-
Notifications
You must be signed in to change notification settings - Fork 31
/
azureSQLJDBC.conf
63 lines (54 loc) · 2.84 KB
/
azureSQLJDBC.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#/*
#Copyright 2020-2022 IBM Inc. - All Rights Reserved.
#SPDX-License-Identifier: Apache-2.0
#*/
input {
jdbc {
jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
jdbc_connection_string => "<JDBC-Connection-String>"
jdbc_user => "<user-name>@<server_instance_name>"
jdbc_password => "<Password>"
schedule => "*/1 * * * *"
clean_run => false
statement => "SELECT event_time,succeeded,session_id,database_name,client_ip,server_principal_name,application_name,statement,server_instance_name,host_name,DATEDIFF_BIG(ns, '1970-01-01 00:00:00.00000', event_time) AS updatedeventtime,additional_information FROM sys.fn_get_audit_file('https://<storage-account-name>.blob.core.windows.net/sqldbauditlogs/<server_instance_name>/<DB-NAME>', DEFAULT, DEFAULT) where action_id='BCM' and statement not like '%xproc%' and statement not like '%SPID%' and statement not like '%DEADLOCK_PRIORITY%' and application_name not like '%Microsoft SQL Server Management Studio - Transact-SQL IntelliSense%' and DATEDIFF_BIG(ns, '1970-01-01 00:00:00.00000', event_time) > :sql_last_value"
use_column_value => true
tracking_column => "updatedeventtime"
tracking_column_type => "numeric"
#This location stores the offset till which records are processed
last_run_metadata_path => "./.azureSQL_logstash_jdbc_last_run"
type => "azureSQL"
#Insert the enrollment id of the Azure account
add_field => {"enrollmentId" => "<enrollmentId>"}
}
}
filter {
if [type] == "azureSQL" {
if [additional_information] {
mutate {
add_field => { "[ADDITIONAL_INFORMATION]" => "%{additional_information}"}
}
}
if[database_name] {
mutate {
add_field => { "[DATABASE_NAME]" => "%{enrollmentId}:%{server_instance_name}:%{database_name}"}
}
}
mutate {
add_field => {
"[TIMESTAMP]" => "%{updatedeventtime}"
"[CLIENT_HOST_NAME]" => "%{host_name}"
"[STATEMENT]" => "%{statement}"
"[Client_IP]" => "%{client_ip}"
"[SERVER_INSTANCE_NAME]" => "%{server_instance_name}"
"[SUCCEEDED]" => "%{succeeded}"
"[User_Name]" => "%{server_principal_name}"
"[APPLICATION_NAME]" => "%{application_name}"
"[Session_ID]" => "%{session_id}"
"[Server_Hostname]" => "%{enrollmentId}_%{server_instance_name}"
}
}
mutate { gsub => [ "STATEMENT", "[\n]", "" ] }
azuresql_guardium_plugin_filter{}
mutate { remove_field => ["@version","type","@timestamp","additional_information","session_id","updatedeventtime","client_ip","User_Name","server_principal_name","statement","host_name","server_instance_name","succeeded","database_name","application_name","TIMESTAMP","CLIENT_HOST_NAME","STATEMENT","Client_IP","SERVER_INSTANCE_NAME","SUCCEEDED","User_Name","APPLICATION_NAME","Session_ID","Server_Hostname","enrollmentId"] }
}
}