Selecting events from SQL Server used by Symantec DCS SQL Database
Is the Conf file format work ? Which point will this read the SQL table ? SQL Table as provided by DCS integration with SIEM solutions like Splunk, SSIM or ArcSight (broadcom.com) KB https://knowledge.broadcom.com/external/article?articleId=175333
<Input reading_integer_id> Module im_odbc ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=xxxxx; Trusted_Connection=yes; Database=db1;UID=ROUSER;PWD=xxxxx; IdType integer SQL SELECT Event_ID AS id, * FROM dbo.CSPEVENT_VW WHERE Event_ID > ? Exec delete($id); </Input>
Initial run of this gives the following error
2021-12-30 04:22:41 WARNING no routes defined! 2021-12-30 04:22:41 WARNING not starting unused module reading_integer_id 2021-12-30 04:22:41 INFO nxlog-4.10.5008-trial started 2021-12-30 04:22:50 WARNING stopping nxlog service 2021-12-30 04:22:51 WARNING nxlog received a termination request signal, exiting.
Hi Richard,
The errors on the logs you provided clearly shows that you have no route defined on the configuration file. The general configuration of Nxlog is thus
<Input reading_integer_id>
.... some input module and configuration if required.
</Input>
<Output sending_to_some_destination_eg_seim>
.... some Output module and configuration if required.
</Output>
<Route name_of_route>
Path reading_integer_id => sending_to_some_destination_eg_seim
</Route>
The routes are needed for the agent to know the intended event flow.
I hope this helps
