Is it possible to add SQL logs without server add-...

mhpapa62 · ‎12-10-2019

Can I add SQL logs without the SQL server add-on?
I need to add SQL logs. I've requested to do this on Splunk and also read many Splunk docs,
but all of them refer to the add on.

We don't have it installed and looks like we have no plans to do it in the near future.
So, in the meantime, how can I add SQL logs into Splunk 8.0.0?

gcusello · ‎12-11-2019

Hi @mhpapa62,
if you're speaking of SQL Server logs, they are in the Windows Event Viewer, so you can take this and search for the specific SQL Server EventCodes.
The way to take them are different: use the Windows Add-on it's the easiest way, but you can take them also by Splunk Enterprise [Settings -- data Inputs -- Remote event log collections] but this method uses WMI and needs a domain account (I don't like it!).

It's different if you want to extract data from the database: the easiest way is to use DB-Connect App, otherwise, you could schedule a query on the DB that writes results in a file and then read these files using the Splunk Universal Forwarder.

Ciao.
Giuseppe

mhpapa62 · ‎12-11-2019

Thank you Giuseppe. Just a question, are you using Splunk 8? I can't find [Settings -- data Inputs -- Remote event log collections] on Splunk 8 settings. Just [Data, Report acceleration Summaries / Source Types].

gcusello · ‎12-11-2019

Hi @mhpapa62,,
yes, but WMI is available only on Windows machines, so you should use an Heavy Forwarder instaled on Windows Operative System.

Ciao.
Giuseppe

Is it possible to add SQL logs without server add-on?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application