MSSQL LOGS FORWARDING ISSUE

43 views
Skip to first unread message

wazuh user

unread,
Mar 12, 2026, 2:33:58 AM (4 days ago) Mar 12
to Wazuh | Mailing List
Hi wazuh community,

Currently i have issue with mssql logs forwarding to wazuh. my situation is :

- only error logs are available to be forwarded by mssql server
- query logs are only readable from mssql server, they are not in txt or .log format
- syslog is not installed in the server

If anyone that have expertise or experience in this issue, appreciate your help.

Thankyou.

Regards,
Wazuh Toddler

infosec

unread,
Mar 12, 2026, 3:22:31 AM (4 days ago) Mar 12
to wazuh user, Wazuh | Mailing List
Hey,

Regarding this, you have to select what all logs to be audited and you don't try t.t logs wont be properly written, tey forwarding to event viewer them forward from there, let me know if you have any questions, happy to help




--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/ff1b087e-f3ac-4aa6-b8aa-93e2a01c1954n%40googlegroups.com.

infosec

unread,
Mar 12, 2026, 4:46:19 AM (4 days ago) Mar 12
to wazuh user, Wazuh | Mailing List
Sure no problem, we connect by 6pm IST, let me know if this works for you, will schedule it accordingly 

On Thu, 12 Mar, 2026, 1:56 pm wazuh user, <wazuhu...@gmail.com> wrote:
Hi,

yes i would like to know more in detail, since i have little to no experience with mssql logging. Your help is much appreciated.

Thank you

Md. Nazmur Sakib

unread,
Mar 12, 2026, 4:58:53 AM (4 days ago) Mar 12
to Wazuh | Mailing List

Hello,

You can use the Application event channel to collect MSSQL logs 

1.png


Now you can write rules like this to see those logs in the Dashboards.

<group name="windows,">

  <rule id="100103" level="6">

    <if_sid>61070</if_sid>

    <field name="win.system.eventid">^33205</field>

    <description>MS SQL event</description>

  </rule>

</group>



Check this document to learn more about writing custom rules:

Rules Syntax
Custom rules



Let me know if you need any further help on this.

wazuh user

unread,
Mar 12, 2026, 5:00:15 AM (4 days ago) Mar 12
to infosec, Wazuh | Mailing List
Hi,

yes i would like to know more in detail, since i have little to no experience with mssql logging. Your help is much appreciated.

Thank you

On Thu, Mar 12, 2026 at 3:22 PM infosec <infosecr...@gmail.com> wrote:

wazuh user

unread,
Mar 13, 2026, 12:24:32 AM (3 days ago) Mar 13
to Md. Nazmur Sakib, Wazuh | Mailing List
Thankyou for the sharing, does later the logs automatically come in with the windows OS logs ? or we need to monitor certain file path

You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/-tz8EnOCZFA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/7aced1ca-79ec-4312-817a-a9e60b8d5b1fn%40googlegroups.com.

Md. Nazmur Sakib

unread,
Mar 13, 2026, 12:50:32 AM (3 days ago) Mar 13
to Wazuh | Mailing List

Once the logs go to the Application event channel. Wazuh can collect the logs from the Application event channel.

By default, the Windows endpoint agents have this in the ossec.conf

<localfile>

    <location>Application</location>

    <log_format>eventchannel</log_format>

  </localfile>


To collect the Application event channel logs.

So you do not need to mention any other path in the configuration.

You will only need to make custom rules to get alerts from those logs.


Reply all
Reply to author
Forward
0 new messages