With the Splunk App for Stream, when I log in to the MySQL server from host1, the software will capture the action and generate a message like this:
{"endtime":"2015-11-11T08:34:41.080784Z",
"timestamp":"2015-11-11T08:34:41.080784Z",
"count":1,
"src_ip":"192.168.18.132",
"src_port":46773,
"dest_ip":"192.168.18.131",
"dest_port":3306,
"login":"root",
"query":"",
"time_taken":26005,
"psrsvd_ss_time_taken":676260025}
And when I run a SQL query, it will capture the action and generate a message like this:
{"endtime":"2015-11-11T01:27:44.104973Z",
"timestamp":"2015-11-11T01:27:44.104973Z",
"count":1,
"src_ip":"192.168.18.132",
"src_port":37159,
"dest_ip":"192.168.18.131",
"dest_port":3306,
"login":"",
"query":"SELECT count(*) FROM `ecshop`.`ecs_category` WHERE is_show = 1 ",
"time_taken":629,
"psrsvd_ss_time_taken":395641}
And when I access the Apache server, it can get the same kind of thing: the source IP and port, the reply time, the URL I'm looking at, and so on. It also works for Oracle database, email servers, and so on. Here is the link with the supported protocols.
So I'm searching for plugins for Logstash or the ELK stack which can do things like that, or some software that can collect the information and feed it into Logstash, or some workaround.
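The records above are produced by decoding the MySQL wire protocol off the network, which is what any passive collector feeding Logstash would also have to do. As an added example (not code from the original post, from Splunk or from any Logstash plugin), the Python below decodes the two client-side packets that carry the `login` and `query` fields shown above: the HandshakeResponse41 packet (capability flags, max packet size, charset, 23 reserved bytes, NUL-terminated username) and the COM_QUERY packet (command byte 0x03 followed by the SQL text). The packet bytes are constructed by hand from the documented packet layout, and the IP addresses and ports are the ones from the post; the Stream-style field names are copied from the records above, while `time_taken` is not computed because a single direction of traffic does not contain the server's reply.

```python
import json
import struct

# MySQL packet framing: 3-byte little-endian payload length, 1-byte sequence id, payload.
HEADER_LEN = 4
COM_QUERY = 0x03
CLIENT_PROTOCOL_41 = 0x00000200          # capability flag: HandshakeResponse41 layout
CLIENT_SECURE_CONNECTION = 0x00008000    # capability flag: length-prefixed auth response
HANDSHAKE_FIXED_LEN = 4 + 4 + 1 + 23     # caps, max packet, charset, reserved bytes


def _packet(seq, payload):
    """Frame a payload as one MySQL packet (used only to build the constructed sample)."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


# Constructed sample capture (client -> server bytes of one session, not a real pcap):
# packet 1 is the client's handshake response (sequence id 1, replying to the server
# greeting), packet 2 is a COM_QUERY, which restarts the sequence id at 0.
_caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
_auth = bytes(20)                        # placeholder 20-byte auth response (constructed)
_login_payload = (struct.pack("<IIB", _caps, 16777216, 33) + bytes(23)
                  + b"root\x00" + bytes([len(_auth)]) + _auth)
_query_payload = bytes([COM_QUERY]) + b"SELECT count(*) FROM `ecshop`.`ecs_category` WHERE is_show = 1 "
SAMPLE_STREAM = _packet(1, _login_payload) + _packet(0, _query_payload)


def iter_packets(data):
    """Yield (sequence_id, payload) for each complete packet; stop at a truncated tail."""
    off = 0
    while off + HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "little")
        seq = data[off + 3]
        payload = data[off + HEADER_LEN:off + HEADER_LEN + length]
        if len(payload) < length:
            break                        # capture ended mid-packet
        yield seq, payload
        off += HEADER_LEN + length


def parse_login(payload):
    """Return the username from a HandshakeResponse41 payload, or None if it is not one."""
    if len(payload) < HANDSHAKE_FIXED_LEN + 1:
        return None
    caps = struct.unpack_from("<I", payload, 0)[0]
    if not caps & CLIENT_PROTOCOL_41:
        return None                      # pre-4.1 layout is not handled here
    end = payload.find(b"\x00", HANDSHAKE_FIXED_LEN)
    if end < 0:
        return None
    return payload[HANDSHAKE_FIXED_LEN:end].decode("utf-8", "replace")


def parse_query(payload):
    """Return the SQL text from a COM_QUERY payload, or None for any other command."""
    if payload and payload[0] == COM_QUERY:
        return payload[1:].decode("utf-8", "replace")
    return None


def extract_events(data, src_ip, src_port, dest_ip, dest_port):
    """Turn a client-to-server byte stream into Stream-style login/query records."""
    events = []
    for seq, payload in iter_packets(data):
        base = {"count": 1, "src_ip": src_ip, "src_port": src_port,
                "dest_ip": dest_ip, "dest_port": dest_port}
        # The sequence id disambiguates: only the handshake response arrives with seq 1,
        # a command packet always starts a new sequence at 0 (its first payload byte can
        # legitimately equal 0x03 in a handshake response's capability flags too).
        if seq == 1:
            user = parse_login(payload)
            if user is not None:
                events.append(dict(base, login=user, query=""))
                continue
        sql = parse_query(payload)
        if sql is not None:
            events.append(dict(base, login="", query=sql))
    return events


def to_json_lines(events):
    """Serialize events one JSON object per line, the shape Logstash's json codec reads."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    found = extract_events(SAMPLE_STREAM, "192.168.18.132", 46773, "192.168.18.131", 3306)
    print(to_json_lines(found))
```

Two points worth keeping in mind when running a decoder like this in production: the extracted `query` field carries whatever the client sent, so statements containing credentials or personal data end up in the index and the index needs the same access controls as the database; and, like the Stream records above, a capture of unencrypted traffic only works because the session is not using TLS, so enabling TLS on the server silently empties both the `login` and `query` fields of any passive collector.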