MS SQL logging and parsing

Unanswered Question
Jul 22nd, 2008

Hello. Maybe I am missing something, but is there a way to collect and parse logs (specifically security auditing - logins, etc...) from MS SQL server in MARS? I see that there 'may' be a snare agent for MS SQL, but I don't know if MARS would recognize the events without a custom parser. Any ideas?

Thank you,


mhellman Tue, 07/22/2008 - 13:25

You can collect them, but I don't believe they will be parsed correctly. They [the logins at least] are logged to the application event log. The last time I tested MARS, you COULD NOT configure a reporting device as a Windows host AND custom parse messages. Having them is a good first step I guess. It would be really nice to be able to extend MARS's parsing with custom parsing though. I *think* the next major version of MARS is supposed to fix this somehow.

jeff_groesbeck Tue, 07/22/2008 - 16:14

Thank you for your response. I didn't even think about the fact that I probably can't just 'add' to the host (Windows 2003 server) 'and' create a custom parser for the SQL entries. I am sure that this is still the case. I really hope that this is improved in 6.x.

Thank you again.

jeff_groesbeck Wed, 07/23/2008 - 05:56

OK. I just got in this morning and built a 'test' custom parser. It appears that if I make this a software application, I can apply it to my previously defined Windows server and tell it that it will be receiving the information to be parsed via syslog. Does anyone have any experience doing this for SQL Server?

Thanks again.

mhellman Wed, 07/23/2008 - 07:27

While you can do that, I don't think it will work. At least it didn't work when I tried. As I recall, the problem is that the Windows parser has a "catch-all" parser that maps to "generic windows event". This parser is applied before your custom parser.

jeff_groesbeck Wed, 07/23/2008 - 07:33

OK. Thanks. That makes sense. I haven't been able to test this yet, so I appreciate you mentioning this.


mhellman Wed, 07/23/2008 - 07:52

I would still test it. It's been quite a few versions since I did. Let us know how it goes.

jeff_groesbeck Fri, 07/25/2008 - 08:11

OK. I've been trying everything to see if I can get something to work here, but to no avail. It definitely reports it as a 'general windows application log' entry instead of running it through the custom parser. Every attempt to get any assistance through TAC (wondering about the order the devices were processed) yielded 'It is not supported'. Anyway, thank you very much for your input on this and unfortunately, I was not successful.

mhellman Fri, 07/25/2008 - 08:27

Thanks for following up. Let's keep our fingers crossed that this is addressed in 6.x.

