Skip to content

sqlite.md

Latest commit

 

History

History
67 lines (54 loc) · 1.05 KB

sqlite.md

File metadata and controls

67 lines (54 loc) · 1.05 KB

logira SQLite Schema

Each run directory contains index.sqlite for fast queries:

$LOGIRA_HOME/runs/<run-id>/index.sqlite

logira uses modernc.org/sqlite (no CGO required).

Tables

runs

CREATE TABLE runs(
  id TEXT PRIMARY KEY,
  start_ts INTEGER,
  end_ts INTEGER,
  command TEXT,
  tool TEXT,
  suspicious_count INTEGER,
  meta_json TEXT
);

events

CREATE TABLE events(
  run_id TEXT,
  seq INTEGER,
  ts INTEGER,
  type TEXT,
  pid INTEGER,
  ppid INTEGER,
  uid INTEGER,
  summary TEXT,
  data_json TEXT,
  exe TEXT,
  path TEXT,
  dst_ip TEXT,
  dst_port INTEGER
);

exe/path/dst_ip/dst_port are extracted columns to accelerate common queries.

detections

CREATE TABLE detections(
  run_id TEXT,
  seq INTEGER,
  ts INTEGER,
  rule_id TEXT,
  severity TEXT,
  message TEXT,
  related_seq INTEGER
);

Indexes

CREATE INDEX idx_events_run_ts ON events(run_id, ts);
CREATE INDEX idx_events_run_type ON events(run_id, type);
CREATE INDEX idx_events_run_ts_type ON events(run_id, ts, type);