I am working on Graylog being used as a SIEM platform. I am almost done with Windows, Linux, Cisco routers, Fortinet firewalls & CheckPoint firewalls.
However, my main concern is ingesting logs from database servers, or logs which are stored in databases. For example, McAfee ePO logs, which are stored in a database, or SQL Server logs: can they be ingested into Graylog?
Writing to the application and security logs is actually pretty easy. The hardest problem I have is trying to extract the information out of the full_message field. For example, I want to create a new field to store the SQL query. I tried grok patterns and regular expressions, but am still struggling. This is not my forte.
Here is the full_message I want to split into separate fields.
I tried setting up nxlog for reading logs from a SQL table, but in the end ended up setting up Logstash with the jdbc input plugin and the gelf output plugin. Works fine.
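A minimal pipeline of the kind the reply above describes, as an added example and not the poster's own configuration: the jdbc input polls a SQL Server table and the gelf output ships each row to Graylog, with the query text kept in its own field. Table name, column names, hosts, paths and the account name are placeholders; the tracking column keeps restarts from re-ingesting rows already sent.

```conf
# Added example, not from the thread. Logstash pipeline: SQL Server audit
# table -> Graylog via GELF. All names below are placeholders.
input {
  jdbc {
    jdbc_driver_library => "/opt/jdbc/mssql-jdbc.jar"
    jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    jdbc_connection_string => "jdbc:sqlserver://db.example.internal:1433;databaseName=AuditDB;encrypt=true"
    # Read-only account scoped to the audit table; the password comes from
    # the Logstash keystore rather than being written into this file.
    jdbc_user => "graylog_reader"
    jdbc_password => "${JDBC_PASSWORD}"
    # Poll once a minute.
    schedule => "* * * * *"
    # Fetch only rows newer than the last one seen, ordered by the tracking
    # column, so a restart does not re-send history to Graylog.
    statement => "SELECT event_id, event_time, login_name, client_host, sql_text FROM dbo.sql_audit WHERE event_id > :sql_last_value ORDER BY event_id"
    use_column_value => true
    tracking_column => "event_id"
    tracking_column_type => "numeric"
    last_run_metadata_path => "/var/lib/logstash/sql_audit.lastrun"
  }
}

filter {
  # Keep the query text as its own field so Graylog can search it directly
  # instead of extracting it from full_message afterwards.
  mutate {
    rename => { "sql_text" => "sql_query" }
    add_field => { "source_type" => "mssql_audit" }
  }
}

output {
  gelf {
    host => "graylog.example.internal"
    port => 12201
    # GELF needs a short_message; use the login name field as the summary line.
    short_message => "login_name"
    custom_fields => { "tier" => "database" }
  }
}
```

Each row arrives in Graylog as one message with event_id, login_name, client_host and sql_query as separate fields, so no extractor or grok pattern is needed on the Graylog side.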