Re: Reading MSSQL logs into splunk

rgtsplunk · ‎09-25-2014

We are trying to read log files from Microsoft SQL servers. We have installed forwarders on the servers to send data to our indexers. The data is getting through to our indexers, but nothing is going into splunk. It appears that the mssql log files are binary files, so splunk will not index them. How can we get them into text and into splunk for searching?

ahall_splunk · ‎09-25-2014

Which specific log files are you trying to read?

The MSSQL "transaction log" files are binary and are not splunkable. If you are after audit logs, then this needs to be configured within the MSSQL Management Console - at which point you choose the file location or Windows Event Log streams.

You can use the Splunk App for Microsoft SQL Server - it contains a specific TA for doing the SQL Server logs (both audit and functional aspects).

rgtsplunk · ‎09-25-2014

I did download and install the Splunk App for Microsoft SQL Server, but did not see anything in the TA that would read the log files.

It also said that this app requires Splunk add-on for Microsoft Windows and Splunk add-on for Microsoft Powershell. We do not need the Microsoft Windows events, as they are being read by a different method already, and I do not know what Microsoft Powershell does.

ahall_splunk · ‎09-25-2014

Thats because the system log files and the audit logs files (if you follow the instructions) are provided within the Windows Event Logs - the TA and app contain specific decodes for those logs so you can recognize them.

Reading MSSQL logs into splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation