Parse MSSQL logs from event log

sref · March 10, 2020, 4:42pm

Hi,
Im trying to parse MSSQL logs from Windows event log, into Elastic stack.
Currently MSSQL logs to event viewer, and i use Winlogbeat 7,6 and Elastic stack 7,6 also. (installed under 1 month ago)
indent preformatted text by 4 spaces
Currently, all the MSSQL event logs goes into the message field, without getting parsed to seperate fields like it should.

Basically it seems like the same issue as Parsing additional data in a windows event log

I am unsucsessful in using gsub to replace the delimiter, and was hoping for some guidance on the parsing.

Configs:

01input.conf
    input {
      beats {
        port => 5044
            tags => [ "winlogbeat2" ]
      }
    }

20-parse-mssql.conf

filter {
  mutate {
gsub => [
  "message", "[\\n]", ","
]
  }
}

30-out-es.conf
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]
        index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      }
    }

system · April 7, 2020, 4:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing additional data in a windows event log Logstash	4	1621	July 9, 2018
Filebeat mssql Beats filebeat	4	238	October 12, 2021
Parsing winlogbeat message field Beats winlogbeat	3	1982	July 20, 2019
Windows Event Viewer Logs Parsing without Winlogbeat Logstash	2	848	September 9, 2020
MsSQL Log beat Beats	2	658	July 12, 2018

Parse MSSQL logs from event log

Related topics