Microsoft SQL Server Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft SQL Server is a relational database management system (RDBMS) developed by Microsoft. It is used to store, manage, and retrieve data for applications, websites, and enterprise systems. This technology pack processes SQL Server log output, providing parsing, normalization, and enrichment of data.

Supported Versions

  • Microsoft SQL Server 2017 or later

Requirements

  • Graylog Server with a valid Enterprise license, running Graylog version 7.0 or later

Stream Configuration

This technology pack includes 1 stream:

  • Illuminate:Microsoft SQL Server Messages

Hint: If this stream does not exist before the pack is activated, it is created, and the pack is configured to route its messages to this stream and to the associated index set. No stream rules should be configured on this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • Microsoft SQL Server Event Messages

Hint: If this index set is already defined, nothing is changed. If it does not exist, it is created with daily index rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

  • Enable SQL Server auditing on the target instance (a server-level audit plus server and database audit specifications) with the Windows Application event log as the audit target, so that audit events are written there.
  • Forward the Application log to Graylog with either NXLog (im_msvistalog input, om_tcp or om_udp output, sent to a GELF or Beats input) or Winlogbeat (event_logs with name "Application", shipped to the Beats input).
  • Messages arrive with event_code 33205 (MSSQL audit) and are identified by SourceName=MSSQLSERVER (NXLog) or winlogbeat_event_provider=MSSQLSERVER (Winlogbeat).

Log Format Example

Audit event: audit_schema_version:1 event_time:2025-12-20 06:57:56.5583559 sequence_number:1 action_id:LGIS succeeded:true is_column_permission:false session_id:74 server_principal_id:278 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:LX duration_milliseconds:0 response_rows:0 affected_rows:0 client_tls_version:771 database_transaction_id:0 ledger_start_sequence_number:0 is_local_secondary_replica:false client_ip:local machine permission_bitmask:00000000000000000000000000000000 sequence_group_id:42E30E6A-78BD-4E21-AAC3-2FAF685B1753 session_server_principal_name:Testuser server_principal_name:Testuser server_principal_sid:b2610e1b7b82cf4a995de88f5f2ee716 database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:WIN-MOETVK6G9VU database_name: schema_name: object_name: statement:-- network protocol: LPC set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>0</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>local machine</address><is_dac>0</is_dac></action_info> user_defined_information: application_name:Framework Microsoft SqlClient Data Provider connection_id:03ACF660-09CF-4F4C-B57A-8E57672FE3E7 data_sensitivity_information: host_name:WIN-MOETVK6G9VU session_context: client_tls_version_name:1.2 external_policy_permissions_checked: obo_middle_tier_app_id:

What is Provided

  • Rules to parse, normalize, and enrich Microsoft SQL Server messages

GIM Categorization

GIM categorization is provided for the following messages:

| Event Type | gim_event_type_code | gim_event_category | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|
| LOGIN SUCCEEDED (LGIS) / CONNECT (CO) / AUTHENTICATE (AUTH) / DATABASE AUTHENTICATION SUCCEEDED (DBAS) | 100000 | authentication | authentication.logon | logon |
| IMPERSONATE (IMP) | 100003 | authentication | authentication.logon | logon with alternate credentials |
| LOGIN FAILED (LGIF) / DATABASE AUTHENTICATION FAILED (DBAF) | 100500 | authentication | authentication.credential validation | credential validation |
| LOGOUT (LGO) / DATABASE LOGOUT (DBL) | 102500 | authentication | authentication.logoff | logoff |
| ALTER (AL) / TAKE OWNERSHIP (TO) | 111000 | iam | iam.object modify | account modified |
| GRANT (G) | 111001 | iam | iam.object modify | privileges assigned |
| REVOKE (R) / DENY (D) | 111002 | iam | iam.object modify | privileges removed |
| CHANGE OWN PASSWORD (PWCS) / CHANGE PASSWORD (PWC) / MUST CHANGE PASSWORD (PWMC) / CHANGE LOGIN CREDENTIAL (CCLG) | 111004 | iam | iam.object modify | password change |
| RESET PASSWORD (PWR) | 111005 | iam | iam.object modify | administrative password reset |
| ADD MEMBER to role (APRL) | 111007 | iam | iam.object modify | group member added |
| DROP MEMBER from role (DPRL) | 111008 | iam | iam.object modify | group member removed |
| LOGIN DISABLED (LGDA) | 111501 | iam | iam.object disable | account disabled |
| UNLOCK ACCOUNT (PWU) | 112000 | iam | iam.object enable | account unlocked |
| LOGIN ENABLED (LGEA) | 112001 | iam | iam.object enable | account enabled |
| PASSWORD POLICY / EXPIRATION (PWPL / PWEX) | 119999 | iam | iam.default | iam message |
| SELECT (SL) / EXECUTE (EX) / RECEIVE (RC) / SEND (SN) | 150000 | database | database.query | database query |
| UPDATE (UP) | 150500 | database | database.update | update rows |
| INSERT (IN) | 151000 | database | database.add | insert rows |
| DELETE (DL) | 151500 | database | database.delete | delete rows |
| BACKUP (BA) / BACKUP LOG (BAL) / RESTORE (RS) | 159999 | database | database.default | database message |
| SERVER STARTED (SVSR) / SERVER CONTINUE (SVCN) | 210000 | service | service.start | service started |
| SERVER SHUTDOWN (SVSD) / SERVER PAUSED (SVPD) | 210100 | service | service.stop | service stopped |
| AUDIT SHUTDOWN ON FAILURE (AUSF) | 220000 | audit | audit.integrity | audit log cleared |
| TRACE AUDIT START/STOP (TASA / TASP) / AUDIT SESSION CHANGED (AUSC) / AUDIT CHANGE (CNAU) / AUDIT POLICY | 220500 | audit | audit.policy | audit policy changed |
| DBCC / OTHER SERVER AUDIT EVENTS | 229999 | audit | audit.default | audit event |
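As an added illustration (not part of the Illuminate content pack and not Graylog's own pipeline rules), the following Python parses the body of a 33205 audit event in the form shown under Log Format Example into fields and then assigns the GIM classification from the table above by action_id. The field names and the GIM rows are taken from this page; the key-anchored splitting, the type coercion rules and the fallback of unknown action_ids to the 229999 catch-all row are this example's own assumptions.

```python
"""Parse a SQL Server audit event body (Windows Application log, event 33205) into
fields and attach the GIM classification. Added example, not Illuminate's code."""
import re

# Field names of the 33205 body, in the order SQL Server emits them (taken from the
# sample event on this page). Values may contain spaces and colons (statement,
# client_ip, additional_information), so the body is split on known keys, not whitespace.
AUDIT_FIELDS = (
    "audit_schema_version event_time sequence_number action_id succeeded is_column_permission "
    "session_id server_principal_id database_principal_id target_server_principal_id "
    "target_database_principal_id object_id user_defined_event_id transaction_id class_type "
    "duration_milliseconds response_rows affected_rows client_tls_version database_transaction_id "
    "ledger_start_sequence_number is_local_secondary_replica client_ip permission_bitmask "
    "sequence_group_id session_server_principal_name server_principal_name server_principal_sid "
    "database_principal_name target_server_principal_name target_server_principal_sid "
    "target_database_principal_name server_instance_name database_name schema_name object_name "
    "statement additional_information user_defined_information application_name connection_id "
    "data_sensitivity_information host_name session_context client_tls_version_name "
    "external_policy_permissions_checked obo_middle_tier_app_id"
).split()

# A key counts only when preceded by whitespace (or start of text) and followed by ':'.
# Longest names first so 'client_tls_version' cannot shadow 'client_tls_version_name'.
_KEY_RE = re.compile(
    r"(?<!\S)(" + "|".join(map(re.escape, sorted(AUDIT_FIELDS, key=len, reverse=True))) + "):"
)

def _coerce(key, value):
    # Type rules assumed by this example: true/false flags -> bool, numeric counters -> int.
    if key in ("succeeded", "is_column_permission", "is_local_secondary_replica"):
        return value == "true"
    if value.isdigit() and key.endswith(("_id", "_number", "_rows", "_milliseconds")):
        return int(value)
    return value

def parse_audit_event(text):
    """Return {field: value}. Text before the first key (the 'Audit event:' prefix) is
    dropped and empty values become ''. Limitation: a value that itself contains
    ' <known_key>:' is split at that point."""
    matches = list(_KEY_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = _coerce(m.group(1), text[m.end():end].strip())
    return fields

# GIM classification keyed by action_id, one entry per row of the table above.
_GIM_ROWS = [
    (("LGIS", "CO", "AUTH", "DBAS"), 100000, "authentication", "authentication.logon", "logon"),
    (("IMP",), 100003, "authentication", "authentication.logon", "logon with alternate credentials"),
    (("LGIF", "DBAF"), 100500, "authentication", "authentication.credential validation", "credential validation"),
    (("LGO", "DBL"), 102500, "authentication", "authentication.logoff", "logoff"),
    (("AL", "TO"), 111000, "iam", "iam.object modify", "account modified"),
    (("G",), 111001, "iam", "iam.object modify", "privileges assigned"),
    (("R", "D"), 111002, "iam", "iam.object modify", "privileges removed"),
    (("PWCS", "PWC", "PWMC", "CCLG"), 111004, "iam", "iam.object modify", "password change"),
    (("PWR",), 111005, "iam", "iam.object modify", "administrative password reset"),
    (("APRL",), 111007, "iam", "iam.object modify", "group member added"),
    (("DPRL",), 111008, "iam", "iam.object modify", "group member removed"),
    (("LGDA",), 111501, "iam", "iam.object disable", "account disabled"),
    (("PWU",), 112000, "iam", "iam.object enable", "account unlocked"),
    (("LGEA",), 112001, "iam", "iam.object enable", "account enabled"),
    (("PWPL", "PWEX"), 119999, "iam", "iam.default", "iam message"),
    (("SL", "EX", "RC", "SN"), 150000, "database", "database.query", "database query"),
    (("UP",), 150500, "database", "database.update", "update rows"),
    (("IN",), 151000, "database", "database.add", "insert rows"),
    (("DL",), 151500, "database", "database.delete", "delete rows"),
    (("BA", "BAL", "RS"), 159999, "database", "database.default", "database message"),
    (("SVSR", "SVCN"), 210000, "service", "service.start", "service started"),
    (("SVSD", "SVPD"), 210100, "service", "service.stop", "service stopped"),
    (("AUSF",), 220000, "audit", "audit.integrity", "audit log cleared"),
    (("TASA", "TASP", "AUSC", "CNAU"), 220500, "audit", "audit.policy", "audit policy changed"),
]
# DBCC and any other server audit event fall into the catch-all row (assumed fallback).
_GIM_DEFAULT = (229999, "audit", "audit.default", "audit event")
_GIM_BY_ACTION = {a: row[1:] for row in _GIM_ROWS for a in row[0]}

def gim_classify(action_id):
    """Return (gim_event_type_code, gim_event_category, gim_event_subcategory, gim_event_type)."""
    return _GIM_BY_ACTION.get(action_id.strip().upper(), _GIM_DEFAULT)

def classify_event(text):
    """Parse one event body and add the four GIM fields the normalization step would set."""
    fields = parse_audit_event(text)
    code, cat, sub, etype = gim_classify(fields.get("action_id", ""))
    return {**fields, "gim_event_type_code": code, "gim_event_category": cat,
            "gim_event_subcategory": sub, "gim_event_type": etype}

# The page's sample 33205 event, abridged (statement and XML shortened) for a stand-alone run.
SAMPLE_EVENT = (
    "Audit event: audit_schema_version:1 event_time:2025-12-20 06:57:56.5583559 sequence_number:1 "
    "action_id:LGIS succeeded:true is_column_permission:false session_id:74 server_principal_id:278 "
    "database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 "
    "user_defined_event_id:0 transaction_id:0 class_type:LX duration_milliseconds:0 response_rows:0 "
    "affected_rows:0 client_tls_version:771 database_transaction_id:0 ledger_start_sequence_number:0 "
    "is_local_secondary_replica:false client_ip:local machine "
    "permission_bitmask:00000000000000000000000000000000 "
    "sequence_group_id:42E30E6A-78BD-4E21-AAC3-2FAF685B1753 session_server_principal_name:Testuser "
    "server_principal_name:Testuser server_principal_sid:b2610e1b7b82cf4a995de88f5f2ee716 "
    "database_principal_name: target_server_principal_name: target_server_principal_sid: "
    "target_database_principal_name: server_instance_name:WIN-MOETVK6G9VU database_name: schema_name: "
    "object_name: statement:-- network protocol: LPC set quoted_identifier on set ansi_nulls on "
    'additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">'
    "<is_dac>0</is_dac></action_info> user_defined_information: "
    "application_name:Framework Microsoft SqlClient Data Provider "
    "connection_id:03ACF660-09CF-4F4C-B57A-8E57672FE3E7 data_sensitivity_information: "
    "host_name:WIN-MOETVK6G9VU session_context: client_tls_version_name:1.2 "
    "external_policy_permissions_checked: obo_middle_tier_app_id:"
)
```

Splitting on the known key set is what lets values such as client_ip:local machine, the multi-word application_name and the free-text statement survive intact, which a whitespace or generic key=value tokenizer would not manage; the trade-off, noted in the parser's docstring, is that a statement containing the literal text of a later key followed by a colon would be cut short, so a production rule should also check that the parsed field count matches the expected schema.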