wazuh / wazuh-agent

The Wazuh agent for endpoints.
https://wazuh.com
GNU Affero General Public License v3.0

Fix for mysql 8.x query logging #53

Open LinU777 opened 4 months ago

LinU777 commented 4 months ago

| 4.8.1 | Logcollector - mysql_log | Agent | --- | Linux |

Hello.

In MySQL server version 8.4.1 (I suspect in all 8.x versions too), the query log has a tab right after the timestamp (log in attachment).

query.log

But the message validation checks only for a space (line 122): https://github.com/wazuh/wazuh-agent/blob/2e26b62e463699c2b1dc6ed18e0a53778233f4c4/src/modules/logcollector/src/read_mysql_log.c#L113-L146

To check for tab also:

```c
else if ((str_len > 35) &&
               (str[4] == '-') &&
               (str[7] == '-') &&
               (str[10] == 'T') &&
               (str[13] == ':') &&
               (str[16] == ':') &&
               (str[19] == '.') &&
               ((str[26] == '-') || (str[26] == '+')) &&
               (str[29] == ':') &&
               ((str[32] == ' ') || (str[32] == '\t')) &&
               isdigit((int)str[0]) &&
               isdigit((int)str[1]) &&
               isdigit((int)str[2]) &&
               isdigit((int)str[3]) &&
               isdigit((int)str[5]) &&
               isdigit((int)str[6]) &&
               isdigit((int)str[8]) &&
               isdigit((int)str[9]) &&
               isdigit((int)str[11]) &&
               isdigit((int)str[12]) &&
               isdigit((int)str[14]) &&
               isdigit((int)str[15]) &&
               isdigit((int)str[17]) &&
               isdigit((int)str[18]) &&
               isdigit((int)str[20]) &&
               isdigit((int)str[21]) &&
               isdigit((int)str[22]) &&
               isdigit((int)str[23]) &&
               isdigit((int)str[24]) &&
               isdigit((int)str[25]) &&
               isdigit((int)str[27]) &&
               isdigit((int)str[28]) &&
               isdigit((int)str[30]) &&
               isdigit((int)str[31])) {
```

Same for UTC format (line 174): https://github.com/wazuh/wazuh-agent/blob/2e26b62e463699c2b1dc6ed18e0a53778233f4c4/src/modules/logcollector/src/read_mysql_log.c#L166-L194

Fix:

```c
else if ((str_len > 30) &&
              (str[4] == '-') &&
              (str[7] == '-') &&
              (str[10] == 'T') &&
              (str[13] == ':') &&
              (str[16] == ':') &&
              (str[19] == '.') &&
              (str[26] == 'Z') &&
              ((str[27] == ' ') || (str[27] == '\t')) &&
              isdigit((int)str[0]) &&
              isdigit((int)str[1]) &&
              isdigit((int)str[2]) &&
              isdigit((int)str[3]) &&
              isdigit((int)str[5]) &&
              isdigit((int)str[6]) &&
              isdigit((int)str[8]) &&
              isdigit((int)str[9]) &&
              isdigit((int)str[11]) &&
              isdigit((int)str[12]) &&
              isdigit((int)str[14]) &&
              isdigit((int)str[15]) &&
              isdigit((int)str[17]) &&
              isdigit((int)str[18]) &&
              isdigit((int)str[20]) &&
              isdigit((int)str[21]) &&
              isdigit((int)str[22]) &&
              isdigit((int)str[23]) &&
              isdigit((int)str[24]) &&
              isdigit((int)str[25])) {
```

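
The two timestamp checks proposed above, written as one table-driven validator. This is an added example, not part of the issue thread and not Wazuh's code: `match_mask`, `mysql_ts_payload_offset` and the mask syntax are hypothetical, and the sample log lines are constructed. Unlike the snippets above, it casts to `unsigned char` before `isdigit` and requires only one byte after the separator.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mask syntax: 'd' digit, 's' '+' or '-', 'w' space or tab,
 * any other character must match literally. */
static int match_mask(const char *str, size_t len, const char *mask)
{
    size_t n = strlen(mask);
    if (len <= n) return 0;   /* bound check before indexing: stamp + 1 byte */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)str[i];
        switch (mask[i]) {
        case 'd': if (!isdigit(c)) return 0; break;
        case 's': if (c != '+' && c != '-') return 0; break;
        case 'w': if (c != ' ' && c != '\t') return 0; break;
        default:  if (c != (unsigned char)mask[i]) return 0; break;
        }
    }
    return 1;
}

/* Returns the offset of the text after the timestamp, or 0 if none matches. */
size_t mysql_ts_payload_offset(const char *str)
{
    static const char *const masks[] = {
        "dddd-dd-ddTdd:dd:dd.ddddddsdd:ddw",  /* local time, separator at [32] */
        "dddd-dd-ddTdd:dd:dd.ddddddZw",       /* UTC, separator at [27] */
    };
    size_t len = strlen(str);
    for (size_t i = 0; i < sizeof(masks) / sizeof(masks[0]); i++) {
        if (match_mask(str, len, masks[i])) return strlen(masks[i]);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines: tab-separated, space-separated, no separator. */
    const char *samples[] = {
        "2024-07-01T10:15:30.123456Z\t    8 Query\tSELECT 1",
        "2024-07-01T12:15:30.123456+02:00 8 Query\tSELECT 1",
        "2024-07-01T10:15:30.123456ZX 8 Query\tSELECT 1",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%zu\n", mysql_ts_payload_offset(samples[i]));
    return 0;
}
```
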
dude75 commented 3 months ago

I have a similar problem in MySQL versions 5.7 and 8.x.

I solved it in a similar way. Is it possible to make changes to the wazuh-agent distribution?

TomasTurina commented 2 months ago

@LinU777 @dude75 Thank you for reporting this problem and a possible solution. We will investigate further and test your solutions or alternative solutions as soon as possible. We will keep you updated on this issue.