Parse MSSQL logs from event log

sref · March 10, 2020, 4:42pm

Hi,
Im trying to parse MSSQL logs from Windows event log, into Elastic stack.
Currently MSSQL logs to event viewer, and i use Winlogbeat 7,6 and Elastic stack 7,6 also. (installed under 1 month ago)
indent preformatted text by 4 spaces
Currently, all the MSSQL event logs goes into the message field, without getting parsed to seperate fields like it should.

Basically it seems like the same issue as Parsing additional data in a windows event log

I am unsucsessful in using gsub to replace the delimiter, and was hoping for some guidance on the parsing.

Configs:

01input.conf
    input {
      beats {
        port => 5044
            tags => [ "winlogbeat2" ]
      }
    }

20-parse-mssql.conf

filter {
  mutate {
gsub => [
  "message", "[\\n]", ","
]
  }
}

30-out-es.conf
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]
        index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      }
    }

system · April 7, 2020, 4:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing additional data in a windows event log Logstash	4	1619	July 9, 2018
Windows Event Viewer Logs Parsing without Winlogbeat Logstash	2	845	September 9, 2020
How can I parse Windows Logs? Elasticsearch	7	6502	June 2, 2018
Parsing Windows Event Logs in syslog format Logstash	1	47	July 31, 2024
Extracting fields from existing message field in windows logs Logstash	4	502	January 11, 2022

Parse MSSQL logs from event log

Related Topics