Skip to content
This repository has been archived by the owner on Apr 19, 2021. It is now read-only.

Commit

Permalink
Issue 972: securityonion-sguil-db-purge: update mysql call
Browse files Browse the repository at this point in the history
  • Loading branch information
dougburks committed Jul 31, 2016
1 parent 2c7290c commit 085ab50
Show file tree
Hide file tree
Showing 4 changed files with 116 additions and 12 deletions.
25 changes: 13 additions & 12 deletions bin/sguil-db-purge
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@
DATABASE=securityonion_db

# Connect to the database using a MySQL username of root
DB_USER=root
#DB_USER=root

# If you have NOT changed the MySQL root password, use the following line:
PASSWORD_OPTION=
#PASSWORD_OPTION=

# If you HAVE changed the MySQL root password, uncomment the next two lines and set your DB_PASSWORD
#DB_PASSWORD=Insert_Your_Password_Here
Expand Down Expand Up @@ -108,8 +108,9 @@ if [ ! -d /var/lib/mysql/$DATABASE/ ]; then exit; fi
date

# Check policies
KEEPDAY=`/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY), '%Y%m%d');" -D $DATABASE`
REPAIRDAY=`/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOREPAIR DAY), '%Y%m%d');" -D $DATABASE`
MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf -D $DATABASE"
KEEPDAY=`$MYSQL -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY), '%Y%m%d');"`
REPAIRDAY=`$MYSQL -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOREPAIR DAY), '%Y%m%d');"`

echo "Retention policy set to $DAYSTOKEEP days (deleting data prior to $KEEPDAY)."
echo "Repair policy set to $DAYSTOREPAIR days (repairing tables back to $REPAIRDAY)."
Expand All @@ -119,35 +120,35 @@ echo "Uncat policy set to $UNCAT_MAX uncategorized events (categorizing events u
cleanup() {

# Check to see if there are too many uncategorized events
UNCAT=`/usr/bin/mysql -s -u$DB_USER -D $DATABASE -e 'select count(*) from event where status=0;'`
UNCAT=`$MYSQL -s -e 'select count(*) from event where status=0;'`
if [ "$UNCAT" -le $UNCAT_MAX ]; then
echo "There are $UNCAT uncategorized events, which does not exceed the max of $UNCAT_MAX."
else
echo "There are $UNCAT uncategorized events, which exceeds the max of $UNCAT_MAX."
let UNCAT_DELTA=UNCAT-UNCAT_MAX
echo "Categorizing the oldest $UNCAT_DELTA events."
MYSQL_STRING="update event set status=1 where status=0 order by timestamp limit $UNCAT_DELTA;"
/usr/bin/mysql -u$DB_USER -D $DATABASE -e "$MYSQL_STRING"
$MYSQL -e "$MYSQL_STRING"
fi

# Purge the history table
/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "DELETE FROM history WHERE timestamp < DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY);" -D $DATABASE
$MYSQL -BN -e "DELETE FROM history WHERE timestamp < DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY);"

# Purge the remaining tables
for TABLEPREFIX in "data" "event" "icmphdr" "sancp" "tcphdr" "udphdr"
do
# Check to see if the table exists
/usr/bin/mysql -u$DB_USER -D $DATABASE -e "SHOW TABLES LIKE '$TABLEPREFIX%';" | if grep $TABLEPREFIX >/dev/null 2>&1; then
$MYSQL -e "SHOW TABLES LIKE '$TABLEPREFIX%';" | if grep $TABLEPREFIX >/dev/null 2>&1; then
# If the table exists, drop the merge table, delete the old tables, and repair the recent tables
echo "$TABLEPREFIX table exists, dropping old tables and repairing recent tables."
/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "DROP TABLE $TABLEPREFIX;" -D $DATABASE
TABLES=(`/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "SHOW TABLES LIKE '$TABLEPREFIX%';" -D $DATABASE`)
$MYSQL -BN -e "DROP TABLE $TABLEPREFIX;"
TABLES=(`$MYSQL -BN -e "SHOW TABLES LIKE '$TABLEPREFIX%';"`)
for TABLE in "${TABLES[@]}"; do
TABLEDAY=`echo "$TABLE" | awk -F_ '{print($3)}'`
if [ "$TABLEDAY" -lt "$KEEPDAY" ]; then
/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "DROP TABLE \`$TABLE\`;" -D $DATABASE
$MYSQL -BN -e "DROP TABLE \`$TABLE\`;"
else
[ "$TABLEDAY" -gt "$REPAIRDAY" ] && /usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "REPAIR TABLE \`$TABLE\`;" -D $DATABASE
[ "$TABLEDAY" -gt "$REPAIRDAY" ] && $MYSQL -BN -e "REPAIR TABLE \`$TABLE\`;"
fi
done
fi
Expand Down
6 changes: 6 additions & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
securityonion-sguil-db-purge (20120722-0ubuntu0securityonion15) trusty; urgency=medium

* Issue 972: securityonion-sguil-db-purge: update mysql call

-- Doug Burks <[email protected]> Sun, 31 Jul 2016 13:09:51 -0400

securityonion-sguil-db-purge (20120722-0ubuntu0securityonion14) trusty; urgency=medium

* Issue 971: securityonion-sguil-db-purge: add command line options
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
Description: <short summary of the patch>
TODO: Put a short summary on the line above and replace this paragraph
with a longer explanation of this change. Complete the meta-information
with other relevant fields (see below for details). To make it easier, the
information below has been extracted from the changelog. Adjust it or drop
it.
.
securityonion-sguil-db-purge (20120722-0ubuntu0securityonion15) trusty; urgency=medium
.
* Issue 972: securityonion-sguil-db-purge: update mysql call
Author: Doug Burks <[email protected]>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- securityonion-sguil-db-purge-20120722.orig/bin/sguil-db-purge
+++ securityonion-sguil-db-purge-20120722/bin/sguil-db-purge
@@ -19,10 +19,10 @@
DATABASE=securityonion_db

# Connect to the database using a MySQL username of root
-DB_USER=root
+#DB_USER=root

# If you have NOT changed the MySQL root password, use the following line:
-PASSWORD_OPTION=
+#PASSWORD_OPTION=

# If you HAVE changed the MySQL root password, uncomment the next two lines and set your DB_PASSWORD
#DB_PASSWORD=Insert_Your_Password_Here
@@ -108,8 +108,9 @@ if [ ! -d /var/lib/mysql/$DATABASE/ ]; t
date

# Check policies
-KEEPDAY=`/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY), '%Y%m%d');" -D $DATABASE`
-REPAIRDAY=`/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOREPAIR DAY), '%Y%m%d');" -D $DATABASE`
+MYSQL="/usr/bin/mysql --defaults-file=/etc/mysql/debian.cnf -D $DATABASE"
+KEEPDAY=`$MYSQL -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY), '%Y%m%d');"`
+REPAIRDAY=`$MYSQL -BN -e "SELECT DATE_FORMAT(DATE_SUB(NOW(), INTERVAL $DAYSTOREPAIR DAY), '%Y%m%d');"`

echo "Retention policy set to $DAYSTOKEEP days (deleting data prior to $KEEPDAY)."
echo "Repair policy set to $DAYSTOREPAIR days (repairing tables back to $REPAIRDAY)."
@@ -119,7 +120,7 @@ echo "Uncat policy set to $UNCAT_MAX unc
cleanup() {

# Check to see if there are too many uncategorized events
- UNCAT=`/usr/bin/mysql -s -u$DB_USER -D $DATABASE -e 'select count(*) from event where status=0;'`
+ UNCAT=`$MYSQL -s -e 'select count(*) from event where status=0;'`
if [ "$UNCAT" -le $UNCAT_MAX ]; then
echo "There are $UNCAT uncategorized events, which does not exceed the max of $UNCAT_MAX."
else
@@ -127,27 +128,27 @@ cleanup() {
let UNCAT_DELTA=UNCAT-UNCAT_MAX
echo "Categorizing the oldest $UNCAT_DELTA events."
MYSQL_STRING="update event set status=1 where status=0 order by timestamp limit $UNCAT_DELTA;"
- /usr/bin/mysql -u$DB_USER -D $DATABASE -e "$MYSQL_STRING"
+ $MYSQL -e "$MYSQL_STRING"
fi

# Purge the history table
- /usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "DELETE FROM history WHERE timestamp < DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY);" -D $DATABASE
+ $MYSQL -BN -e "DELETE FROM history WHERE timestamp < DATE_SUB(NOW(), INTERVAL $DAYSTOKEEP DAY);"

# Purge the remaining tables
for TABLEPREFIX in "data" "event" "icmphdr" "sancp" "tcphdr" "udphdr"
do
# Check to see if the table exists
- /usr/bin/mysql -u$DB_USER -D $DATABASE -e "SHOW TABLES LIKE '$TABLEPREFIX%';" | if grep $TABLEPREFIX >/dev/null 2>&1; then
+ $MYSQL -e "SHOW TABLES LIKE '$TABLEPREFIX%';" | if grep $TABLEPREFIX >/dev/null 2>&1; then
# If the table exists, drop the merge table, delete the old tables, and repair the recent tables
echo "$TABLEPREFIX table exists, dropping old tables and repairing recent tables."
- /usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "DROP TABLE $TABLEPREFIX;" -D $DATABASE
- TABLES=(`/usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "SHOW TABLES LIKE '$TABLEPREFIX%';" -D $DATABASE`)
+ $MYSQL -BN -e "DROP TABLE $TABLEPREFIX;"
+ TABLES=(`$MYSQL -BN -e "SHOW TABLES LIKE '$TABLEPREFIX%';"`)
for TABLE in "${TABLES[@]}"; do
TABLEDAY=`echo "$TABLE" | awk -F_ '{print($3)}'`
if [ "$TABLEDAY" -lt "$KEEPDAY" ]; then
- /usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "DROP TABLE \`$TABLE\`;" -D $DATABASE
+ $MYSQL -BN -e "DROP TABLE \`$TABLE\`;"
else
- [ "$TABLEDAY" -gt "$REPAIRDAY" ] && /usr/bin/mysql -u$DB_USER $PASSWORD_OPTION -BN -e "REPAIR TABLE \`$TABLE\`;" -D $DATABASE
+ [ "$TABLEDAY" -gt "$REPAIRDAY" ] && $MYSQL -BN -e "REPAIR TABLE \`$TABLE\`;"
fi
done
fi
1 change: 1 addition & 0 deletions debian/patches/series
Original file line number Diff line number Diff line change
Expand Up @@ -10,3 +10,4 @@ Issue-672:-sguil-db-purge:-check-for-UNCAT_MAX
Issue-711:-Add-"date"-command-to-usrbinsguil-db-purge
add-an-empty-line-to-log
Issue-971:-securityonion-sguil-db-purge:-add-command-line-options
Issue-972:-securityonion-sguil-db-purge:-update-mysql-call

0 comments on commit 085ab50

Please sign in to comment.