Hello,
Thank you for contacting us here.
Depending on your Wazuh Manager version, you can use /var/ossec/bin/ossec-logtest or /var/ossec/bin/wazuh-logtest to test the logs you need the Manager to ingest. You can execute wazuh-logtest or ossec-logtest from the terminal and paste a log in TRC format there. The tool will return the decoder and the rule that were matched, if any. This is the easiest way to check whether a specific log format is currently covered.
The built-in MSSQL decoder and rules (located in /var/ossec/ruleset/decoders/0395-sqlserver_decoders.xml and /var/ossec/ruleset/rules/0440-ms_sqlserver_rules.xml respectively) work with "regular" MSSQL logs (you can find some example logs in the comments of both files), so it is unlikely that trace logs are supported as of now.
That being said, to allow the Manager to process TRC logs you can:
- Create an issue on the Wazuh repository for adding decoders and rules for TRC logs. Any kind of information you can provide is useful (TRC example logs, custom decoders and rules, official documentation with information about the TRC log syntax, etc.). Use the following link to create the issue:
https://github.com/wazuh/wazuh/issues.
I hope this information helps out. Do not hesitate to contact me back if you need further help.
Best regards.
Juan
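As an added example (not part of the reply above and not Wazuh project code), the following POSIX shell wrapper automates the check the reply describes: it picks whichever logtest binary the installed manager ships (wazuh-logtest on newer versions, ossec-logtest on older ones) and feeds a single log line to it on stdin instead of pasting interactively. The install root (`/var/ossec`), the binary names and the `bin/` layout are the standard Wazuh paths; the sample log line is constructed here and only loosely styled after an MSSQL error-log entry, so whether it matches a decoder depends on the installed ruleset.

```shell
#!/bin/sh
# Added example: non-interactive wrapper around wazuh-logtest / ossec-logtest.
# Not Wazuh's own tooling. Assumes the standard /var/ossec layout; pass a
# different root as the first argument to point at another install.

# Print the path of the first logtest binary found under the given root.
# Prefers wazuh-logtest (newer managers) and falls back to ossec-logtest.
# Returns 1 (and prints nothing) when neither binary exists.
find_logtest() {
    root="${1:-/var/ossec}"
    for name in wazuh-logtest ossec-logtest; do
        if [ -x "$root/bin/$name" ]; then
            printf '%s\n' "$root/bin/$name"
            return 0
        fi
    done
    return 1
}

# Feed exactly one log line to logtest on stdin and print whatever the tool
# reports (decoder and rule matched, or nothing if the format is unknown).
test_log_line() {
    root="$1"
    line="$2"
    tool=$(find_logtest "$root") || {
        echo "no wazuh-logtest or ossec-logtest found under $root/bin" >&2
        return 1
    }
    printf '%s\n' "$line" | "$tool"
}

# Constructed sample line (not a real TRC trace, not taken from the ruleset):
# styled after an MSSQL error-log login failure so the built-in sqlserver
# decoder has something plausible to look at.
SAMPLE="2023-01-01 10:00:00.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]"

# Only run against a real manager when explicitly asked, so sourcing this
# file (for example from a test) has no side effects.
if [ "${1:-}" = "--run" ]; then
    test_log_line "${WAZUH_HOME:-/var/ossec}" "$SAMPLE"
fi
```

Run it on the manager with `sh logtest-wrapper.sh --run` (or set `WAZUH_HOME` for a non-default install). If the output shows no decoder, the format is not covered by the installed ruleset, which is exactly the situation the reply describes for TRC logs; a custom decoder and rule dropped into the standard local files (`/var/ossec/etc/decoders/local_decoder.xml` and `/var/ossec/etc/rules/local_rules.xml`) can then be checked the same way before the manager is restarted.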