All Apps and Add-ons

Why does server info populate SQL App, but Windows Event Log Data does not?

Explorer

Splunk App or Microsoft SQL Server has an Overview page. I have that successfully showing the monitored SQL instance.

But if I go to the Security/Database Operations report, it fails to return results.

An indexed audit event can be found with this search: index="wineventlog" AND "logname=application"

Inspecting one of these events reveals it is missing the mssql-audit eventtype.

Splunk App or Microsoft SQL Server has a macros.conf. Line 3 reads "definition = eventtype=mssql-audit server_instance_name="$instance$"...

I regularly run unsigned Powershell scripts from this server. There are no recent errors in the Powershell errors report.

Is something malfunctioning around automatically assigning the mssql-audit eventtype to events as they are searched or indexed?

Thanks! - Chris

0 Karma

Explorer

This may be related to a mixup between a SPLUNK supported Add On for SQL, and an unsupported App for SQL that has since been discontinued.

0 Karma