MSSQL log collect and configure in wazuh


ismailctest

Sep 24, 2023, 7:18:00 AM
to Wazuh | Mailing List
Hi Team,
Using Wazuh 4.3.11, please let us know how to collect MSSQL logs and the configuration needed on the MSSQL and Wazuh manager sides.

If we need to add a location in agent.conf, kindly share those details also. (We are planning to create a group in the Wazuh manager and add the agent.conf there.)

Kindly share the details for the MS file server also.

Thanks

Isaac Yusuf

Sep 24, 2023, 3:47:49 PM
to Wazuh | Mailing List

Hello ismailctest,

Wazuh has many capabilities; one of the most important ones is log data collection. This allows Wazuh to collect logs from different sources, in different formats and in different ways.

Using this capability we could monitor the MS SQL Server logs. To achieve this, a Wazuh agent must be installed on the Server.

Once the Wazuh agent is installed we can apply the configuration locally or in a centralized way.

To apply the configuration locally we need to edit the ossec.conf configuration file. This file is located (in a default installation for Windows) in the following path:

`C:\Program Files (x86)\ossec-agent`

We can access the Wazuh agent configuration using the Windows agent management tool. This is found in the same installation directory (win32ui.exe file).

By clicking View → View config you can access the agent configuration and also update it.

Once you open the configuration, a localfile configuration block needs to be added to the file. Example:

```xml
<localfile>
  <location>C:\MSQL Server path\ERRORLOG</location>
  <log_format>syslog</log_format>
  <ignore_binaries>yes</ignore_binaries>
</localfile>
```

The location field is used to indicate the path of the log file to be monitored; wildcards can be used to monitor several files in the same directory.

The log_format allows the specification of this information to Wazuh.

You can find more information about the options that can be used with this configuration and the accepted values, but you can use the sample configuration from above as a starting point.

The other way in which you can send this configuration to the Wazuh agent installed on the Server is through Centralized configuration. This is achieved through the creation of groups of agents and then specifying the configuration in the group. The Wazuh manager will then synchronize the group configuration with all the agents that belong to the group, thus giving you the ability to manage the configuration of several agents from the Wazuh manager (this can be done from the UI too).

To do this from the UI:

Go to Wazuh → Management → Groups

Once there, click on Add new group, enter the name for the group and click Save new group. Click the newly created group from the list (MSSQL in the example).

Click on Manage agents

Add the agents and click on Save changes.

To add the configuration to the group, on the Groups list, click on the pencil icon from the actions section of the group.

You can then add the configuration and save the changes. Once you do this, the configuration will be pushed to the agents in the group and the Wazuh agent service in those agents will be restarted to pick up the changes received.

I hope this helps with your concern.

Best regards,
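
As an added example (not configuration from the thread or from the Wazuh project), this is what the group configuration described in the answer above could look like when saved as the MSSQL group's agent.conf, which the manager keeps under /var/ossec/etc/shared/MSSQL/agent.conf and pushes to every agent in the group. The `os="Windows"` attribute on `<agent_config>` restricts the block to Windows agents, so the same group could later hold Linux agents without the Windows path being applied to them. The ERRORLOG path and the `MSSQLXX.INSTANCE` directory name are assumed placeholders; the real Log directory depends on the SQL Server version and instance installed on the host.

```xml
<!-- Added example, not from the thread: /var/ossec/etc/shared/MSSQL/agent.conf
     for a Wazuh agent group named MSSQL. Only agents whose OS matches "Windows"
     apply this block. -->
<agent_config os="Windows">
  <localfile>
    <!-- Current SQL Server error log. MSSQLXX.INSTANCE is a placeholder;
         replace it with the Log directory of the monitored instance. -->
    <location>C:\Program Files\Microsoft SQL Server\MSSQLXX.INSTANCE\MSSQL\Log\ERRORLOG</location>
    <!-- Generic single-line text: each line becomes one event for the manager -->
    <log_format>syslog</log_format>
    <!-- Skip the file if it does not look like a text file -->
    <ignore_binaries>yes</ignore_binaries>
  </localfile>
</agent_config>
```

After the file is saved on the manager, the agents in the group fetch it on their next check-in and restart their agent service, as the answer describes; the assigned group and the received configuration can then be checked on the agent's page in the Wazuh UI.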
