Microsoft SQL Server log source configuration options
Microsoft SQL Server Error Logs
The error log is a standard text file that contains Microsoft SQL Server information and error messages. WinCollect monitors the error log for new events and forwards the event to IBM® Security QRadar®. The error log provides meaningful information to assist you in troubleshooting issues or alerting you to potential or existing problems. The error log output includes the time and date the message was logged, the source of the message, and the description of the message. If an error occurs, the log contains the error message number and a description. Microsoft SQL Servers retain backups of the last six error log files.
WinCollect can collect Microsoft SQL server error log events. To collect Microsoft SQL Server audit and authentication events, you configure the Microsoft SQL Server DSM. For more information, see the IBM Security QRadar DSM Configuration Guide.
WinCollect agents support local collection and remote polling for Microsoft SQL Server installations. To remotely poll for Microsoft SQL Server events, you must provide administrator credentials or domain administrator credentials. If your network policy restricts the use of administrator credentials, you can install a WinCollect agent on the same host as your Microsoft SQL Server. Local installations of WinCollect do not require special credentials to forward events to QRadar.
The Microsoft SQL Server event logs that are monitored by WinCollect are defined by the directory path that you specify in your WinCollect SQL log source. The following table lists the default directory paths for the Root Log Directory field in your log source.
| Microsoft SQL version | Collection type | Root log directory |
|---|---|---|
| 2012 | Local | C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG |
| 2012 | Remote | \\SQL IP address\c$\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG |
| 2014 | Local | C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\LOG |
| 2014 | Remote | \\SQL IP address\c$\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\LOG |
| 2016 | Local | C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\LOG |
| 2016 | Remote | \\SQL IP address\c$\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\LOG |
| 2017 | Local | C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL14.MSSQLSERVER\MSSQL\LOG |
| 2017 | Remote | \\HOSTNAME\C$\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL14.MSSQLSERVER\MSSQL\LOG |
| 2019 | Local | C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL15.MSSQLSERVER\MSSQL\LOG |
| 2019 | Remote | \\HOSTNAME\C$\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL15.MSSQLSERVER\MSSQL\LOG |
Log files that do not match the SQL event log format are not parsed or forwarded to QRadar.
Supported versions of Microsoft SQL Server
The WinCollect plug-in for Microsoft SQL server supports the following Microsoft SQL software versions:
- Microsoft SQL Server 2012
- Microsoft SQL Server 2014
- Microsoft SQL Server 2016
- Microsoft SQL Server 2017
- Microsoft SQL Server 2019
The following table describes the Microsoft SQL server protocol parameters.
| Parameter | Description |
|---|---|
| Log Source Type | Microsoft SQL |
| Protocol Configuration | WinCollect Microsoft SQL |
| Root Directory |
Microsoft SQL 2012
Microsoft SQL 2014
Microsoft SQL 2016
Microsoft SQL 2017
Microsoft SQL 2019
|
| File Monitor Policy | The Notification-based (local) option uses the Windows file system notifications to detect changes to your event log. The Polling-based (remote) option monitors changes to remote files and directories. The agent polls the remote event log and compares the file to the last polling interval. If the event log contains new events, the event log is retrieved. |