MSSQL logs stop reaching Manager and not appearing on Dashboard


areeeba fatima

Apr 2, 2026, 1:13:02 AM (5 days ago) Apr 2
to Wazuh | Mailing List
Hi everyone, 
I am integrating MSSQL audit logs with Wazuh. Our DB team has configured SQL Server Audit to write logs into the Windows Application Event Log, and on the Wazuh agent side I am collecting them using EventChannel in ossec.conf:
I am already successfully receiving standard login events (Event IDs 18456, 18454, 18453) through the Windows Event Channel, and these show up on my dashboard correctly. 
The Problem: I am now trying to ingest Event ID 33205 (MSSQL Audit Records). These logs show up in my manager's archives.log when I enable logall, but they never appear on the Wazuh Dashboard or in alerts.json.
Furthermore, even in archives.log, the 33205 logs seem to come in for a few minutes and then stop entirely, even though the database is still active.
So in summary:
Logs were visible briefly in archives.log but then stopped
Currently logs are not consistently reaching the backend
No logs are visible on the dashboard
Custom decoders and rules are working correctly in wazuh-logtest but not in real flow
On checking the manager, I observed the total queue size reaching around 131072 and event count continuously increasing, which makes me suspect queue saturation or event dropping due to high log volume.  
Could you please confirm if this is the correct and expected set of logs that should be received from MSSQL auditing in Wazuh?
I want to ensure that I am collecting the correct type of logs and that my MSSQL audit configuration is aligned with best practices. 
Also, could this issue be due to queue saturation on the Wazuh manager? What would be the recommended way to handle high-volume MSSQL audit logs so they consistently reach the manager and appear on the dashboard?    
I have also added screenshots for your consideration.
Thank you.
IMG-20260330-WA0010.jpg
IMG-20260330-WA0009.jpg
IMG-20260330-WA0043.jpg
IMG-20260330-WA0011.jpg
IMG-20260330-WA0046.jpeg
IMG-20260330-WA0037.jpg

Bony V John

Apr 2, 2026, 1:17:21 AM (5 days ago) Apr 2
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Apr 2, 2026, 2:24:15 AM (5 days ago) Apr 2
to Wazuh | Mailing List

Hi,

I went through your screenshot and the details you shared. Let’s start from the agent side. You mentioned that the event queue is increasing on the manager. Did this start happening after you enabled the audit logs?

Sometimes, improper configuration of Windows Event Channel logs can cause the Wazuh agent to flood with events, which can lead to dropped logs due to the high volume. On the agent, please check the ossec.log file for any warnings or errors. You can find it at: C:\Program Files (x86)\ossec-agent\ossec.log

If you notice signs of flooding, try to fine-tune the event channel configuration so that only specific logs are collected, for example Event ID 33205, instead of collecting everything. This helps reduce unnecessary load.

After that, check the archives.log or archives.json file again and see if the events are appearing there. If they are, then the next step is to focus on rules.

For Windows Event Channel logs, Wazuh already has default decoders, so you don’t need to create custom decoders. However, if alerts are not showing on the dashboard, you may need to create custom rules with a level of 3 or higher.

From what you described, it looks like there might be an issue with your custom rules. One common problem is using <decoded_as>json</decoded_as>. Even though logtest may show JSON, the logs are actually decoded as windows_eventchannel. Also, if a parent rule is triggering with a level below 3, it won’t show up on the dashboard.

It would help if you could share your custom rules and a few sample logs from archives.log in text format. I can review them and help you adjust the rules correctly.

If the events are still not reaching the manager, please also share the agent C:\Program Files (x86)\ossec-agent\ossec.log and C:\Program Files (x86)\ossec-agent\ossec.conf files. And share the manager ossec.log file with us: /var/ossec/logs/ossec.log

Also, if you have a specific log that you want to trigger alerts for, share that as well. I can help you fine-tune both the agent configuration and the rules.
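To illustrate the two adjustments suggested above (narrowing the agent's event channel collection to Event ID 33205, and writing a custom rule that references the windows_eventchannel decoder at level 3 or higher so the alert reaches the dashboard), here is an added example. It is not configuration from the thread or from Wazuh's own rule set; the rule IDs 100200/100201, the group name, and the `action_id:LGIF` substring used in the child rule are assumptions made for illustration.

```xml
<!-- Agent side: fragment of C:\Program Files (x86)\ossec-agent\ossec.conf
     Collect only SQL Server Audit records (Event ID 33205) from the
     Application channel instead of the whole channel, so the agent is not
     flooded by unrelated application events. -->
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=33205]</query>
  </localfile>
</ossec_config>

<!-- Manager side: fragment of /var/ossec/etc/rules/local_rules.xml
     The event is decoded by the built-in windows_eventchannel decoder
     (not json), so the rule matches on the win.system.* fields it produces.
     Level 3 is the minimum that is written to alerts.json and shown on
     the dashboard; a level 0 parent alone would be silently dropped. -->
<group name="mssql_audit,windows,">

  <!-- Base rule: any SQL Server Audit record forwarded by the agent.
       Rule ID 100200 is an assumed value in the custom range. -->
  <rule id="100200" level="3">
    <decoded_as>windows_eventchannel</decoded_as>
    <field name="win.system.eventID">^33205$</field>
    <description>MSSQL: SQL Server Audit record received</description>
  </rule>

  <!-- Optional child rule: raise the level for a specific audit action.
       Assumes the audit message text carries "action_id:LGIF" (failed
       login) as SQL Server writes it; adjust the substring to your data. -->
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <field name="win.system.message">action_id:LGIF</field>
    <description>MSSQL: SQL Server Audit reports a failed login</description>
  </rule>

</group>
```

After editing local_rules.xml, run `/var/ossec/bin/wazuh-logtest` with one of the 33205 lines taken from archives.json to confirm that the event is decoded as windows_eventchannel and hits rule 100200, then restart the manager so the rule is loaded into the live flow.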

areeeba fatima

Apr 2, 2026, 6:11:43 AM (5 days ago) Apr 2
to Wazuh | Mailing List
Okay, thank you.

areeeba fatima

Apr 2, 2026, 9:45:30 AM (4 days ago) Apr 2
to Wazuh | Mailing List

Thank you for the detailed guidance.

I will review the agent side logs and configuration as suggested, and fine-tune the event channel settings. I’ll also check the archives logs and revisit the rules accordingly.

I will get back to you shortly and share the requested logs, configurations, and sample events for your review.

Thanks again for your support.

Best regards,
Areeba
