This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-11-09 05:29 PM

Undefined MSSQL messages messages on 2008 servers

We're running enVision 4.0 SP4 Patch 3.   For Windows collection, we are on content 2.0.  The most recent Windows ESU we have installed is from April 2011.

 

We collect MSSQL server logs from both Windows 2003 and Windows 2008 servers.  The MSSQL logs collected from the Windows 2008 servers are all undefined and don't parse. 

 

The message header is %NICWIN-4-Application_18453_MSSQLSERVER

 

I mean, like, half of the messages coming from these servers are Windows Application logs, but they're undefined.  For one server, in the last hour it generated 130,000 messages, and 65,000 of them are undefined, and have the header above in them.

 

  • Does anyone know if by now, November 2011, these Windows 2008 MSSQL server messages are defined and parse?
0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2011-11-10 08:12 AM

MSSQL events parse against the MSSQL device type. If you are collecting windows security events as well as MSSQL application events from the same server then the IP of the server must be configured as a Multi-device. Based on your comments it looks like you only have a Windows (NIC) device discovered. Next step would be to manually add a MSSQL device type for that same IP and mark both of them as multi-device. The messages will then be parsed by their respective device types.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.