Splunk Enterprise

SPLUNK SQL AUDIT

edgarsilva01
Path Finder
Hello

I have a problem with some .sqlaudit files

These files are being stored in the following path Z: \ audit \
Install a forwarder but Splunk doesn't seem to recognize these files.

Use the Splunk app add-on for SQL Servers, and only be logs of Performance.

Does anyone know how I can get the .sqludit files?
Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust
sqlaudit files are not text so they will not be indexed by Splunk. You will need to use a third-party tool to export the sqlaudit file to a text file that can be indexed.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

kamila44cw
Loves-to-Learn Lots

Hi edgarsilva01,

Di you manage to find a solution for this. I am having the same problem. My environment was already setup by someone else, and when I do a search with index=sql I get 10 source which include the ERRORLOG files in MSSQL\Log\ folder and another source called "Index SQL CDS Server Audit", not sure where this source is coming from.

I cannot see any logs originating from the .sqlaudit file

 

Kind Regards..

0 Karma

isoutamo
SplunkTrust
SplunkTrust
0 Karma

edgarsilva01
Path Finder

Hi Soutamo,

 


The link process is already done, however the output of the files is .sqlaudit and in the same way Splunk does not index them 😞

 

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

does this https://stackoverflow.com/questions/48345774/output-sqlaudit-file-results-to-text-file-tsql help you? Unfortunately I haven’t any ms sql where to test this. 

r. Ismo

0 Karma

richgalloway
SplunkTrust
SplunkTrust
sqlaudit files are not text so they will not be indexed by Splunk. You will need to use a third-party tool to export the sqlaudit file to a text file that can be indexed.
---
If this reply helps you, Karma would be appreciated.
0 Karma

edgarsilva01
Path Finder

Hi Richgalloway

 

What process do you recommend?

 

Regards

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...