreSQL GDG:postgresql:-
#
# END-HEADER
#
# Description:
#
#
#
[DEFAULT]
plugin_id=1851
[config]
type=detector
enable=yes
source=log
location=/var/log/postgresql.log
create_file=true
process=
start=no
stop=no
startup=
shutdown=
[translation]
# Rule 9998
duration = 20000000
parameters = 20000000
checkpoint starting = 20000000
checkpoint complete = 20000000
execute = 3
# Default
_DEFAULT_=20000000
#########################
# RULES #
#########################
[0001 - Postgresql - MultiLine:Connection]
event_type=event
precheck="connection received"
regexp="(?P<date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+[^:]+:(?P<src_ip>[^(]+)\((?P<src_port>\d+)\):\[unknown\]@\[unknown\]:\[(?P<pid>\d+)\]:LOG:\s+connection received.*\n\d+-\d+-\d+\s+\d+:\d+:\d+(?:[^:]+:){5}\s+connection authorized:\s+user=(?P<username>\S+)\s+database=(?P<database>\S+)\s+(?P<ssl>[^(]+)\(protocol=(?P<protocol>[^,]+), cipher=(?P<cipher>[^,]+),\s+compression=(?P<compression>on|off)\)"
date={normalize_date($date)}
plugin_sid=1
src_ip={$src_ip}
src_port={$src_port}
username={$username}
protocol={$protocol}
userdata1={$database}
userdata2={$pid}
userdata3={$ssl}
userdata4={$cipher}
userdata5={$compression}
[0002 - Postgresql - SingleLine:Disconnection]
event_type=event
precheck="disconnection"
regexp="(?P<date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+[^:]+:(?P<src_ip>[^(]+)\((?P<src_port>\d+)\):[^@]+@[^:]+:\[(?P<pid>\d+)\]:LOG:\s+disconnection:\s+session time:\s+(?P<session_time>\S+)\s+user=(?P<username>\S+)\s+database=(?P<database>\S+)"
date={normalize_date($date)}
plugin_sid=2
src_ip={$src_ip}
src_port={$src_port}
username={$username}
userdata1={$database}
userdata2={$pid}
userdata3={$session_time}
# Generic:
[9998 - Postgresql - Generic event]
event_type=event
#precheck=
regexp="(?P<date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+[^:]+:(?:(?P<src_ip>[^(]+)\((?P<src_port>\d+)\))?:(?P<username>[^@]*?)@(?P<database>[^:]*?):\[(?P<pid>\d+)\]:(?:LOG|DETAIL):\s+(?P<sid>duration|execute|parameters|checkpoint (?:complete|starting)|statement)(?:\s+(?P<statement_name>\S+):)?"
date={normalize_date($date)}
plugin_sid={translate($sid)}
src_ip={$src_ip}
src_port={$src_port}
username={$username}
userdata1={$database}
userdata2={$pid}
userdata3={$statement_name}
[9999 - Postgresql - Query Catcher]
event_type=event
#precheck=
regexp="^\s+.*$"
plugin_sid=20000000