Log events not being recognized as separate events in Microsoft SQL Server Integration

I am using the Microsoft SQL Server Integration, v1.4.0 with a fleet-managed policy running on Elastic Agent 8.4.2. I am noticing two things. First, even with "Preserve original event" set to false, the SQL Server error logs appear to be preserving the original events.

Second, when I examine the original events, it appears that in many cases, multiple log events are being concatenated into a single log entry. Here is the event.original for one event:

2022-10-03 11:22:10.99 Logon       Error: 18456, Severity: 14, State: 5.

2022-10-03 11:22:10.99 Logon       Login failed for user 'user_01'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.3]

Here is the event.original field from another event:

2022-10-03 11:22:00.43 Logon       Login succeeded for user 'DOMAIN\user_02'. Connection made using Integrated authentication. [CLIENT: <local machine>]

2022-10-03 11:22:00.44 Logon       Login succeeded for user 'DOMAIN\user_02'. Connection made using Integrated authentication. [CLIENT: <local machine>]

2022-10-03 11:22:00.77 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.31 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.34 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.35 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.37 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.39 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.41 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.42 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.44 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.46 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.47 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.49 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.50 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.53 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.53 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.55 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.55 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.56 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]

2022-10-03 11:22:01.85 Logon       Login succeeded for user 'DOMAIN\user_02'. Connection made using Integrated authentication. [CLIENT: <local machine>]

2022-10-03 11:22:03.57 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.121.193.59]

2022-10-03 11:22:03.65 Logon       Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.121.193.59]

Edit

  1. It looks as if the Elasticsearch pipeline for this doesn't honor the "preserve event.original" setting at this time, it just automagically preserves it.
  2. I suspect that the issue above may be a bug associated with Windows CRLF line endings; IIRC, I experienced this same issue with a filebeat module, although I can't remember which one.
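As an added example that is not part of the original post or the integration's own pipeline: a small Python splitter that cuts a concatenated event.original back into one record per SQL Server errorlog line (tolerating CRLF endings and blank separator lines, the failure mode suspected above) and then counts failed logins per client address as a basic detection signal. The sample text, the `ErrorlogEvent` class and the helper names are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample: three errorlog records glued into one event.original,
# with the CRLF line endings Windows writes (not the poster's actual payload).
SAMPLE = (
    "2022-10-03 11:22:10.99 Logon       Error: 18456, Severity: 14, State: 5.\r\n"
    "2022-10-03 11:22:10.99 Logon       Login failed for user 'user_01'. "
    "Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.3]\r\n"
    "2022-10-03 11:22:00.43 Logon       Login succeeded for user 'DOMAIN\\user_02'. "
    "Connection made using Integrated authentication. [CLIENT: <local machine>]\r\n"
)
# A record starts with a timestamp, then the source column (e.g. Logon), then the message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2,3})\s+(?P<src>\S+)\s+(?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: (?P<client>[^\]]+)\]\s*$")
FAILED_RE = re.compile(r"^Login failed for user '(?P<user>[^']+)'")

@dataclass
class ErrorlogEvent:
    timestamp: str
    source: str
    message: str
    client: Optional[str]  # None for records without a [CLIENT: ...] suffix

def split_events(original: str) -> List[ErrorlogEvent]:
    """Cut a concatenated event.original into one record per timestamped line."""
    events: List[ErrorlogEvent] = []
    # Normalise CRLF first so a stray '\r' never ends up glued to the message text.
    for line in original.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue  # blank separator lines carry no event
        m = LINE_RE.match(line)
        if m is None:
            if events:  # no timestamp: a wrapped continuation of the previous record
                events[-1].message += " " + line
            continue
        msg = m.group("msg").strip()
        c = CLIENT_RE.search(msg)
        events.append(ErrorlogEvent(m.group("ts"), m.group("src"), msg, c.group("client") if c else None))
    return events

def failed_logins_by_client(events: List[ErrorlogEvent]) -> Dict[str, int]:
    """Count 'Login failed' records per client address, a basic brute-force signal."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.source == "Logon" and FAILED_RE.match(ev.message):
            key = ev.client or "unknown"
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Run against a real event.original, the length of the returned list tells you directly how many records the collector merged into one document.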
