{ "name": "microsoft_sqlserver", "title": "Microsoft SQL Server", "version": "2.11.0", "release": "ga", "description": "Collect events from Microsoft SQL Server with Elastic Agent", "type": "integration", "download": "/epr/microsoft_sqlserver/microsoft_sqlserver-2.11.0.zip", "path": "/package/microsoft_sqlserver/2.11.0", "icons": [ { "src": "/img/microsoft-sql-server-logo.svg", "path": "/package/microsoft_sqlserver/2.11.0/img/microsoft-sql-server-logo.svg", "title": "Microsoft SQL Server", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.13.0" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/obs-infraobs-integrations" }, "categories": [ "database_security", "security", "observability" ], "signature_path": "/epr/microsoft_sqlserver/microsoft_sqlserver-2.11.0.zip.sig", "format_version": "3.0.2", "readme": "/package/microsoft_sqlserver/2.11.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/sqlserver-dashboard.png", "path": "/package/microsoft_sqlserver/2.11.0/img/sqlserver-dashboard.png", "title": "Microsoft SQL Server Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/sqlserver-perf-dashboard.png", "path": "/package/microsoft_sqlserver/2.11.0/img/sqlserver-perf-dashboard.png", "title": "Microsoft SQL Server Performance Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/sqlserver-transaction-dashboard.png", "path": "/package/microsoft_sqlserver/2.11.0/img/sqlserver-transaction-dashboard.png", "title": "Microsoft SQL Server Transaction Log Dashboard", "size": "600x600", "type": "image/png" }, { "src": "/img/sqlserver-errorlog-dashboard.png", "path": "/package/microsoft_sqlserver/2.11.0/img/sqlserver-errorlog-dashboard.png", "title": "Microsoft SQL Server Error Log Dashboard", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/microsoft_sqlserver/2.11.0/LICENSE.txt", "/package/microsoft_sqlserver/2.11.0/changelog.yml", "/package/microsoft_sqlserver/2.11.0/manifest.yml", "/package/microsoft_sqlserver/2.11.0/docs/README.md", "/package/microsoft_sqlserver/2.11.0/img/microsoft-sql-server-logo.svg", "/package/microsoft_sqlserver/2.11.0/img/sqlserver-dashboard.png", "/package/microsoft_sqlserver/2.11.0/img/sqlserver-errorlog-dashboard.png", "/package/microsoft_sqlserver/2.11.0/img/sqlserver-perf-dashboard.png", "/package/microsoft_sqlserver/2.11.0/img/sqlserver-transaction-dashboard.png", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/manifest.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/log/manifest.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/log/sample_event.json", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/manifest.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/sample_event.json", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/manifest.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/sample_event.json", "/package/microsoft_sqlserver/2.11.0/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json", "/package/microsoft_sqlserver/2.11.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json", "/package/microsoft_sqlserver/2.11.0/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json", "/package/microsoft_sqlserver/2.11.0/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/fields/agent.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/fields/base-fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/fields/fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/fields/winlog.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/log/fields/agent.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/log/fields/base-fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/log/fields/fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/fields/agent.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/fields/base-fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/fields/ecs.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/fields/fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/fields/agent.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/fields/base-fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/fields/ecs.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/fields/fields.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/agent/stream/winlog.yml.hbs", "/package/microsoft_sqlserver/2.11.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/log/agent/stream/log.yml.hbs", "/package/microsoft_sqlserver/2.11.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/agent/stream/stream.yml.hbs", "/package/microsoft_sqlserver/2.11.0/data_stream/performance/elasticsearch/ingest_pipeline/default.yml", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/agent/stream/stream.yml.hbs", "/package/microsoft_sqlserver/2.11.0/data_stream/transaction_log/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "audit_logs", "title": "Microsoft SQL Server logs and metrics", "description": "Collect logs and metrics from Microsoft SQL Server", "inputs": [ { "type": "winlog", "title": "Collect audit events from Windows event logs", "description": "Collecting audit events from Windows event logs" }, { "type": "logfile", "title": "Collect logs from Microsoft SQL Server instances", "description": "Collecting error logs from Microsoft SQL Server instances" }, { "type": "sql/metrics", "vars": [ { "name": "hosts", "type": "text", "title": "Host", "description": "Hostname (e.g. For `Default Instance`, use the format `host` or `host:port` and for `Named Instance` use the format `host/instanceName` or `host:NamedInstancePort`)", "multi": false, "required": true, "show_user": true, "default": [ "localhost" ] }, { "name": "password", "type": "password", "title": "Password", "description": "Use URL encoding for passwords with special characters", "multi": false, "required": true, "show_user": true, "default": "verysecurepassword" }, { "name": "username", "type": "text", "title": "Username", "description": "Domain users: Pre-encode username when passing backslash e.g. {domain}%5C{username} instead of {domain}\\\\{username}", "multi": false, "required": true, "show_user": true, "default": "domain\\username" } ], "title": "Collect Microsoft SQL Server performance and transaction_log metrics", "description": "Collecting performance and transaction_log metrics from Microsoft SQL Server instances" } ], "multiple": true } ], "data_streams": [ { "type": "logs", "dataset": "microsoft_sqlserver.audit", "title": "SQL Server audit events", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "winlog", "vars": [ { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original XML event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "event_id", "type": "text", "title": "Event ID", "description": "Defaults to 33205. Change the default only if SQL Server uses another documented event ID for audits. Setting a value other than an SQL Server audit event ID will cause the package to malfunction. A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 33205), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.", "multi": false, "required": false, "show_user": false, "default": 33205 }, { "name": "channel", "type": "text", "title": "Channel", "description": "Channel name where audit events are configured to be sent.", "multi": false, "required": true, "show_user": true, "default": "Security" }, { "name": "ignore_older", "type": "text", "title": "Ignore events older than", "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", "multi": false, "required": false, "show_user": false, "default": "72h" }, { "name": "language", "type": "text", "title": "Language ID", "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US", "multi": false, "required": false, "show_user": false, "default": 0 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false }, { "name": "custom", "type": "yaml", "title": "Custom Configurations", "description": "YAML configuration options for winlog input. Be careful, this may break the integration.", "multi": false, "required": false, "show_user": false, "default": "# Winlog configuration example\n#batch_read_size: 100" } ], "template_path": "winlog.yml.hbs", "title": "SQL Server audit events from Windows event logs", "description": "Collect SQL Server audit events from the Windows event logs", "enabled": true, "ingestion_method": "API" } ], "package": "microsoft_sqlserver", "path": "audit" }, { "type": "logs", "dataset": "microsoft_sqlserver.log", "title": "Microsoft SQL Server error logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "logfile", "vars": [ { "name": "paths", "type": "text", "title": "Paths", "multi": true, "required": true, "show_user": true, "default": [ "/var/opt/mssql/log/error*" ] }, { "name": "encoding", "type": "text", "title": "Encoding", "description": "The file encoding to use for reading data that contains international characters. Valid encoding names are listed [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#_encoding_3).", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "mssql-logs" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "log.yml.hbs", "title": "Microsoft SQL Server error logs", "description": "Collect Microsoft SQL Server error logs", "enabled": true, "ingestion_method": "File" } ], "package": "microsoft_sqlserver", "path": "log" }, { "type": "metrics", "dataset": "microsoft_sqlserver.performance", "title": "Microsoft SQL Server performance metrics", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "sql/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "60s" }, { "name": "dynamic_counter_name", "type": "text", "title": "Dynamic Counter Name", "description": "Collect the values for dynamic counters based on the provided pattern from the performance table.", "multi": false, "required": false, "show_user": true, "default": "Memory Grants Pend%" }, { "name": "preserve_sql_queries", "type": "bool", "title": "Preserve SQL Queries", "description": "Preserves SQL queries for debugging purposes. This feature is available in Elastic stack version 8.18 and later.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "Microsoft SQL Server performance metrics", "description": "Collect Microsoft SQL Server performance metrics", "enabled": true, "ingestion_method": "Database" } ], "package": "microsoft_sqlserver", "elasticsearch": { "ingest_pipeline.name": "default" }, "path": "performance" }, { "type": "metrics", "dataset": "microsoft_sqlserver.transaction_log", "title": "Microsoft SQL Server transaction_log metrics", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "sql/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "60s" }, { "name": "databases", "type": "text", "title": "Databases", "description": "Fetch the transaction_logs metrics from the provided databases. Both, user-defined and system database names can be provided as input, with the system databases already being included by default.", "multi": true, "required": true, "show_user": true, "default": [ "master", "model", "tempdb", "msdb" ] }, { "name": "fetch_from_all_databases", "type": "bool", "title": "Fetch from all databases", "description": "Option to enable fetching transaction_logs metrics from all databases, including both system and user-defined databases. This option overrides any database names provided in the 'Databases' field and instead considers all databases.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "preserve_sql_queries", "type": "bool", "title": "Preserve SQL Queries", "description": "Preserves SQL queries for debugging purposes.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "Microsoft SQL Server transaction_log metrics", "description": "Collect Microsoft SQL Server transaction_log metrics", "enabled": true, "ingestion_method": "Database" } ], "package": "microsoft_sqlserver", "elasticsearch": { "ingest_pipeline.name": "default" }, "path": "transaction_log" } ] }