I am using the Microsoft SQL Server Integration, v1.4.0 with a fleet-managed policy running on Elastic Agent 8.4.2. I am noticing two things. First, even with "Preserve original event" set to false, the SQL Server error logs appear to be preserving the original events.
Second, when I examine the original events, it appears that in many cases, multiple log events are being concatenated into a single log entry. Here is the event.original for one event:
2022-10-03 11:22:10.99 Logon Error: 18456, Severity: 14, State: 5.
2022-10-03 11:22:10.99 Logon Login failed for user 'user_01'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.3]
Here is the event.original field from another event:
2022-10-03 11:22:00.43 Logon Login succeeded for user 'DOMAIN\user_02'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2022-10-03 11:22:00.44 Logon Login succeeded for user 'DOMAIN\user_02'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2022-10-03 11:22:00.77 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.31 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.34 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.35 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.37 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.39 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.41 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.42 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.44 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.46 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.47 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.49 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.50 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.53 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.53 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.55 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.55 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.56 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.1.2.4]
2022-10-03 11:22:01.85 Logon Login succeeded for user 'DOMAIN\user_02'. Connection made using Integrated authentication. [CLIENT: <local machine>]
2022-10-03 11:22:03.57 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.121.193.59]
2022-10-03 11:22:03.65 Logon Login succeeded for user 'DOMAIN\user_03'. Connection made using Integrated authentication. [CLIENT: 10.121.193.59]
Edit
- It looks as if the Elasticsearch pipeline for this doesn't honor the "preserve event.original" setting at this time; it just automagically preserves it.
- I suspect that the issue above may be a bug associated with Windows CRLF line endings; IIRC, I experienced this same issue with a filebeat module, although I can't remember which one.
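Added example, not code from the post or from the Elastic integration: a small Python parser that takes a concatenated event.original like the ones quoted above, normalises CRLF line endings, splits the blob back into individual SQL Server error-log entries on the timestamp prefix, and pulls out user, client and logon outcome so failed logons can be counted per client. The sample blob is constructed from the entries in the post; the field names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# A SQL Server error-log entry begins "YYYY-MM-DD HH:MM:SS.ff <source> <message>".
# Splitting on a lookahead for that prefix at a line start recovers the individual
# entries even when several were delivered concatenated in one event.original.
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}"
SPLIT_RE = re.compile(rf"(?m)(?=^{TS}\s)")
ENTRY_RE = re.compile(rf"^(?P<ts>{TS})\s+(?P<source>\S+)\s+(?P<msg>.*)$", re.DOTALL)
USER_RE = re.compile(r"for user '(?P<user>[^']*)'")
CLIENT_RE = re.compile(r"\[CLIENT: (?P<client>[^\]]+)\]")

def split_entries(blob: str) -> List[str]:
    """One string per log entry. CRLF is normalised to LF first so a log written
    on Windows splits exactly like an LF-terminated one."""
    text = blob.replace("\r\n", "\n").replace("\r", "\n")
    return [p.strip() for p in SPLIT_RE.split(text) if p.strip()]

def parse_entry(entry: str) -> Optional[Dict[str, Optional[str]]]:
    """Timestamp, source, message, user, client and logon outcome of one entry."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None
    msg = m.group("msg")
    user, client = USER_RE.search(msg), CLIENT_RE.search(msg)
    outcome = ("failure" if msg.startswith("Login failed")
               else "success" if msg.startswith("Login succeeded") else None)
    return {"ts": m.group("ts"), "source": m.group("source"), "message": msg,
            "user": user.group("user") if user else None,
            "client": client.group("client") if client else None,
            "outcome": outcome}

def parse_blob(blob: str) -> List[Dict[str, Optional[str]]]:
    return [e for e in map(parse_entry, split_entries(blob)) if e]

def failed_logins_by_client(blob: str) -> Dict[str, int]:
    """Failed logons per client address: the first aggregate a defender wants
    once the entries are split correctly instead of being counted as one event."""
    return dict(Counter(e["client"] or "unknown" for e in parse_blob(blob)
                        if e["outcome"] == "failure"))

# Constructed sample modelled on the post's entries, CRLF-terminated as on Windows.
SAMPLE = (
    "2022-10-03 11:22:10.99 Logon Error: 18456, Severity: 14, State: 5.\r\n"
    "2022-10-03 11:22:10.99 Logon Login failed for user 'user_01'. Reason: Could not find a login matching the name provided. [CLIENT: 10.1.2.3]\r\n"
    "2022-10-03 11:22:00.43 Logon Login succeeded for user 'DOMAIN\\user_02'. "
    "Connection made using Integrated authentication. [CLIENT: <local machine>]\r\n"
)
```

Note that the "Error: 18456" line and the "Login failed" line that follows it share a timestamp but are separate entries, which is why the split keys on the timestamp prefix rather than on time values.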