For ELK and MSSQL
Here is result (this is kibana visualize count)
Notice it, I'm not use windows event log to parse, and I drop login failed log.
Below is my Nxlog config for MSSQL.
<Input sql-err>
Module im_file
File "C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\ER*"
ReadFromLast TRUE
Exec convert_fields('UCS-2LE','UTF-8');
Exec if ($raw_event =~ /18470/) drop();
Exec if ($raw_event =~ /18456/) drop();
Exec if ($raw_event =~ /Login failed for user/) drop();
Exec if ($raw_event =~ /^(\d{4}\-\d{2}\-\d{2})(\s*)(\d{2}\:\d{2}\:\d{2}\.\d{2})(\s*)(\S+)(\s*)(.*)$/) \
{ \
$Sql_Date = $1; \
$Sql_Time = $3; \
$Sql_Function = $5; \
$Sql_Content = $7; \
to_json(); \
}
</Input>