
Database


EventSentry can send event log records to any supported database server using ODBC. Connection strings are the recommended way to point the action to a database.

 


See Steps to Event Log Consolidation for information on how to consolidate event log records.

 

Use the Database Import Utility to import archived event log backup (.evt/.evtx) or log files into a database.

 


 

Connection Strings

Applications can either use a connection string or a system DSN (data source name) to connect to a database. The former is easier to deploy since you don't have to create (and maintain) a DSN on every host. Keep in mind that a connection string usually embeds the database username and password; see Enhanced Security below for how to keep those details off the remote agents.

 

To create the connection string, either:

Refer to your database vendor's documentation

Refer to an online resource (e.g. http://www.connectionstrings.com)

Use the built-in Connection String Helper by clicking on Create

 

The Connection String Helper will set up a connection string for supported databases automatically; you only need to specify the required parameters. If your connection string needs additional information or does not work, edit the generated string manually in the main ODBC dialog.

 

Enhanced Security

Checking this box prevents the connection string details (including the database username and password) from being transmitted to the remote agents. Only check this box when a collector is configured; without a collector the remote agents have no other way to reach the database and will fail to connect.

 

If one or more remote hosts are running an EventSentry service other than the monitoring agent (e.g. Heartbeat Agent, Network Service), then each host running those services needs to be configured as a Trusted Host. Trusted hosts receive the full connection string details even when enhanced security is enabled, so limit this to hosts that actually need a direct database connection. To configure a host as trusted, right-click the host item in the computer group, click "Edit" and check the "Trusted Host" check box.

 


 


After setting up a connection to your database server, click the Initialize or Update Database button to create the database and schema.

DSN Name

As an alternative to connection strings you can also use System DSN names to connect to a database. Enter the name of a System DSN; see Best Practices for more information on DSN names. The DSN name specified here needs to exist on every host using this action (see also: Troubleshooting).

 

You cannot specify both a DSN and a connection string.
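The Connection String Helper above generates the string for you, and the DSN Name section requires exactly one of a DSN or a connection string. The following PowerShell is an added example, not EventSentry's own code or its parser: it reads an ODBC connection string the way the driver manager does (key=value pairs separated by ';', values containing ';' wrapped in braces, a literal '}' inside braces doubled), redacts the password so the string can be logged or pasted into a ticket safely, and enforces the DSN-or-connection-string rule, checking with the Windows Get-OdbcDsn cmdlet that a named System DSN actually exists on the host the script runs on. The function names, the sample server, database and service account are assumptions made up for this example.

```powershell
# Added example (not part of EventSentry): parse, redact and sanity-check the
# ODBC settings of a Database action before they are rolled out to agents.

function ConvertFrom-OdbcConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    $parts = [ordered]@{}          # keyword lookup is case-insensitive, like ODBC itself
    $s = $ConnectionString
    $i = 0
    while ($i -lt $s.Length) {
        # skip empty entries and whitespace between entries
        while ($i -lt $s.Length -and ($s[$i] -eq ';' -or [char]::IsWhiteSpace($s[$i]))) { $i++ }
        if ($i -ge $s.Length) { break }

        $eq = $s.IndexOf('=', $i)
        if ($eq -lt 0) { throw "Malformed connection string: no '=' after position $i" }
        $key = $s.Substring($i, $eq - $i).Trim()
        $i = $eq + 1

        if ($i -lt $s.Length -and $s[$i] -eq '{') {
            # braced value: runs to the first '}' that is not doubled ('}}' is a literal '}')
            $i++
            $sb = New-Object System.Text.StringBuilder
            $closed = $false
            while ($i -lt $s.Length) {
                if ($s[$i] -eq '}') {
                    if ($i + 1 -lt $s.Length -and $s[$i + 1] -eq '}') { [void]$sb.Append('}'); $i += 2; continue }
                    $closed = $true; $i++; break
                }
                [void]$sb.Append($s[$i]); $i++
            }
            if (-not $closed) { throw "Malformed connection string: unterminated '{' in value of '$key'" }
            $value = $sb.ToString()
            # the driver manager ignores anything between the closing brace and the next ';'
            while ($i -lt $s.Length -and $s[$i] -ne ';') { $i++ }
        }
        else {
            $end = $s.IndexOf(';', $i)
            if ($end -lt 0) { $end = $s.Length }
            $value = $s.Substring($i, $end - $i).Trim()
            $i = $end
        }
        $parts[$key] = $value
    }
    return $parts
}

function Get-RedactedConnectionString {
    # Rebuilds the string with the password masked; values that need quoting are re-braced.
    param([Parameter(Mandatory)][string]$ConnectionString)
    $parts = ConvertFrom-OdbcConnectionString $ConnectionString
    $rebuilt = foreach ($key in @($parts.Keys)) {
        $value = if ($key -in 'PWD', 'Password') { '***' } else { $parts[$key] }
        if ($value -match '[;{}]') { $value = '{' + ($value -replace '}', '}}') + '}' }
        "$key=$value"
    }
    return ($rebuilt -join ';')
}

function Test-DatabaseActionConfig {
    # Mirrors the action's rule: exactly one of DSN name / connection string.
    param([string]$Dsn, [string]$ConnectionString)

    if ($Dsn -and $ConnectionString) { throw 'The action accepts either a DSN name or a connection string, not both.' }
    if (-not $Dsn -and -not $ConnectionString) { throw 'The action needs a DSN name or a connection string.' }

    if ($Dsn) {
        # A System DSN only works if it exists on *this* host.
        # Get-OdbcDsn ships with Windows (Wdac module, Windows 8 / Server 2012 and later).
        $found = Get-OdbcDsn -Name $Dsn -DsnType System -ErrorAction SilentlyContinue
        if (-not $found) { throw "System DSN '$Dsn' does not exist on $env:COMPUTERNAME" }
        return "System DSN '$Dsn' present on $env:COMPUTERNAME (driver: $($found.DriverName))"
    }

    $parts = ConvertFrom-OdbcConnectionString $ConnectionString
    if (-not ($parts.Contains('Driver') -or $parts.Contains('DSN'))) { throw 'Connection string names neither a Driver nor a DSN' }
    return 'Connection string OK: ' + (Get-RedactedConnectionString $ConnectionString)
}

# Constructed sample (hypothetical server and account): the password contains ';' and '}'
# and therefore has to be brace-quoted, with the '}' doubled.
$sample = 'Driver={ODBC Driver 17 for SQL Server};Server=sql01.example.local,1433;Database=EventSentry;UID=eventsentry_svc;PWD={p;a}}ss};Encrypt=yes'
Test-DatabaseActionConfig -ConnectionString $sample
Test-DatabaseActionConfig -Dsn 'EventSentry'
```

Run the DSN variant on each host that uses the action, not just on the management console: the DSN check is per machine, which is exactly why the page recommends connection strings over DSNs for deployment.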

 

Username / Password

If your data source requires a login then specify username and password. For more information on username and passwords please also read Best Practices.

 

Manage ODBC

Clicking this button will bring up the Data Source Administrator, a built-in application that ships with Windows and allows you to configure System and User DSNs. Note that this button is only active when you are connected to the local machine.

 

Initialize or Update Database

Launches the Configuration Assistant, which either creates a new database or updates an existing database to the latest schema (according to schema.xml). Launching the configuration assistant is only necessary when creating a new EventSentry action, or when the configuration assistant failed to update one or more databases during an upgrade.

 

PostgreSQL Optimization

Launches the PostgreSQL Optimization dialog, which helps simplify the optimization of the built-in database.

 

General Options

 

Ignore Binary Data

Some events, usually from either the Application or System event log, have binary data associated with them. If you are not interested in consolidating binary data in the database, then you can check this check box.

 

Extended Error Logging

By default the EventSentry agent only logs connection-related database issues to the event log. By enabling extended error logging, most database errors are logged to the event log periodically.

 

Trim Windows Security Events

Many Windows security events contain non-essential descriptions after the event details. These descriptions are the same for all events of the same event id, and can use up considerable space in a database. Activating this option will automatically remove these descriptions from the event before they are logged to the database. The event descriptions remain in place for all other notification types, e.g. email. The screenshot below shows what type of information is removed from the event based on the Windows Security event 4688 which is logged when a new process is launched:

 

[Screenshot: Windows Security event 4688 with the trimmed description highlighted]

 

Always Append Binary Data - REGISTRY & ADVANCED USERS ONLY

In some cases, especially when handling large amounts of large, unique and non-repetitive binary data, the EventSentry agents can place significant load on the database server once the ESEventlogData table gets too big. All binary data is stored in this lookup table, and the agent attempts to reuse existing rows in this table when it encounters duplicate binary data, which is generally the case.

 

If you expect large amounts of unique binary data, then you can avoid this problem by preventing the EventSentry agent from reusing binary entries and instead always appending binary data to the ESEventlogData table. This reduces the load on the database server, since the ESEventlogData table no longer has to be queried as often (it still has to be queried once for every binary entry).

 

To activate this option:

Clear the "Ignore Binary Data" check box if it is checked

Close the management console

Start regedit.exe and navigate to the registry key for the action you would like to activate this for:

HKEY_LOCAL_MACHINE\Software\netikus.net\EventSentry\Targets\MYDATABASE

where MYDATABASE is the name of your database action

There, add a new DWORD value named ODBC_AlwaysAppendBinaryData and set it to 1
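The same registry change can be scripted, which avoids creating a stray key for a misspelled action name and gives you a way to revert it. The PowerShell below is an added example and not an EventSentry tool; it assumes the key path exactly as given above and must be run from an elevated prompt with the management console closed, after the "Ignore Binary Data" check box has been cleared in the console (the script does not verify that setting, since its storage location is not documented here). MYDATABASE is the placeholder action name from the text.

```powershell
# Added example (not EventSentry's own tooling): toggle ODBC_AlwaysAppendBinaryData
# for one Database action. Run elevated, with the management console closed.

function Get-DatabaseActionKey {
    param([Parameter(Mandatory)][string]$ActionName)
    $key = "HKLM:\Software\netikus.net\EventSentry\Targets\$ActionName"
    if (-not (Test-Path -LiteralPath $key)) {
        # Refuse to create the key: a typo here would silently configure a non-existent action.
        throw "No action named '$ActionName' found at $key. Check the action name in the management console."
    }
    return $key
}

function Enable-AlwaysAppendBinaryData {
    param([Parameter(Mandatory)][string]$ActionName)
    $key = Get-DatabaseActionKey $ActionName

    # DWORD 1 = append every binary entry to ESEventlogData instead of de-duplicating it
    New-ItemProperty -LiteralPath $key -Name 'ODBC_AlwaysAppendBinaryData' -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back so a permission problem or a wrong hive does not go unnoticed
    $current = (Get-ItemProperty -LiteralPath $key -Name 'ODBC_AlwaysAppendBinaryData').ODBC_AlwaysAppendBinaryData
    if ($current -ne 1) { throw "Value was not written as expected (read back: $current)" }
    Write-Output "ODBC_AlwaysAppendBinaryData=1 set for action '$ActionName'"
}

function Disable-AlwaysAppendBinaryData {
    # Removing the value restores the default (reuse existing binary rows).
    param([Parameter(Mandatory)][string]$ActionName)
    $key = Get-DatabaseActionKey $ActionName
    Remove-ItemProperty -LiteralPath $key -Name 'ODBC_AlwaysAppendBinaryData' -ErrorAction SilentlyContinue
    Write-Output "ODBC_AlwaysAppendBinaryData removed for action '$ActionName'"
}

Enable-AlwaysAppendBinaryData -ActionName 'MYDATABASE'
```

After the value is set, reopen the management console and push the configuration to the agents as you normally would; the agents only pick up the change once they receive the updated configuration.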

 


See the Frequently Asked Questions entry for this action.