Alarm and event table structure of the alienvault database

Source: Internet
Author: User
Tags: ossim, alienvault

As an OSSIM database developer, you need to understand the structure of the alarm and event tables in the alienvault database. The tables below list each column with its type, whether it allows NULL, and its default value (empty where the column has no default).

1. alarm
Field | Type | Allow Null | Default Value
backlog_id | binary(16) | No |
event_id | binary(16) | No |
pai_engine_ctx | binary(16) | No |
timestamp | timestamp | Yes |
status | enum('open','closed') | Yes | 'open'
plugin_id | int(11) | No |
plugin_sid | int(11) | No |
protocol | int(11) | Yes |
src_ip | varbinary(16) | Yes |
dst_ip | varbinary(16) | Yes |
src_port | int(11) | Yes |
dst_port | int(11) | Yes |
risk | int(11) | Yes |
efr | int(11) | No | 0
similar | varchar(40) | No | '123'
stats | mediumtext | No |
removable | tinyint(1) | No | 0
in_file | tinyint(1) | No | 0

2. alarm_groups
Field | Type | Allow Null | Default Value
group_id | varchar(255) | No |
description | text | No |
status | enum('open','closed') | No |
timestamp | timestamp | No | CURRENT_TIMESTAMP
owner | varchar(64) | No |

3. alarm_hosts
Field | Type | Allow Null | Default Value
id_alarm | binary(16) | No |
id_host | binary(16) | No |

4. alarm_kingdoms
Field | Type | Allow Null | Default Value
id | int(11) | No |
name | varchar(128) | No |

5. alarm_nets
Field | Type | Allow Null | Default Value
id_alarm | binary(16) | No |
id_net | binary(16) | No |

6. alarm_tags
Field | Type | Allow Null | Default Value
id_alarm | binary(16) | No |
id_tag | int(11) | No |

alarm_taxonomy
Field | Type | Allow Null | Default Value
sid | int(11) | No |
engine_id | binary(16) | No | '\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0' (16 zero bytes)
kingdom | int(11) | No |
category | int(11) | No |
subcategory | text | No |

7. databases
Field | Type | Allow Null | Default Value
id | int(10) unsigned | No |
ctx | binary(16) | No |
name | varchar(64) | No |
ip | varbinary(16) | No |
port | int(11) | No | 3306
user | varchar(64) | No |
pass | varchar(64) | No |
icon | mediumblob | No |

8. device_types
Field | Type | Allow Null | Default Value
id | int(11) | No |
name | varchar(64) | No |
class | int(11) | No |

9. event
Field | Type | Allow Null | Default Value
id | binary(16) | No |
agent_ctx | binary(16) | No |
timestamp | timestamp | No | CURRENT_TIMESTAMP
tzone | float | No | 0
sensor_id | binary(16) | Yes |
interface | varchar(32) | No |
type | int(11) | No |
plugin_id | int(11) | No |
plugin_sid | int(11) | No |
protocol | int(11) | Yes |
src_ip | varbinary(16) | Yes |
dst_ip | varbinary(16) | Yes |
src_port | int(11) | Yes |
dst_port | int(11) | Yes |
event_condition | int(11) | Yes |
value | text | Yes |
time_interval | int(11) | Yes |
absolute | tinyint(4) | Yes |
priority | int(11) | Yes | 1
reliability | int(11) | Yes | 1
asset_src | int(11) | Yes | 1
asset_dst | int(11) | Yes | 1
risk_a | int(11) | Yes | 0
risk_c | int(11) | Yes | 0
alarm | tinyint(4) | Yes | 0
filename | varchar(256) | Yes |
username | varchar(64) | Yes |
password | varchar(64) | Yes |
userdata1 | varchar(1024) | Yes |
userdata2 | varchar(1024) | Yes |
userdata3 | varchar(1024) | Yes |
userdata4 | varchar(1024) | Yes |
userdata5 | varchar(1024) | Yes |
userdata6 | varchar(1024) | Yes |
userdata7 | varchar(1024) | Yes |
userdata8 | varchar(1024) | Yes |
userdata9 | varchar(1024) | Yes |
rulename | text | Yes |
rep_prio_src | int(10) unsigned | Yes |
rep_prio_dst | int(10) unsigned | Yes |
rep_rel_src | int(10) unsigned | Yes |
rep_rel_dst | int(10) unsigned | Yes |
rep_act_src | varchar(64) | Yes |
rep_act_dst | varchar(64) | Yes |
src_hostname | varchar(64) | Yes |
dst_hostname | varchar(64) | Yes |
src_mac | binary(6) | Yes |
dst_mac | binary(6) | Yes |
src_host | binary(16) | Yes |
dst_host | binary(16) | Yes |
src_net | binary(16) | Yes |
dst_net | binary(16) | Yes |
refs | int(11) | Yes |

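The ids, addresses and MAC columns in the alarm and event tables above are stored as raw bytes, so rows read straight from the database need decoding before they are readable. The following Python is an added example, not code from the page or from OSSIM itself; it assumes rows arrive as DB-API tuples in the column order listed above and that the varbinary(16) address columns follow MySQL's INET6_ATON layout (4 bytes for IPv4, 16 for IPv6), both of which are assumptions, and the sample row is constructed.

```python
import ipaddress
import uuid
from datetime import datetime

# Column order of the alarm table as listed above.
ALARM_COLUMNS = (
    "backlog_id", "event_id", "pai_engine_ctx", "timestamp", "status",
    "plugin_id", "plugin_sid", "protocol", "src_ip", "dst_ip", "src_port",
    "dst_port", "risk", "efr", "similar", "stats", "removable", "in_file",
)

def decode_uuid(raw):
    """binary(16) ids (backlog_id, event_id, sensor_id, ...) -> UUID string."""
    return None if raw is None else str(uuid.UUID(bytes=bytes(raw)))

def decode_ip(raw):
    """varbinary(16) address; assumed INET6_ATON layout: 4 bytes IPv4, 16 bytes IPv6."""
    if raw is None:
        return None
    raw = bytes(raw)
    if len(raw) not in (4, 16):
        raise ValueError("unexpected address length %d" % len(raw))
    return str(ipaddress.ip_address(raw))

def decode_mac(raw):
    """binary(6) src_mac/dst_mac from the event table; all zeros means unknown."""
    if raw is None or bytes(raw) == b"\0" * 6:
        return None
    return ":".join("%02x" % b for b in bytes(raw))

DECODERS = {"backlog_id": decode_uuid, "event_id": decode_uuid,
            "pai_engine_ctx": decode_uuid, "src_ip": decode_ip, "dst_ip": decode_ip,
            "src_mac": decode_mac, "dst_mac": decode_mac}

def decode_row(columns, row):
    """Turn a raw cursor tuple into a dict with the binary columns made readable."""
    if len(row) != len(columns):
        raise ValueError("row has %d values, expected %d" % (len(row), len(columns)))
    return {name: DECODERS.get(name, lambda v: v)(value)
            for name, value in zip(columns, row)}

# Constructed sample alarm row (not real data), in ALARM_COLUMNS order.
SAMPLE_ALARM = (
    uuid.UUID("11111111-2222-3333-4444-555555555555").bytes,
    uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa").bytes, b"\0" * 16,
    datetime(2020, 1, 2, 3, 4, 5), "open", 1001, 2, 6, bytes([10, 0, 0, 5]),
    ipaddress.ip_address("2001:db8::1").packed, 44321, 22, 7, 0, "123", "", 0, 0,
)
```

The same DECODERS table serves event rows: pass the event column list from table 9 in place of ALARM_COLUMNS.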
10. extra_data
Field | Type | Allow Null | Default Value
event_id | binary(16) | No |
data_payload | text | Yes |
binary_data | blob | Yes |

11. host
Field | Type | Allow Null | Default Value
id | binary(16) | No |
ctx | binary(16) | No |
hostname | varchar(128) | No |
fqdns | varchar(255) | No |
asset | smallint(6) | No |
threshold_c | int(11) | No |
threshold_a | int(11) | No |
alert | int(11) | No |
persistence | int(11) | No |
nat | varchar(15) | Yes |
rrd_profile | varchar(64) | Yes |
descr | varchar(255) | Yes |
lat | varchar(255) | Yes | '0'
lon | varchar(255) | Yes | '0'
icon | mediumblob | Yes |
country | varchar(64) | Yes |
external_host | tinyint(1) | No | 0
permissions | binary(8) | No | '\0\0\0\0\0\0\0\0' (8 zero bytes)
av_component | tinyint(1) | No | 0
created | datetime | Yes |
updated | datetime | Yes |

12. incident
Field | Type | Allow Null | Default Value
id | int(11) | No |
uuid | binary(16) | No |
ctx | binary(16) | No |
title | varchar(512) | No |
date | datetime | No | 0000-00-00 00:00:00
ref | enum('alarm','alert','event','metric','anomaly','vulnerability','custom') | No | 'alarm'
type_id | varchar(64) | No | '0'
priority | int(11) | No |
status | enum('open','assigned','studying','waiting','testing','closed') | No | 'open'
last_update | datetime | No | 0000-00-00 00:00:00
in_charge | varchar(64) | No |
submitter | varchar(64) | No |
event_start | datetime | No | 0000-00-00 00:00:00
event_end | datetime | No | 0000-00-00 00:00:00

13. incident_alarm
Field | Type | Allow Null | Default Value
id | int(11) | No |
incident_id | int(11) | No |
src_ips | varchar(255) | No |
src_ports | varchar(255) | No |
dst_ips | varchar(255) | No |
dst_ports | varchar(255) | No |
backlog_id | binary(16) | No |
event_id | binary(16) | No |
alarm_group_id | binary(16) | Yes |

14. incident_anomaly
Field | Type | Allow Null | Default Value
id | int(11) | No |
incident_id | int(11) | No |
anom_type | enum('mac','service','os') | No | 'mac'
ip | varchar(255) | No |
data_orig | varchar(255) | No |
data_new | varchar(255) | No |

15. plugin_sid
Field | Type | Allow Null | Default Value
plugin_ctx | binary(16) | No |
plugin_id | int(11) | No |
sid | int(11) | No |
class_id | int(11) | Yes |
reliability | int(11) | Yes | 1
priority | int(11) | Yes | 1
name | varchar(512) | No |
aro | decimal(11,4) | No | 0.0000
subcategory_id | int(11) | Yes |
category_id | int(11) | Yes |

We usually run one production OSSIM system and a separate development system. When the development system has to be updated to match production, its database structure usually differs slightly, so we first need to find the table-structure differences between the two databases. Combining the mysqldump and diff commands does this.

Export the table structure on each system (-d, i.e. --no-data, dumps only the table definitions, no rows):

    mysqldump -uroot -p -d alienvault > /home/db1.sql
    mysqldump -uroot -p -d alienvault > /home/db2.sql

Compare the two dumps (run from /home, where both files were written):

    diff db1.sql db2.sql > diff
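A plain diff of two schema dumps also reports harmless differences such as AUTO_INCREMENT counters and comment lines, which hide the column changes that actually matter for an update. The following Python is an added example, not part of the original article: it parses the CREATE TABLE statements in two `mysqldump -d` outputs and lists only table and column differences. The two dumps are constructed samples, and the parser expects the plain CREATE TABLE layout mysqldump writes (one column per line, closing `)` at the start of a line).

```python
import re

# One match per CREATE TABLE statement: the table name and the column/key body.
CREATE_RE = re.compile(r"CREATE TABLE `(\w+)` \((.*?)\n\)[^;]*;", re.S)

def parse_dump(text):
    """{table: {column: definition}} from `mysqldump -d` output; key lines and
    table options (ENGINE, AUTO_INCREMENT, CHARSET) are ignored on purpose."""
    tables = {}
    for name, body in CREATE_RE.findall(text):
        cols = {}
        for line in body.splitlines():
            m = re.match(r"`(\w+)` (.+)", line.strip().rstrip(","))
            if m:  # PRIMARY KEY / KEY / CONSTRAINT lines do not match
                cols[m.group(1)] = m.group(2)
        tables[name] = cols
    return tables

def compare_schemas(first, second):
    """List table and column differences between two parsed schemas."""
    diffs = []
    for t in sorted(set(first) | set(second)):
        if t not in first or t not in second:
            diffs.append("table %s only in %s" % (t, "first" if t in first else "second"))
            continue
        for c in sorted(set(first[t]) | set(second[t])):
            if c not in first[t] or c not in second[t]:
                diffs.append("%s.%s only in %s" % (t, c, "first" if c in first[t] else "second"))
            elif first[t][c] != second[t][c]:
                diffs.append("%s.%s: %s -> %s" % (t, c, first[t][c], second[t][c]))
    return diffs

# Constructed sample dumps (not real exports). The second adds a column and a
# default; its AUTO_INCREMENT counter also differs but must not be reported.
DB1_DUMP = """CREATE TABLE `alarm` (
  `backlog_id` binary(16) NOT NULL,
  `status` enum('open','closed') DEFAULT 'open',
  `risk` int(11) DEFAULT NULL,
  PRIMARY KEY (`backlog_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `alarm_groups` (
  `group_id` varchar(255) NOT NULL,
  `status` enum('open','closed') NOT NULL
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
"""
DB2_DUMP = (DB1_DUMP
            .replace("  `risk` int(11) DEFAULT NULL,\n",
                     "  `risk` int(11) DEFAULT NULL,\n  `similar` varchar(40) NOT NULL DEFAULT '123',\n")
            .replace("'closed') NOT NULL\n", "'closed') NOT NULL DEFAULT 'open'\n")
            .replace("AUTO_INCREMENT=5", "AUTO_INCREMENT=9"))
```

For the real files, read /home/db1.sql and /home/db2.sql and pass their contents to parse_dump before calling compare_schemas.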
