How to send SQL DB logs to Graylog

Hi,
I am trying to send SQL DB logs to Graylog. Does anybody have an idea of how to send DB logs to Graylog?

Thanks

If it’s just a file - then you can use Filebeat.

It’s the table we have that the app writes into.

I can suggest 2 ways

  1. Output the table content to a file; I believe your DB engine allows that. Then get the data from the file via Filebeat. You can also check the available Graylog Inputs and what kind of API your DB supports, and find a matching one.
  2. Avoid file creation, so some script will query the table periodically and send the data directly to Graylog using UDP/TCP inputs.
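A sketch of the second option, added here as an example and not part of the original post: a poller that reads rows above a stored high-water mark with a parameterized query and frames each row as a null-terminated GELF 1.1 message for a Graylog GELF TCP input. Assumptions: `sqlite3` stands in for the real database driver, the `Message` column and the rows are constructed, and the host names and port are placeholders; only `test1` and `RecordID` come from the thread.

```python
import json
import socket
import sqlite3
import time

def demo_db():
    """Constructed sample table; sqlite3 stands in for the real DB driver."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE test1 (RecordID INTEGER PRIMARY KEY, Message TEXT)")
    conn.executemany("INSERT INTO test1 (Message) VALUES (?)",
                     [("login ok",), ("login failed",), ("password changed",)])
    return conn

def poll(conn, last_id):
    """Return rows newer than last_id plus the new high-water mark."""
    cur = conn.execute(
        "SELECT * FROM test1 WHERE RecordID > ? ORDER BY RecordID", (last_id,))
    rows = [dict(r) for r in cur]
    return rows, (rows[-1]["RecordID"] if rows else last_id)

def row_to_gelf(row, source_host):
    """Map one row to a GELF 1.1 message; columns become additional fields."""
    msg = {"version": "1.1", "host": source_host,
           "short_message": str(row.get("Message") or "db row"),
           "timestamp": time.time(), "level": 6}
    for col, value in row.items():
        name = "record_id" if col.lower() == "id" else col  # GELF forbids "_id"
        msg["_" + name] = value
    return msg

def frame(msg):
    """GELF TCP framing: one JSON document followed by a null byte."""
    return json.dumps(msg, default=str).encode("utf-8") + b"\x00"

def ship(rows, source_host, graylog_addr):
    """Send rows to a Graylog GELF TCP input at (host, port)."""
    with socket.create_connection(graylog_addr, timeout=5) as sock:
        for row in rows:
            sock.sendall(frame(row_to_gelf(row, source_host)))

if __name__ == "__main__":
    conn, last_id = demo_db(), 0
    rows, last_id = poll(conn, last_id)   # persist last_id between runs
    for row in rows:
        print(frame(row_to_gelf(row, "db-host.example")))
    # ship(rows, "db-host.example", ("graylog.example", 12201))  # placeholder address
```

Store `last_id` somewhere durable (a file or a state table) so that a restart neither re-sends nor skips rows.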

Thanks @zoulja for the suggestions, I will try both the options. Please let me know if there is any guide or documentation on sending DB logs to Graylog.

Hi @zoulja, I tried the second option. I am using nxlog.conf to send the DB logs to Graylog. Below is the nxlog.conf.

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Input mssql>
    Module      im_file
    File        "D:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG"
    Exec        convert_fields('UCS-2LE','UTF-8'); if $raw_event == '' drop();
</Input>

<Input reading_integer_id>
    Module              im_odbc
    ConnectionString    Driver={ODBC Driver 17 for SQL Server}; Server=MSSQL-HOST; Trusted_Connection=yes; Database=TESTDB
    IdType  integer
    SQL     SELECT RecordID AS id, * FROM dbo.test1 WHERE RecordID > ?
    Exec    delete($id);
</Input>

<Output graylog>
    Module      om_tcp
    Host          Server IP
    Port           XXXX
    OutputType  GELF TCP

    #Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route mssql>
        Path    mssql => graylog
</Route>
<Route reading_integer_id>
        Path    reading_integer_id => graylog
</Route>

I have created 2 inputs: 1 to send the DB error logs and 2 to send the DB table logs.

I am getting the below error in nxlog:

2019-12-04 17:16:29 ERROR Invalid OutputType 'GELF TCP' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39
2019-12-04 17:16:29 ERROR module 'graylog' has configuration errors, not adding to route 'mssql' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46
2019-12-04 17:16:29 ERROR route mssql is not functional without output modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46
2019-12-04 17:16:29 WARNING no routes defined!
2019-12-04 17:16:29 WARNING not starting unused module mssql
2019-12-04 17:16:29 WARNING not starting unused module graylog

Please suggest what should be the output type for sending DB logs.

Thanks

Never tried nxlog, but I believe Input type must be Beats, not GELF


Thank you. I will try with Beats.