Hello @gsmith
Let me explain it better to you.
Curious about this statement,
I don't know if you remember, but I opened a topic before.
You even helped me understand my choices better. Anyway, the "logs" I'm talking about are literally data that I extract from MSSQL tables. Long story short, I need to get better security event data from a DLP solution, and the only way I was able to do that is this "dirty way", let's say.
Following the ideas that you and many others explained to me, I started writing a PowerShell script to dump that database data into a file and let Filebeat ship it to Graylog.
```powershell
# Invoke-Sqlcmd comes from the SqlServer module (Install-Module SqlServer)
Import-Module SqlServer

$SQLServer  = "1.1.1.1\server"
$db         = "dummy_data"
$user       = "dummyuser"
$dbPassword = "dummypass"   # renamed from $pwd, which shadows PowerShell's automatic $PWD variable
$logFile    = "C:\Program Files\Management Console\Logs\dummy_logs.log"

# Pull the five most recent events from the DLP reporting view
$selectdata = @"
SELECT TOP 5
       [date_time]
      ,[pc_name]
      ,[user_name]
      ,[file_name]
      ,[operation]
      ,[action]
      ,[source_type]
      ,[destination_type]
      ,[policy_name]
      ,[file_extension]
      ,[file_type]
      ,[file_size]
      ,[source_path]
      ,[destination_path]
      ,[application_name]
      ,[data_categories]
      ,[to_safe_zone]
      ,[is_tagged]
      ,[sensitive_content]
      ,[suspicous]
      ,[id_user]
      ,[id_pc]
      ,[id_application]
      ,[category_extension]
      ,[id_policy]
      ,[policy_bound]
      ,[module]
      ,[policy_restriction]
FROM [dummy_data].[pbi].[data_security_view]
ORDER BY date_time DESC
"@

$dump = Invoke-Sqlcmd -ServerInstance $SQLServer -Username $user -Password $dbPassword -Database $db -Query $selectdata

# Append one key=value line per row; Filebeat tails this file and ships it to Graylog
foreach ($row in $dump) {
    $line = "pc_name=$($row.pc_name) user_name=$($row.user_name) file_name=$($row.file_name) operation=$($row.operation)"
    Add-Content -Path $logFile -Value $line
}
```
I know this is not pretty, but it's a start. So, as you can see in my ugly code, after I perform a SELECT I dump the output into a text file, and the file looks like this.
So, it’s basically that.
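As an added example (this is not the original poster's script), here is an incremental version of the same MSSQL to log file to Filebeat flow that fixes the two things a practitioner would hit first with the "TOP 5, newest first" approach: the same rows get re-exported on every run, and `key=value` lines break as soon as a file name contains a space or an equals sign. The view and column names are the ones from the post; the state-file path, credential-file path, JSON output path and the 24-hour first-run window are my assumptions.

```powershell
# Added example, not the original poster's code. Incremental export of the DLP view
# to JSON lines, keyed on a date_time watermark so each event is written once.
Import-Module SqlServer

$SQLServer = "1.1.1.1\server"
$db        = "dummy_data"
$logFile   = "C:\Program Files\Management Console\Logs\dummy_logs.json"   # assumed output path
$stateFile = "C:\ProgramData\dlp-export\last_seen.txt"                    # assumed watermark path
$credFile  = "C:\ProgramData\dlp-export\sql.cred.xml"                     # assumed; create once with:
#   Get-Credential | Export-Clixml -Path $credFile   (DPAPI-protected, readable only by this user on this host)

$cred     = Import-Clixml -Path $credFile
$password = $cred.GetNetworkCredential().Password

# Watermark: only rows newer than the last date_time already exported.
if (Test-Path $stateFile) {
    $since = [datetime]::Parse((Get-Content -Path $stateFile -Raw).Trim())
} else {
    $since = (Get-Date).AddDays(-1)   # first run: last 24 h (assumed starting window)
}

# The timestamp is produced by this script, never by user input, so embedding it in the
# query text is safe. ORDER BY ASC so the last row returned becomes the new watermark.
# Caveat: rows that share the watermark's exact date_time but are inserted later are skipped;
# use a monotonically increasing id column as the watermark if the view exposes one.
$sinceSql = $since.ToString("yyyy-MM-ddTHH:mm:ss.fff")
$query = @"
SELECT [date_time],[pc_name],[user_name],[file_name],[operation],[action],
       [policy_name],[source_path],[destination_path],[application_name],
       [sensitive_content],[suspicous]
FROM [dummy_data].[pbi].[data_security_view]
WHERE date_time > '$sinceSql'
ORDER BY date_time ASC
"@

$rows = @(Invoke-Sqlcmd -ServerInstance $SQLServer -Database $db `
            -Username $cred.UserName -Password $password -Query $query -QueryTimeout 120)
if ($rows.Count -eq 0) { return }

# One JSON object per line: spaces or '=' inside file names and paths no longer break
# parsing, and Filebeat decodes the object into fields without a grok/regex step.
$lines = foreach ($r in $rows) {
    [pscustomobject]@{
        timestamp         = ([datetime]$r.date_time).ToString("o")
        pc_name           = $r.pc_name
        user_name         = $r.user_name
        file_name         = $r.file_name
        operation         = $r.operation
        action            = $r.action
        policy_name       = $r.policy_name
        source_path       = $r.source_path
        destination_path  = $r.destination_path
        application_name  = $r.application_name
        sensitive_content = $r.sensitive_content
        suspicious        = $r.suspicous   # source column name kept exactly as it appears in the view
    } | ConvertTo-Json -Compress
}
Add-Content -Path $logFile -Value $lines -Encoding UTF8

# Advance the watermark only after the write succeeded, so a failed run is retried, not lost.
New-Item -ItemType Directory -Path (Split-Path -Path $stateFile) -Force | Out-Null
Set-Content -Path $stateFile -Value ([datetime]$rows[-1].date_time).ToString("yyyy-MM-ddTHH:mm:ss.fff")
```

Run it from a scheduled task under the same account that created `sql.cred.xml` (DPAPI ties the blob to that user), and configure the Filebeat input to decode JSON lines (`json.keys_under_root: true` on a log input, or an `ndjson` parser on a filestream input) so each key arrives in Graylog as its own field.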