For ELK and MSSQL

Here is result (this is kibana visualize count)

Notice it, I'm not use windows event log to parse, and I drop login failed log.

Below is my Nxlog config for MSSQL.

<Input sql-err>
    Module      im_file
    File "C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\ER*"
    ReadFromLast TRUE
 Exec  convert_fields('UCS-2LE','UTF-8');
 Exec  if ($raw_event =~ /18470/) drop();
 Exec  if ($raw_event =~ /18456/) drop();
        Exec  if ($raw_event =~ /Login failed for user/) drop();
 Exec    if  ($raw_event =~ /^(\d{4}\-\d{2}\-\d{2})(\s*)(\d{2}\:\d{2}\:\d{2}\.\d{2})(\s*)(\S+)(\s*)(.*)$/) \
 { \
  $Sql_Date = $1; \
  $Sql_Time = $3; \
  $Sql_Function = $5; \
  $Sql_Content = $7; \
  to_json(); \
 }
</Input>

• Prev
• Next