Not able to get MS-SQL Server Error-log events - WAZUH


Milind Trivedi

Jan 24, 2019, 2:44:13 AM
to Wazuh mailing list, Ashesh Trivedi

Hi Team,

Our platform team has installed/configured WAZUH in our non-production environment to perform a POC. As per their observation, it looks like the client is not able to fetch, or is not fetching, data from the Microsoft SQL Server 2014 Error Log. As a result, we are not getting any alerts for SQL Server Error-log events, though we are not observing any error or problem.

We have Microsoft SQL Server 2014 Enterprise Edition on the Windows platform. I have received the snippet which our team has used for the configuration, as shown below.

<localfile>
    <location>C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG</location>
    <log_format>syslog</log_format>
</localfile>

Is it possible, or are we missing any configuration? It will be a great help if you are able to provide any details on this matter. Thanks in advance.

Thanks,

Milind Trivedi
Sr. Database Administrator
m: +91 98867 49085 | w: www.contis.com

Contis Group Limited is registered in England, company number 06499022 Registered office; Navigation House, Belmont Wharf, Skipton, North Yorkshire, BD23 1RL. 
This e-mail is intended solely for the addressee, is strictly confidential and may also be legally privileged. If you are not the addressee you may not read, print, copy, re-transmit, store 
or rely on it or on any file attached to it. Instead, please e-mail it back to the sender and then immediately permanently delete it. 
Contis Group accepts no responsibility for viruses found in this e-mail or in any attachment. This e-mail and any attachment is protected by copyright and any  unauthorised copying 
or use is actionable. We reserve the right to monitor all emails and all other forms of communication whether electronic or otherwise either  sent by or received by employees.

Jesus Linares

Jan 24, 2019, 4:39:18 PM
to Wazuh mailing list
Hi Milind,

Probably, the agent is gathering the events and sending them to the manager. But, on the manager side, there are no rules to trigger the alert. So, you will not see anything in the alerts.json / Kibana.

You can troubleshoot the issue following these steps:

1. On the agent side, review if there are errors in the ossec.log file. Also, check if there is a log from logcollector specifying that it is monitoring the MS-SQL file.
2. Be sure that the MS-SQL file is getting new events.
3. It is possible that the MS-SQL events are not generating alerts because there is no rule for the events (https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0295-mysql_rules.xml) or the decoder is not working. You can enable the log_all setting to debug it. In this way, every event will be sent to /var/ossec/logs/archives/archives.json. If you see in that file the MS-SQL events, it means that your agent is properly configured and the ruleset is not capturing the event to generate the corresponding alert.
4. If you have the MS-SQL events in the archives.json file, just copy the full_log field of an event to the testing tool: /var/ossec/bin/ossec-logtest. You must see the phase 3 (alerting); otherwise, the decoders/rules are not working.

If you share the events we can help you.

I hope it helps.

Regards,
Jesus Linares.

Milind Trivedi

Jan 30, 2019, 8:15:34 AM
to Jesus Linares, Wazuh mailing list, Ashesh Trivedi

Unfortunately we’re not successful yet. Here are our observations, as highlighted inline with a yellow colour background.

Thanks, and looking forward to your help in this matter.

 

Milind Trivedi

Sr. Database Administrator



From: wa...@googlegroups.com <wa...@googlegroups.com> On Behalf Of Jesus Linares
Sent: 25 January 2019 03:09
To: Wazuh mailing list <wa...@googlegroups.com>
Subject: Re: Not able to get MS-SQL Server Error-log events - WAZUH

 

Hi Milind,

Probably, the agent is gathering the events and sending them to the manager. But, on the manager side, there are no rules to trigger the alert. So, you will not see anything in the alerts.json / Kibana.

You can troubleshoot the issue following these steps:

1. On the agent side, review if there are errors in the ossec.log file. Also, check if there is a log from logcollector specifying that it is monitoring the MS-SQL file.

<Observation>As per our platform team, there is no error in the ossec.log file. It has an entry of “analysing the file”.</Observation>

2. Be sure that the MS-SQL file is getting new events.

<Observation>Yes, we do have new events. To start with, we haven’t kept any filter to flow all the events/logs.</Observation>

3. It is possible that the MS-SQL events are not generating alerts because there is no rule for the events (https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0295-mysql_rules.xml) or the decoder is not working. You can enable the log_all setting to debug it. In this way, every event will be sent to /var/ossec/logs/archives/archives.json. If you see in that file the MS-SQL events, it means that your agent is properly configured and the ruleset is not capturing the event to generate the corresponding alert.

<Observation>We have verified that there is a rule file and have tested with the decoder command. We have already tried with the log-all option. We don’t see any event in the “archives.json” file. The provided URL is in reference to MySQL; is it identical to MS-SQL?</Observation>

4. If you have the MS-SQL events in the archives.json file, just copy the full_log field of an event to the testing tool: /var/ossec/bin/ossec-logtest. You must see the phase 3 (alerting); otherwise, the decoders/rules are not working.

<Observation>To make it simple from initial, we have kept phase 3 only. We are not getting any MS-SQL error to ossec server.</Observation>

If you share the events we can help you.

<Observation>Please let us know, as we don’t see any error or trouble-point, which exact file or log you would like to validate?</Observation>

I hope it helps.

Regards,
Jesus Linares.




Jesus Linares

Jan 30, 2019, 8:28:44 AM
to Wazuh mailing list
Hi Milind,

We don’t see any event in the “archives.json” file

If you enabled the logall option in the manager, you must see all the events received in the manager regardless of whether there are rules for that kind of event. So, it is possible that the agent is not reading the file properly. Is it the file created before the agent starts?

Could you share some logs from this file: C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG?

Thanks.


Jesus Linares

Feb 4, 2019, 3:22:53 AM
to Wazuh mailing list
Hi Milind,

Did you finally resolve your issue?

Regards.

Milind Trivedi

Feb 4, 2019, 3:34:07 AM
to Jesus Linares, Wazuh mailing list, Ashesh Trivedi

Hi Jesus,

Unfortunately no, we are stuck at the same point. We are having a problem with capturing Microsoft SQL Server Error-log related events. The rest is working as expected (e.g. capturing Windows OS events etc.). You have asked me to upload the MS SQL Error-log file, but I am not getting a post or reply option after logging into the Google Groups portal. Do you have any option/feasibility where we can share the window with you and show you the issue online? Let us know how we can proceed further.

We really appreciate your follow-up on this matter. Thanks

 

Milind Trivedi

Sr. Database Administrator



Milind Trivedi

Feb 4, 2019, 4:38:29 AM
to Jesus Linares, Wazuh mailing list, Ashesh Trivedi

Hi Jesus,

Is it the file created before the agent starts?

Yes, as MS SQL Server will be online continuously. Under very specific reason(s) or requirement(s) it will require a restart.

 

Milind Trivedi

Sr. Database Administrator



Jesus Linares

Feb 4, 2019, 10:16:56 AM
to Wazuh mailing list
Hi Milind,

Agent verification

You should see an event like the following one in the ossec.log of your agent:
2019/02/04 09:42:19 ossec-logcollector: INFO: (1950): Analyzing file: '<path_to_your_file>'.

Also, review if there are errors. Please, attach the ossec.log of the agent if possible.


Ruleset verification

Please, verify that your events generate an alert with a level higher than or equal to 3. You can use the logtest tool. Here is an example:

# /var/ossec/bin/ossec-logtest
2019/02/04 09:47:47 ossec-testrule: INFO: Started (pid: 3166).
ossec-testrule: Type one log per line.

2019-01-17 20:38:25.14 example     Error: 35262, Severity: 17, State: 1.

**Phase 1: Completed pre-decoding.
       full event: '2019-01-17 20:38:25.14 example     Error: 35262, Severity: 17, State: 1.'
       timestamp: '(null)'
       hostname: 'localhost'
       program_name: '(null)'
       log: '2019-01-17 20:38:25.14 example     Error: 35262, Severity: 17, State: 1.'

**Phase 2: Completed decoding.
       decoder: 'sqlserver'
       sqlserver.error: '35262'
       sqlserver.severity: '17'
       sqlserver.state: '1'

**Phase 3: Completed filtering (rules).
       Rule id: '85009'
       Level: '3'
       Description: 'SQL Server error.'
**Alert to be generated.


# /var/ossec/bin/ossec-logtest
2019/02/04 09:48:34 ossec-testrule: INFO: Started (pid: 3212).
ossec-testrule: Type one log per line.

2019-01-17 20:38:25.26 example     Starting up database 'db_example'.

**Phase 1: Completed pre-decoding.
       full event: '2019-01-17 20:38:25.26 example     Starting up database 'db_example'.'
       timestamp: '(null)'
       hostname: 'localhost'
       program_name: '(null)'
       log: '2019-01-17 20:38:25.26 example     Starting up database 'db_example'.'

**Phase 2: Completed decoding.
       decoder: 'sqlserver'
       sqlserver.dbname: 'db_example'

**Phase 3: Completed filtering (rules).
       Rule id: '85001'
       Level: '3'
       Description: 'Starting up database.'
**Alert to be generated.


There are only 10 rules for MS SQL (https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0440-ms_sqlserver_rules.xml), so maybe some events will not generate an alert. You can modify the main rule (https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0440-ms_sqlserver_rules.xml#L12) to always generate an alert, just by changing the level to 3:

1. Add the following rule to /var/ossec/etc/rules/local_rules.xml:

  <rule id="85000" level="3" overwrite="yes">
    <decoded_as>sqlserver</decoded_as>
    <description>SQL Server messages.</description>
  </rule>

2. Restart the manager.

Now, every MS SQL event must generate an alert (if it is properly decoded: https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0395-sqlserver_decoders.xml).


Elasticsearch

If you don't see the event in Kibana, maybe they are not indexed due to some error in Elasticsearch. Can you review the Elasticsearch logs?


I hope it helps.

Regards.






Jesus Linares

Feb 4, 2019, 10:22:07 AM
to Milind Trivedi, Wazuh mailing list, Ashesh Trivedi
Hi Milind,

I replied to the email in the wazuh-list. I tested some of the events of your file and some of them are generating alerts. So, this is how I would debug it:
  • Check the ossec.log in the agent. Enable logall in the manager to review every raw event that the manager receives.
  • If the manager receives the event, review if you need to create more rules for capturing all the events. I recommend increasing the level in the main rule (explained in wazuh-list).
  • If you are sure that you are receiving the events correctly, and they generate alerts, review Elasticsearch in order to find indexing errors.

I think you should be able to upload files in wazuh-list. Let's talk there.

Regards,

Jesús Linares 
IT Security Engineer — Wazuh, Inc.
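
The debugging order given in the two replies above (agent, then decoder and rules, then Elasticsearch) can be run mechanically over archives.json once logall is enabled. The following is an added example, not code from the thread or from Wazuh; the function names are hypothetical, the records are constructed, and it assumes archives.json holds one JSON object per line with `location`, `decoder.name` and `rule.level` fields next to the `full_log` field named in the thread.

```python
import json

# Path taken from the <localfile> block posted in the thread.
ERRORLOG = r"C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG"


def triage(archive_lines, location_suffix, decoder="sqlserver", min_level=3):
    """Return (stage, counts): the first stage at which this file's events stop.

    Assumed record layout (one JSON object per line): "location",
    "full_log", "decoder": {"name": ...} and, if a rule matched,
    "rule": {"level": ...}.
    """
    counts = {"received": 0, "decoded": 0, "alerting": 0}
    for line in archive_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if not isinstance(event, dict):
            continue
        if not str(event.get("location", "")).endswith(location_suffix):
            continue  # event from another source, e.g. Windows event logs
        counts["received"] += 1
        if (event.get("decoder") or {}).get("name") == decoder:
            counts["decoded"] += 1
        if int((event.get("rule") or {}).get("level", 0)) >= min_level:
            counts["alerting"] += 1
    if counts["received"] == 0:
        stage = "collection"  # nothing arrived: look at the agent and the file
    elif counts["alerting"] > 0:
        stage = "indexing"    # alerts exist on the manager: look at Elasticsearch
    elif counts["decoded"] == 0:
        stage = "decoder"     # raw events arrive but are not decoded
    else:
        stage = "rules"       # decoded, but no rule reaches min_level
    return stage, counts


def demo():
    """Four constructed archives.json excerpts, one per outcome."""
    def rec(location, full_log, decoder=None, level=None):
        event = {"location": location, "full_log": full_log}
        if decoder:
            event["decoder"] = {"name": decoder}
        if level is not None:
            event["rule"] = {"level": level}
        return json.dumps(event)

    # All records below are constructed sample data.
    windows = rec("EventChannel", "constructed Windows event", "windows_eventchannel", 3)
    raw = rec(ERRORLOG, "2019-01-17 20:38:25.30 example     constructed line, no decoder")
    quiet = rec(ERRORLOG, "2019-01-17 20:38:25.26 example     constructed informational line",
                "sqlserver", 0)
    error = rec(ERRORLOG, "2019-01-17 20:38:25.14 example     Error: 35262, Severity: 17, State: 1.",
                "sqlserver", 3)
    cases = {
        "only_windows": [windows, ""],
        "undecoded": [windows, raw],
        "level_too_low": [windows, quiet, '{"location": "trunc'],
        "alerting": [windows, quiet, error],
    }
    return {name: triage(lines, "ERRORLOG") for name, lines in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `only_windows` case matches the situation reported in this thread: Windows events reach the manager while nothing arrives from the ERRORLOG location, which points at collection on the agent rather than at the ruleset.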

Milind Trivedi

Feb 4, 2019, 10:55:40 AM
to Jesus Linares, Wazuh mailing list, Ashesh Trivedi

Thank you Jesus for the update / details. We’ll follow the provided steps/validations and update you tomorrow, as our platform team has left for the day. As per my limited understanding, it looks like the problem is happening with the live SQL Error-log file, which doesn’t have an extension (as shown highlighted in the screenshot). SQL Server keeps logging the details in this live error log file. Old or previous files have a number extension. I am just speculating and not sure if that is the problem area.

You should see an event like the following one in the ossec.log of your agent:

2019/02/04 09:42:19 ossec-logcollector: INFO: (1950): Analyzing file: '<path_to_your_file>'.

Yes I guess, we can see similar. We’ll update more on this.

Also, review if there are errors. Please, attach the ossec.log of the agent if possible.

The hard part is, we don’t see any error in the ossec.log file. We’ll try to share it with you (last time, due to the large file size, we avoided sharing it with you).

 

Milind Trivedi

Sr. Database Administrator



Jesus Linares

Feb 11, 2019, 9:07:02 AM
to Wazuh mailing list
Hi Milind,

The ERRORLOG file has this codification: UCS-2 LE BOM. I'm checking if logcollector is able to read that kind of codification.

Thanks.


Jesus Linares

Feb 13, 2019, 2:29:28 AM
to Wazuh mailing list
Hi Milind,

It looks like the problem is related to the file codification. I created an issue and it will be fixed as soon as possible: https://github.com/wazuh/wazuh/issues/2584.

Meanwhile, you could review if it is possible to change the file codification from MS SQL.

I hope it helps.

Regards,
Jesus Linares.
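
The encoding finding above ("UCS-2 LE BOM", i.e. UTF-16LE with a byte-order mark) can be checked and worked around outside SQL Server. The following is an added example, not code from the thread or from Wazuh: it detects the BOM, shows what a byte-oriented reader that stops at the first NUL would keep of a line (an assumption made for illustration, not a statement about logcollector's code), and incrementally copies complete lines into a UTF-8 file that a `<localfile>` entry could monitor instead. All function names and the `ERRORLOG.utf8` file name are hypothetical; the sample file is constructed from the two log lines quoted earlier.

```python
import codecs
import os
import tempfile

# Longest BOMs first: the UTF-32LE BOM starts with the UTF-16LE BOM bytes.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def detect_bom(raw):
    """Return (encoding, bom_length), or (None, 0) when there is no BOM."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name, len(bom)
    return None, 0


def c_string_view(raw):
    """First line as kept by a reader that stops at the first NUL byte.

    Assumption for illustration only: a byte-oriented, NUL-terminated reader.
    """
    return raw.split(b"\n", 1)[0].split(b"\x00", 1)[0]


def transcode_new_data(src, dst, offset=0):
    """Append the complete lines of src found after offset to dst as UTF-8.

    Returns the byte offset for the next call. A partial last line is left
    for later, so a record is never split while the server is still writing.
    """
    if offset > os.path.getsize(src):
        offset = 0  # the file was recycled and is now shorter: start over
    with open(src, "rb") as fh:
        encoding, bom_len = detect_bom(fh.read(4))
        if encoding is None:
            encoding = "utf-8"  # no BOM: assume an ASCII-compatible log
        start = max(offset, bom_len)
        fh.seek(start)
        raw = fh.read()
    newline = "\n".encode(encoding)
    unit = len(newline)  # 1, 2 or 4 bytes per code unit
    end = len(raw) - len(raw) % unit
    # Step back in whole code units so the newline match is never misaligned.
    while end > 0 and raw[end - unit:end] != newline:
        end -= unit
    text = raw[:end].decode(encoding, errors="replace").replace("\r\n", "\n")
    with open(dst, "a", encoding="utf-8", newline="") as out:
        out.write(text)
    return start + end


def demo():
    """Run the transcoder over a constructed UTF-16LE ERRORLOG sample."""
    lines = [  # constructed file content: the two log lines quoted in the thread
        "2019-01-17 20:38:25.14 example     Error: 35262, Severity: 17, State: 1.",
        "2019-01-17 20:38:25.26 example     Starting up database 'db_example'.",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "ERRORLOG")
        dst = os.path.join(tmp, "ERRORLOG.utf8")  # hypothetical UTF-8 copy
        first = codecs.BOM_UTF16_LE + (lines[0] + "\r\n" + lines[1][:10]).encode("utf-16-le")
        with open(src, "wb") as fh:
            fh.write(first)
        seen_raw = c_string_view(first)
        offset = transcode_new_data(src, dst)
        with open(src, "ab") as fh:  # the server finishes the second record
            fh.write((lines[1][10:] + "\r\n").encode("utf-16-le"))
        transcode_new_data(src, dst, offset)
        with open(dst, encoding="utf-8") as fh:
            converted = fh.read().splitlines()
    return detect_bom(first), seen_raw, offset, converted, lines


if __name__ == "__main__":
    print(demo())
```

In the demo the NUL-terminated view of the first record is only the BOM plus the digit "2", so no decoder pattern can match it, while the UTF-8 copy contains both records intact.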

Milind Trivedi

Feb 13, 2019, 6:23:55 AM
to Jesus Linares, Wazuh mailing list, Ashesh Trivedi

Hi Jesus,

Thank you for the update. We’ll wait for the next update from your side. As per my understanding, there is no direct option or way to handle SQL Server Error Log file codification. Error log management is internal and linked with the system database. In general, it is not recommended to make non-standard changes in the system database.


Milind Trivedi

May 1, 2019, 3:19:17 AM
to Jesus Linares, Wazuh mailing list, Ashesh Trivedi

Hi Jesus / Team,

 

Do we have any luck/progress on case# 2584?

 

Milind Trivedi

Sr. Database Administrator

