Gray Log / Monitoring SQL Server

Friends, good morning!

I need some help with monitoring in SQL SERVER.
I’m dumping the log on an example drive: d:\logs\graylog.

I installed the client (Filebeat) and pointed to the directory above the example and I can see the logs arriving in the graylog successfully but I can’t filter inside the “message” field

Problem: I need to create a filter with keyword (CREAT LOGIN) that appears in the field “Message” and I can’t, can you help?

Below is an example of the log in the “Message” field

    • .X Z Z �R�� ~VB�RI-�/��o_3, .^
      No. 4��� dbo
      2021 WITH PASSWORD=N’

OR is there any way to improve the result of this log in the field? Has anyone done some kind of monitoring and SQL in some other way? I tried to use winlogbeat, I didn’t have much success. It only brings windows logs…

Operating system information

Oracle Linux Server release 8.4

Package versions

Graylog 4.1.3

Hello && Welcome

I would have to say yes depending on how you configured you setup.

Your message shown above could be a couple different reasons why its like that. It could be the type of INPUT your using compared to the type of log file format sent.

What kind of file format is your SQL log files in? By chance are they an XEL File (.xel), TRC File (.trc)? Or are you using just ERRORLOG file?
Are you using a beat input?

I noticed that your path to the log file is configured for Windows? is this correct?

In our environment the MYSQL server logs are in MS event viewer so that way we just use the standard Winlogbeat format for MS and Beats INPUT on graylog.


  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: ForwardedEvents
    tags: [forwarded]

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

I also enabled more audit logging on our SQL server as shown below and may I add, windows has a lot of ways to add more auditing so be carful what you enable.

Hope that helps

Hello Friend!!
Thanks for the help… very grateful

I need to monitor these issues in SQL below … so we have enabled more audit trails and are recording these actions in a “.sqlaudit” file in the d:** directory

login and logout
User creation
password reset
disable user
enable user
Assign permissions to roles.
Add users as members to roles (admin etc)
delete user

As the connector (Winlogbeat) monitors (Security, Application, System) I found it interesting to work with another connector (Filebeat) and point to directory d:** where the “.sqlaudit” file is.

It is parameterized in this way


Needed for Graylog

fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

hosts: ["***********:5044"]
date: C:\Program Files\Graylog\sidecar\cache\filebeat\data
logs: C:\Program Files\Graylog\sidecar\logs

  • windows
  • type: log
    enabled: true
    • D:\Audit_Logs*************.sqlaudit

do you monitor this kind of events through Winlogbeat?

Do you really know the difference between Nxlog and Filebeat?



Yes, the example above I showed you is my Winlogbeat config and this is my Nxlog configuration file.

            <Query Id="0" Path="Application">
                <Select Path="Application">*</Select>
                <Select Path="Microsoft-Windows-Winsock-AFD/Operational">*</Select>
                <Select Path="Microsoft-Windows-Wired-AutoConfig/Operational">
                <Select Path="Microsoft-Windows-Wordpad/Admin">*</Select>
                <Select Path="Windows PowerShell">*</Select>

To help you further here is some more information.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.