EventSentry can send event log records to any supported database server using ODBC. Connection strings are the recommended way to point the action to a database.
See Steps to Event Log Consolidation for information on how to consolidate event log records.
Use the Database Import Utility to import archived event log backup (.evt/.evtx) or log files into a database.
Applications can either use a connection string or a system DSN (data source name) to connect to a database. The former is easier to deploy since you don't have to create (and maintain) a DSN on every host.
To create the connection string, either refer to your:
•Database vendors documentation
•An online resource (e.g. http://www.connectionstrings.com)
•Use the built-in Connection String Helper by clicking on Create
The Connection String Helper will setup a connection string for supported databases automatically, you will only need to specify the required parameters. If your connection string needs additional information or does not work then please edit the generated string in the main ODBC dialog manually.
Checking this box will prevent the connection string details from being transmitted to the remote agents for additional security. This check-box should only be checked when a collector is configured, otherwise the remote agents will not be able to connect to the database.
If one or more remote hosts are running an EventSentry service other than the monitoring agent (e.g. Heartbeat Agent, Network Service), then the hosts running those services will need to be configured as a Trusted Host. Trusted hosts will receive the full connection string details, even when enhanced security is enabled. To configure a host as trusted, right-click the host item in the computer group, click "Edit" and check the "Trusted Host" check box.
Note: The password will appear in plain text in the connection string field of the main database dialog after you click OK.
After setting up a connection to your database server, click the Initialize or Update Database button to create the database and schema.
As an alternative to connection strings you can also use System DSN names to connect to a database. Enter the name of a System DSN, please see Best Practices for more information on DSN names. The DSN name specified here needs to exist on every host using this action (see also: Troubleshooting).
You cannot specify both a DSN and a connection string.
Username / Password
If your data source requires a login then specify username and password. For more information on username and passwords please also read Best Practices.
Clicking this button will bring up the Data Source Administrator, a built-in application that ships with Windows and allows you to configure System and User DSNs. Note that this button is only active when you are connected to the local machine.
Initialize or Update Database
Launches the Configuration Assistant, which either creates a new database or updates an existing database to the latest schema (according to schema.xml). Launching the configuration assistant is only necessary when creating a new EventSentry action, or when the configuration assistant failed to update one more more database during an upgrade.
Ignore Binary Data
Some events, usually from either the Application or System event log, have binary data associated with them. If you are not interested in consolidating binary data in the database, then you can check this check box.
Extended Error Logging
By default the EventSentry agent only logs connection-related database issues to the event log. By enabling extended error logging, most database errors are logged to the event log periodically.
Trim Windows Security Events
Many Windows security events contain non-essential descriptions after the event details. These descriptions are the same for all events of the same event id, and can use up considerable space in a database. Activating this option will automatically remove these descriptions from the event before they are logged to the database. The event descriptions remain in place for all other notification types, e.g. email. The screenshot below shows what type of information is removed from the event based on the Windows Security event 4688 which is logged when a new process is launched:
Always Append Binary Data - REGISTRY & ADVANCED USERS ONLY
In some cases, especially when handling large amounts of large, unique and non-repetitive binary data, the EventSentry agents can pose a significant stress on the database server when the size of the ESEventlogData table gets too big. All binary data is stored in this lookup table, and the agent attempts to reuse existing rows in this table if it is encountering duplicate binary data, as is generally the case.
If you expect large amounts of unique binary data, then you can avoid this problem by preventing the EventSentry agent from re-using binary entries and instead appending binary data to the ESEventlogData table. This will impose less work on the database server, since the ESEventlogData table does not have to be queried as often anymore (it still has to be queried once for every binary entry).
To activate this option:
•Clear the "Ignore Binary Data" check box if it is checked
•Close the management console
•Start regedit.exe and navigate to the registry for the action you would like to activate this for:
where MYDATABASE is the name of your database action. There, add a new DWORD value with the name of ODBC_AlwaysAppendBinaryData and set the value to 1.
Click here to view a Frequently Asked Questions entry for this action.