
Does this conf file format work? At which point will this read the SQL table? The SQL table is as provided by DCS integration with SIEM solutions like Splunk, SSIM or ArcSight (broadcom.com), KB https://knowledge.broadcom.com/external/article?articleId=175333

<Input reading_integer_id>
Module im_odbc
ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=xxxxx; Trusted_Connection=yes; Database=db1;UID=ROUSER;PWD=xxxxx;
IdType integer
SQL SELECT Event_ID AS id, * FROM dbo.CSPEVENT_VW WHERE Event_ID > ?
Exec delete($id);
</Input>

The initial run of this gives the following error:

2021-12-30 04:22:41 WARNING no routes defined!
2021-12-30 04:22:41 WARNING not starting unused module reading_integer_id
2021-12-30 04:22:41 INFO nxlog-4.10.5008-trial started
2021-12-30 04:22:50 WARNING stopping nxlog service
2021-12-30 04:22:51 WARNING nxlog received a termination request signal, exiting.

Asked December 30, 2021 - 11:07am

Answer (1)

Hi Richard,

The errors in the logs you provided clearly show that you have no route defined in the configuration file. The general configuration of NXLog is thus:

<Input reading_integer_id>
    .... some input module and configuration if required.
</Input>

<Output sending_to_some_destination_eg_seim>
    .... some Output module and configuration if required.
</Output>

<Route name_of_route>
    Path   reading_integer_id => sending_to_some_destination_eg_seim
</Route>

The routes are needed for the agent to know the intended event flow.

I hope this helps
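
As an added example (not part of the answer above and not NXLog's own tooling), the Python script below checks a configuration for the condition behind the two warnings in the question's log: no Route defined, and module instances that no Path references. The sample configurations, the `siem_out` and `odbc_to_siem` names and the `lint_routes` helper are constructed for illustration.

```python
import re

# Constructed sample: the Input block from the question, with no Output or Route.
QUESTION_CONF = """\
<Input reading_integer_id>
    Module im_odbc
    SQL SELECT Event_ID AS id, * FROM dbo.CSPEVENT_VW WHERE Event_ID > ?
</Input>
"""

# Constructed sample: the same Input plus a hypothetical Output and a Route.
ROUTED_CONF = QUESTION_CONF + """\
<Output siem_out>
    Module om_tcp
</Output>
<Route odbc_to_siem>
    Path reading_integer_id => siem_out
</Route>
"""

BLOCK_RE = re.compile(r"^<(Input|Output|Processor|Route)\s+([\w-]+)>$", re.I)
PATH_RE = re.compile(r"^Path\s+(.+)$", re.I)


def lint_routes(conf_text):
    """Return (has_route, unrouted): whether any Route block exists, and the
    Input/Output/Processor instances that no Route Path refers to."""
    declared, routed, kind, route_count = [], set(), None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and whole-line comments
        opened = BLOCK_RE.match(line)
        if opened:
            kind = opened.group(1).lower()
            if kind == "route":
                route_count += 1
            else:
                declared.append(opened.group(2))
        elif line.startswith("</"):
            kind = None  # left the current block
        elif kind == "route" and PATH_RE.match(line):
            # A Path is "in1, in2 => proc => out1, out2": collect every name.
            for hop in PATH_RE.match(line).group(1).split("=>"):
                routed.update(n.strip() for n in hop.split(",") if n.strip())
    return route_count > 0, [name for name in declared if name not in routed]


if __name__ == "__main__":
    print("question config:", lint_routes(QUESTION_CONF))
    print("routed config:  ", lint_routes(ROUTED_CONF))
```

An instance reported as unrouted is one the agent will not start, so no events from that source reach the SIEM until a Route names it.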