postgresql: Some notes about the PostgreSQL analyzer
awelzel committed Nov 18, 2024
1 parent 148dfe9 commit 7d52328
Showing 2 changed files with 99 additions and 1 deletion.
3 changes: 2 additions & 1 deletion logs/index.rst
@@ -19,9 +19,10 @@ Zeek Logs
ntp
smb
irc
rdp
ldap
postgresql
quic
rdp
traceroute
tunnel
dpd
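Review bot: this hunk bundles an unrelated move of ``rdp`` (from before ``ldap`` to after ``quic``) with the addition of the ``postgresql`` toctree entry, which is the only change the commit message describes. The surrounding entries (ntp, smb, irc, ..., traceroute, tunnel, dpd) are not alphabetically ordered, so the move does not obviously establish an ordering either; either reduce the hunk to the single inserted ``postgresql`` line or mention the reorder in the commit message.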
97 changes: 97 additions & 0 deletions logs/postgresql.rst
@@ -0,0 +1,97 @@
.. _PostgreSQL protocol: https://www.postgresql.org/docs/current/protocol.html

==============
postgresql.log
==============

.. versionadded:: 7.1

Overview
========

Zeek contains a basic spicy-based `PostgreSQL protocol`_ analyzer.

Example
=======

An example of :file:`postgresql.log`.

.. code-block:: console
$ zeek -C LogAscii::use_json=T -r psql-create-insert-select-delete-drop.pcap
$ jq < postgresql.log
{
"ts": 1725368066.79174,
"uid": "C68Wxi3EStaTmxaUVl",
"id.orig_h": "127.0.0.1",
"id.orig_p": 40190,
"id.resp_h": "127.0.0.1",
"id.resp_p": 5432,
"user": "postgres",
"database": "postgres",
"application_name": "psql",
"frontend": "simple_query",
"frontend_arg": "CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);",
"success": true,
"rows": 0
}
{
"ts": 1725368066.80694,
"uid": "C68Wxi3EStaTmxaUVl",
"id.orig_h": "127.0.0.1",
"id.orig_p": 40190,
"id.resp_h": "127.0.0.1",
"id.resp_p": 5432,
"user": "postgres",
"database": "postgres",
"application_name": "psql",
"frontend": "simple_query",
"frontend_arg": "INSERT INTO t VALUES (42, 'forty-two', now());",
"success": true,
"rows": 0
}
:zeek:see:`PostgreSQL::Info` provides further details on the current output of the
:file:`postgresql.log`.

TLS
===

The PostgreSQL protocol provides a mechanism to upgrade client-server connection
to TLS. The analyzer detects this mechanism and forwards the TLS handshake to
Zeek's SSL analyzer. The ``postgresql.log`` and ``conn.log`` files will look
as follows:

.. code-block:: console
$ zeek -C LogAscii::use_json=T -r testing/btest/Traces/postgresql/psql-aws-ssl-preferred.pcap
$ jq < postgresql.log
{
"ts": 1670520068.267888,
"uid": "CAcbxM1ou0N1V2cGpe",
"id.orig_h": "192.168.123.132",
"id.orig_p": 39910,
"id.resp_h": "52.200.36.167",
"id.resp_p": 5432,
"frontend": "ssl_request",
"backend": "ssl_reply",
"backend_arg": "S",
"success": true
}
$ jq < conn.log
{
"ts": 1670520068.15752,
"uid": "CAcbxM1ou0N1V2cGpe",
"id.orig_h": "192.168.123.132",
"id.orig_p": 39910,
"id.resp_h": "52.200.36.167",
"id.resp_p": 5432,
"proto": "tcp",
"service": "postgresql,ssl",
"duration": 0.931433916091919,
"orig_bytes": 786,
"resp_bytes": 4542,
...
}
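Review bot: both ``.. code-block:: console`` directives are immediately followed by their content (``$ zeek -C LogAscii::use_json=T ...``) with no blank line in between; in reStructuredText the blank line separates the directive argument (``console``) from the body, and without it Sphinx treats the first content line as additional arguments and fails with a "maximum 1 argument(s) allowed" error. Likewise the first example's closing ``}`` runs straight into the ``:zeek:see:`PostgreSQL::Info``` paragraph with no blank line, which at best produces an "unexpected unindent" warning. Insert a blank line after each directive line and one before that paragraph. Two smaller points in the same file: the first example references a bare ``psql-create-insert-select-delete-drop.pcap`` while the second uses the full ``testing/btest/Traces/postgresql/`` path, so the first should use the same repository path (and could say the output is truncated, since only two of the five statements named in the pcap are shown); and "spicy-based" should be "Spicy-based" and "upgrade client-server connection" should read "upgrade the client-server connection".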
