Hi guys,
First of all, appreciated any tip or advice in this matter.
Do you guys know if it’s possible to gather data from SQL server tables to Graylog? to be more clear, I have a third-party application that stores a lot of security events in some tables, and for a strange reason, this information are not sent via Syslog “SIEM” integration, I found out that the developer decided to not do it, so, the best way that I could retrieve this data will be accessing the database directly.
What would be the best approach in your opinion? for instance, execute a SQL script to dump the data in a folder and use a “parser” like filebeat to collect the data and send it to Graylog?
Or maybe we do have a better approach, like using some Graylog plugin to connect directly to the DB?
If you have a macro view of this scenario, or if you already have been through this, I would be very grateful to hear about it and after that, do my own research to fill the technical gaps.
I’m starting to feel a bit lost in finding a solution or a simple path to follow, so I thought to open this topic to hear the opinion from the Graylog community.
Thank you all in advance.
Ps: I already have searched for this subject on the forum topics, but I didn’t find a similar situation of mine.
Graylog receives data, as for getting a connection to a SQL data base you may need something like Zabbix. Grafana, LibreNMS, etc…
Depends, if you execute a dump I don’t know how the log shipper can read those tables in the .sql file.
If the SQL server in questioned is on Windows OS then I would use something like MetricBeat and/or Winlogbeat depending what data you want to trend. I have actually had old dump log files and used Nxlog to scan the whole file and send it to Graylog. Most Beat/Nxlog shipper have setting to scan log files from the beginning.
With all that being said, take a look at these posts.
So, let me try to explain better, I have a DLP solution that does not export all the security events through Syslog, So I was thinking in collect this data directly from the DB tables.
From the information I gathered from my research I have seen that this is not a usual task, so I’m very interested in all the approaches that I could get, like exporting the table information to a txt (just as an example) and using another application like beat/Nxlog as you have told me, to get the information and send to Graylog.
And answering your question, yes, it is an application that runs over a Windows OS and the database is an MSSQL instance.
The data that I want its things like the name of the endpoint, name of the user, date and time, name of the file, file operation, and so on, this event data is very rich to some behavior analysis and alerting that I want to try to use Graylog to process this information.
Thanks again for the help, and I will read the posts that you have indicated.
