Introduction
The tags beginning with db.mssql identify events generated by Microsoft SQL Server.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as db.mssql. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype |
|---|---|---|---|
db | mssql |
... |
... |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
| tag1 | db.mssql.events |
How is the data sent to Devo?
Use the info in the How is the data sent to Devo? section of the internal doc to fill this section with the required method
Event source → Relay → Devo
Logs generated by Cisco must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Add all the rules following the format of the example below:
Relay rule 1 - Versa NGFW Access
Source Port → 13030
Source Data → (.*)accessLog, applianceName=(.*)
Target Tag → network.versa.ngfw.access
Select the Stop Processing and Sent without syslog tag checkboxes
Relay rule 2 - name
...
Event source → Collector → Devo
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Collector article.
Logs generated by ... are forwarded to Devo using a dedicated collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process. Use this if the collector is not documented
Other (Syslog):
You can forward logs generated by Company using any Syslog drain (for example, Syslog-ng). Learn more about how to send Company logs and their structure here.
Log samples
The following are sample logs sent to each of the db.mssql data tables. Also, find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
db.mssql.events
2021-09-20 09:59:21.266 localhost=127.0.0.1 db.mssql.events.na.app.logs.host[asdfg1233].ip[10.000.144.00]:{"EventTime":"2021-09-20 05:59:20","Hostname":"cpcwvibmosdp01.americas.manulife.net","Keywords":45035996273704960,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":33205,"SourceName":"MSSQLSERVER","Task":4,"RecordNumber":1375475280,"ProcessID":0,"ThreadID":0,"Channel":"Application","Message":"Audit event: audit_schema_version:1\nevent_time:2021-09-20 09:59:20.4456064\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:198\nserver_principal_id:275\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.101.128.16\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:D1496F9F-948B-463B-8FF4-B23D88E1E9F7\nsession_server_principal_name:MLIDDOMAIN1\\npm_admin\nserver_principal_name:MLIDDOMAIN1\\npm_admin\nserver_principal_sid:010500000000000515000000d8396e0063269a4305684862f9080b00\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:CPCWVIBMOSDP01\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>4096</packet_data_size><address>10.101.128.16</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:SolarWinds.InformationService.ServiceV3@domain-Orion\n.","Category":"Logon","EventReceivedTime":"2021-09-20 05:59:20","SourceModuleName":"eventlog_sql","SourceModuleType":"im_msvistalog","SyslogFacilityValue":13,"SyslogSeverityValue":5,"cost_center":"0000","configuration_item":"CI00000584436","team_email":"ibmsqldba@test.com"}
And this is how the log would be parsed:
Field | Value | Type | Extra field | Source field name |
|---|---|---|---|---|
eventdate |
|
| ||
environment |
|
|
| |
application |
|
|
| |
clon |
|
|
| |
hostname |
|
| ||
user |
|
| ||
eventTime |
|
| ||
hostname2 |
|
| ||
keywords |
|
| ||
eventType |
|
| ||
severityValue |
|
| ||
severity |
|
| ||
eventID |
|
| ||
sourceName |
|
| ||
task |
|
| ||
recordNumber |
|
| ||
processID |
|
| ||
threadID |
|
| ||
channel |
|
| ||
message |
|
| ||
category |
|
| ||
eventReceivedTime |
|
| ||
sourceModuleName |
|
| ||
sourceModuleType |
|
| ||
syslogFacilityValue |
|
| ||
syslogSeverityValue |
|
| ||
costCenter |
|
| ||
configurationItem |
|
| ||
teamEmail |
|
| ||
hostchain |
|
| ✓ | |
tag |
|
| ✓ | |
rawMessage |
|
| ✓ |