Splunk App for Logbinder doesn't get any log

lrgt - 11/23/2018

I'm interested in using LogBinder for an instance of SQL Server to push events to Splunk. By today I managed to get LogBinder working with my database and send syslog to Splunk successfully.

I had installed the Logbinder App for Splunk, yet I can't see any event in Splunk. I followed the steps in the guide and configured the input this way:
https://forum.logbinder.com/Uploads/Images/a75daa96-88e5-4894-903b-4f32.png
inputs.conf in opt/splunk/etc/apps/logbinder/local looks like this:
https://forum.logbinder.com/Uploads/Images/e3017e8b-6fa9-4139-8fa1-146d.PNG

I'm still not able to see any events.

However, I'm able to see logs in Splunk's Search App.

Is there something I'm missing, and is there any workaround for this?

Thank you!



imrago - 11/23/2018

Thank you for the screenshots; based on them we can see that the eventid was correctly extracted.

Please run these searches:

1) To see if the logbinder_index macro is correct (the latest version of the app expects the data to be in the main index):

`logbinder_index`

2) If that is working, then to check if the eventtype is correctly set:

`logbinder_sql`

If this second search is also working, then this dashboard should have been populated: "SQL Login Activity Report"

lrgt - 11/23/2018

Hello imrago! Thank you for your reply!

As you recommended I changed the index to "main", then updated Splunk (I had installed 7.1.1, so I upgraded to 7.2.1) and changed the search to:

source="udp:514" index="main" sourcetype="logbinder:syslog" product="LOGbinder SQL" targetobjectname=dba

I got results in the Logbinder app search.

I also changed the event type logbinder_sql to match this search so it could be used for the SQL Activity Report dashboard (not sure if that is how it works):

source="udp:514" index="main" sourcetype="logbinder:syslog" product="LOGbinder SQL"

I'm specifically checking "SQL Login Activity Report", and managed to get it to work!

SQL Overview also works fine. Thank you very much for your help!

Just one more question: I noted the datetime fields are in UTC format; which would be the best way to display them according to my timezone?
imrago - 11/24/2018

If you would like to do so, you can continue to use the logbinder index or any other; you only need to change the `logbinder_index` macro. It can be done by creating %SPLUNK_HOME%/etc/apps/logbinder/local/macros.conf and adding this to it:

[logbinder_index]
definition = index=logbinder

and restarting Splunk.

>Just one more question, I noted datetime fields are on UTC format, which would be the best way to display it according to my timezone?

This can be done by changing the timezone on the server, or by changing the timezone of the Splunk user with which you are logged in:

Settings->Access Controls->Users

then select the user and change the "Time zone" drop-down from system default to your timezone. With this, the charts for example will use your local time.

lrgt

I checked Syslog_2018_11_28.txt in the LogBinder folder and the logs look like this:

Nov 28 22:42:00 172.16.37.201 24003 LOGbinder SQL|4.0|failure|2018-11-28T22:42:00.0000000|Login failed|name="message" value="A principal's attempt to log on to SQL server failed"|name="actiongroup" value="FAILED_LOGIN_GROUP"|name="occurred" label="Occurred" value="28/11/2018 10:42:00.0000000 p. m. UTC"|name="server" label="Server" value="SERVER\\SQLEXPRESS"|name="targetobjectname" label="Target Object Name" value="dba"|name="targetobjecttype" label="Target Object Type" value="Login"|name="statement" label="Statement" value="Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]"|name="additionalinformation" label="Additional Information" value="<action_info xmlns\=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>0</pooled_connection><error>0x00004818</error><state>8</state><address>local machine</address></action_info>"|name="support" value="For more information, see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=24003"

Local time for this alert is actually Nov 28 16:42:00. In Splunk I still don't get this datetime. Is it something I should resolve in Splunk or in LogBinder?
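As an added illustration (not code from this thread, from LOGbinder or from the Splunk app), a small Python parser for the LOGbinder SQL syslog format quoted above; it also shows why the event displays in UTC: neither the ISO timestamp nor the syslog header carries a zone offset, so the consumer has to be told they are UTC. The sample line is constructed from the quoted event, and the -6 hour offset is an assumption read off the thread's 22:42 UTC / 16:42 local figures.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the LOGbinder SQL syslog line quoted in this thread
# (trailing fields dropped; eventid, timestamps and target login are the same).
SAMPLE_LINE = (
    'Nov 28 22:42:00 172.16.37.201 24003 LOGbinder SQL|4.0|failure|'
    '2018-11-28T22:42:00.0000000|Login failed|'
    'name="message" value="A principal\'s attempt to log on to SQL server failed"|'
    'name="actiongroup" value="FAILED_LOGIN_GROUP"|'
    'name="occurred" label="Occurred" value="28/11/2018 10:42:00.0000000 p. m. UTC"|'
    'name="server" label="Server" value="SERVER\\\\SQLEXPRESS"|'
    'name="targetobjectname" label="Target Object Name" value="dba"|'
    'name="targetobjecttype" label="Target Object Type" value="Login"'
)

# Syslog header, then the five pipe-separated LOGbinder header fields.
HEADER_RE = re.compile(
    r'^(?P<syslog_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<eventid>\d+) '
    r'(?P<product>[^|]+)\|(?P<version>[^|]*)\|(?P<result>[^|]*)\|(?P<ts>[^|]*)\|(?P<summary>[^|]*)'
)
# name/value pairs; values may hold backslash-escaped quotes (cf. additionalinformation above).
PAIR_RE = re.compile(r'name="(?P<name>[^"]+)"(?: label="[^"]*")? value="(?P<value>(?:[^"\\]|\\.)*)"')

def parse_logbinder_syslog(line: str) -> dict:
    """Flatten one LOGbinder SQL syslog event into a dict of header fields plus name/value pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a LOGbinder syslog line')
    fields = m.groupdict()
    fields.update((p['name'], p['value']) for p in PAIR_RE.finditer(line))
    return fields

def event_time_utc(fields: dict) -> datetime:
    """The ISO timestamp has no offset but 'occurred' says UTC, so attach UTC explicitly."""
    main, _, frac = fields['ts'].partition('.')          # 7-digit fraction -> microseconds
    micro = int(frac[:6].ljust(6, '0')) if frac else 0
    return datetime.strptime(main, '%Y-%m-%dT%H:%M:%S').replace(microsecond=micro, tzinfo=timezone.utc)

def local_display_time(fields: dict, utc_offset_hours: int) -> datetime:
    """Shift to a fixed local offset; -6 is an assumption read off the thread (22:42 UTC -> 16:42)."""
    return event_time_utc(fields).astimezone(timezone(timedelta(hours=utc_offset_hours)))

def syslog_header_is_utc(fields: dict) -> bool:
    """True when the zone-less syslog header clock equals the UTC event time (a consumer that treats the header as local time then shows the event shifted by its offset)."""
    utc = event_time_utc(fields)
    hdr = datetime.strptime(f'{utc.year} {fields["syslog_ts"]}', '%Y %b %d %H:%M:%S')
    return hdr.replace(tzinfo=timezone.utc) == utc.replace(microsecond=0)
```

On the Splunk side the equivalent is the sourcetype's TZ setting in props.conf, which tells the indexer to parse these zone-less timestamps as UTC; the per-user time zone imrago describes then shifts the display.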





lrgt

Hello imrago, I changed the timezone as you recommended, but the logs still show in the same way. Both servers (Splunk and the one with the database and LogBinder) have the same hour. but