Hello,
Our Windows servers have the universal forwarder installed and it is working just fine. However, we also have Windows servers with SQL installed and we are trying to monitor the SQL Audit. We have configured the SQL Audit to send to the Windows Event Logs' Application log and we are now getting both SQL Audit and WinEvent in the same index. However, I want to split it so that SQL logs can be on a separate index from Windows logs.
Currently this is what I have set up on the UF:
inputs.conf:
[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 33205
index = mssql
renderXml=false
sourcetype = mssql:winevent
source = mssql:audit
[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = 33205
index = windows
renderXml=false
[WinEventLog://Security]
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = windows
renderXml=false
[WinEventLog://System]
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
renderXml=false
###### Windows Update Log ######
[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
index = windows
outputs.conf:
[tcpout]
defaultGroup = all_heavy_forwarders
[tcpout:all_heavy_forwarders]
server = <<IP List>>
forceTimebasedAutoLB=true
autoLB = true
I put two Application stanzas to try and split it at the UF and have different sourcetypes/indexes from that point forward; however, it doesn't seem to work.
If I run a TCP dump, there are zero logs with EventCode 33205 that make it to the heavy forwarders. However, the rest of the logs do make it. Additionally, if I disable the first inputs stanza, then I get 33205 events.
Add the following on the forwarder.
In props.conf:
[WinEventLog:Application]
TRANSFORMS-sqllogs=sqllogs
In transforms.conf:
[sqllogs]
REGEX=(?m)^EventCode=33205
DEST_KEY = _MetaData:Index
FORMAT = mssql
In inputs.conf, just have one monitoring stanza for WinEventLog://Application, like this:
[WinEventLog://Application]
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
renderXml=false
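To check the routing logic before deploying it, here is an added example (not from the answer above or from Splunk itself) that emulates what the parsing tier does with the [sqllogs] transform over two constructed classic-format Application events. It also shows two assumed extra transforms stanzas that would give the 33205 events the mssql:winevent sourcetype and mssql:audit source the question asked for, and why the (?m) flag is needed: EventCode is never on the first line of the event. Note that transforms like these run only where parsing happens (a heavy forwarder or indexer), not on a universal forwarder.

```python
import re

# Constructed samples of classic-format (renderXml=false) Application log
# events as the forwarder sees them; the first is a SQL Server audit event.
SQL_AUDIT_EVENT = """03/14/2023 10:15:22 AM
LogName=Application
SourceName=MSSQLSERVER
EventCode=33205
EventType=4
Type=Information
ComputerName=SQL01.example.local
Message=Audit event: event_time:2023-03-14 10:15:22.1234567 action_id:LGIS
"""

OTHER_APP_EVENT = """03/14/2023 10:15:25 AM
LogName=Application
SourceName=Microsoft-Windows-Security-SPP
EventCode=16384
EventType=4
Type=Information
ComputerName=SQL01.example.local
Message=Successfully scheduled Software Protection service for re-start
"""

# Each tuple mirrors one transforms.conf stanza: (REGEX, DEST_KEY, FORMAT).
# The first is the thread's [sqllogs]; the other two are assumed additions
# that rewrite sourcetype and source for the same events.
TRANSFORMS = [
    (re.compile(r"(?m)^EventCode=33205"), "_MetaData:Index", "mssql"),
    (re.compile(r"(?m)^EventCode=33205"), "MetaData:Sourcetype", "sourcetype::mssql:winevent"),
    (re.compile(r"(?m)^EventCode=33205"), "MetaData:Source", "source::mssql:audit"),
]

# Defaults set by the single inputs.conf stanza (index = windows).
DEFAULTS = {"_MetaData:Index": "windows",
            "MetaData:Sourcetype": "sourcetype::WinEventLog:Application",
            "MetaData:Source": "source::WinEventLog:Application"}

def apply_transforms(event, transforms=TRANSFORMS, defaults=DEFAULTS):
    """Emulate index-time routing: every transform whose REGEX matches writes
    its DEST_KEY; they run in list order, so a later match overwrites."""
    meta = dict(defaults)
    for regex, dest_key, fmt in transforms:
        if regex.search(event):
            meta[dest_key] = fmt
    return meta

def routed_index(event):
    return apply_transforms(event)["_MetaData:Index"]

def needs_multiline_flag(event, pattern=r"^EventCode=33205"):
    """True when the anchored pattern only matches once (?m) is present."""
    return re.search(pattern, event) is None and re.search("(?m)" + pattern, event) is not None
```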
Looks like it still doesn't parse it out; it still keeps going to the original index. I might try to do it at the heavy forwarder level and see if I can split it into two stanzas and have one transforms stanza do a negative lookahead to remove the logs from one, and then a second transforms stanza to include only those logs.
Try the same props and transforms on your heavy forwarder.
Yes! Thank you!