Problems sending Microsoft SQL logs to Graylog
Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the SQL logs either. I attach the implemented configuration files:
nxlog.con (nxlog EE v.5.3.6735):
Panic Soft
define INSTALLDIR C:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d
Note that these two lines define constants only; the log file location
is ultimately set by the LogFile directive (see below). The
MYLOGFILE define is also used to rotate the log file automatically
(see the _fileop block).
define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log
If you are not using NXLog Manager, disable the include line
and enable LogLevel and LogFile.
include %CONFDIR%*.conf
#LogLevel INFO #LogFile %MYLOGFILE%
<Extension gelf> Module xm_gelf </Extension>
<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>
This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
is changed in managed.conf via NXLog Manager, rotation of the new
file should also be configured there.
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>
<Input eventlog> Module im_msvistalog </Input>
<Input eventlogSQL>
Module im_odbc
ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=<server_name>;
Trusted_Connection=yes; DATABASE=MASTER;
PollInterval 5
IdType timestamp
SQL SELECT event_time AS 'id', f., a.name AS action_name
FROM fn_get_audit_file('X:\SQLDATA\Log\logfiles\Audit-.sqlaudit', default,
default) AS f
INNER JOIN sys.dm_audit_actions AS a
ON f.action_id = a.action_id
WHERE event_time > ?
<Exec>
delete($id);
rename_field($event_time, $EventTime);
</Exec>
</Input>
<Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output>
<Output udpSQL> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output>
<Route eventlog_to_udp> Path eventlog => udp </Route>
<Route eventlog_to_udpSQL> Path eventlogSQL => udpSQL </Route>
nxlog.con (nxlog CEv.2.10.2150):
Panic Soft #NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data
<Extension gelf> Module xm_gelf </Extension>
<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input eventlog> Module im_msvistalog </Input>
<Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output>
<Route eventlog_to_udp> Path eventlog => udp </Route>
