Retrieving ERRORLOG for MSSQL Server

Daniel D'Angeli

May 6, 2021, 5:28:17 AM
to Wazuh mailing list
Hi,

I was wondering if there was a way to correctly retrieve the ERRORLOG used by the MSSQL Server to monitor logins in the DB.

I found this discussion leading me to think there is not, but it's relatively old.

Regards,
Daniel

Cesar Moreno

May 6, 2021, 12:05:47 PM
to Wazuh mailing list
Hello Daniel,
Hope you are very well. Thank you for posting on the Wazuh mailing list.

You are right. Unfortunately, the problem with the ERRORLOG is a known issue with the agent on Windows, in which it is unable to read some files with the UCS-2 LE BOM encoding method:
Our Dev team will continue working on this to find a solution.

As an alternative, I'd advise you to use the EventChannel to log messages from SQL. SQL Server logs everything in the Windows Event Channel and in the ERRORLOG file; if you cannot use the log file, you can try configuring rules for the Windows Event Channel logs.
In SQL Server you can configure what to log and where. Follow this article if you want to configure this, and in this other one you can find how to send the SQL Server Audit log to the Security log.
Then in the manager, you'll need to add a decoder to parse those logs (probably it's already decoded as EventChannel). You can use the event IDs in the log to create some rules and alerts depending on the events. To achieve this, you can follow the below documentation:

I hope this helps. Please let me know if you have any other questions.

Kind regards,
Cesar Moreno.
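
The UCS-2 LE BOM encoding mentioned in the reply above, as an added example that is not part of the thread or of Wazuh's code: it shows why a byte-level search of such a file misses the text, and how decoding by BOM recovers the failed-login lines. The sample log lines, the regular expression and the function names are constructed for illustration.

```python
import codecs
import re

# Constructed sample: ERRORLOG-style lines, encoded the way the thread
# describes the file (UCS-2/UTF-16 little-endian with a byte-order mark).
SAMPLE_TEXT = (
    "2021-05-06 05:28:17.45 Logon       Error: 18456, Severity: 14, State: 8.\r\n"
    "2021-05-06 05:28:17.45 Logon       Login failed for user 'sa'. "
    "Reason: Password did not match that for the login provided. "
    "[CLIENT: 10.0.0.5]\r\n"
    "2021-05-06 05:29:02.10 spid52      Starting up database 'tempdb'.\r\n"
)
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

# Assumed line layout: timestamp, source column, message, client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login failed for user '(?P<user>[^']*)'\."
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)

def decode_log(raw: bytes) -> str:
    """Decode log bytes according to their BOM; fall back to UTF-8."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    return raw.decode("utf-8", errors="replace")

def failed_logins(raw: bytes) -> list:
    """Return one dict (ts, user, client) per 'Login failed' line."""
    hits = []
    for line in decode_log(raw).splitlines():
        match = LOGIN_FAILED.match(line)
        if match:
            hits.append(match.groupdict())
    return hits

def naive_byte_match(raw: bytes) -> bool:
    """Search the raw bytes as if single-byte text: in UTF-16LE every
    ASCII character is followed by a NUL byte, so the pattern is absent."""
    return b"Login failed" in raw

if __name__ == "__main__":
    print("byte-level match:", naive_byte_match(SAMPLE_BYTES))
    print("decoded matches:", failed_logins(SAMPLE_BYTES))
```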

Claudio Skarecki

Feb 21, 2022, 9:00:04 AM
to Wazuh mailing list
Hi Daniel,

I have the same problem. How did you solve this? Please help.

Kind regards

Claudio

Daniel D'Angeli

Feb 23, 2022, 12:38:26 PM
to Wazuh mailing list
Hi,

I fixed it by changing what I was looking for. Instead of looking for the ERRORLOG, I went to enable auditing using the SQL Server Management Studio.


Regards,
Daniel D.