Importing SQL flat files are not displaying properly

We have having with SQL logs being displayed properly in graylog. Whenever we get logs from SQL server, it shows as like:

B a c k u p V i r t u a l D e v i c e F i l e : : T a k e S n a p s h o t

All text coming from our SQL server looks like this, with the space in between each letter. However, when I copy the text out to say work or notepad++, it copies just fine without the spacing.

BackupVirtualDeviceFile::TakeSnapshot

We are using graylog 5 with sidecar 1.3.0. We are also using filebeats to pull the file. The sql file is ERRORLOG that we are pulling from. Have no other problems pulling from any other flat files.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["x.x.x.x:yyyy"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
 - windows
filebeat.inputs:
- type: log
  enabled: true
    - path to ERRORLOG

Hey @Chase
Not sure what going on , but have you tried to enable mysql module see something here about it .

By chance what type of file extension are SQL logs?

Does this apply to MSSQL as well?

Thanks,

Chase

A couple of thoughts:

• You could try the new type of filestream rather than log

• you seem to be missing paths:…

...
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - <Path to ERRORLOG>
...

• Your data and logs seem odd… in that I haven’t seen it done before with a variable and the path…

  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs

Side note - I cleaned up your code using the </> forum tool so the look like code and have readable indentation…

I’ve tried filestream, and it is the same.

Thanks.

Chase

There are other parts to my post…?