0

I want to create a centralized log with Graylog and log collectors such as Filebeat or NXLog. I know Microsoft SQL Server extended events creates .XEL files, but they are binary files.

Is there any clean way to read these xel files with Filebeat, NXLog or any other tool and send them to Graylog?

Arash Mousavi
  • 3
    You can use the [.NET QueryableXEventData class](https://learn.microsoft.com/en-us/dotnet/api/microsoft.sqlserver.xevent.linq.queryablexeventdata) to read xel files programmatically in .NET code or PowerShell script. For your needs, I think it would be easiest to create a text file from the XE data for ingestion by your tools. – Dan Guzman Feb 09 '19 at 13:40

1 Answer

3

With nxlog you could use the im_exec module and write a script (as suggested by @dan-guzman) that would convert the .xel files into a text-based format. The other option could be using the Event Tracing for Windows Target with the im_etw input module to collect ETW events.

b0ti
  • I have been trying to set up the im_etw module and basically everything seems to be alright but I'm not getting any output from nxLog. nxLog is working as I get output from e.g. sql server error log. I have been trying with different providers without any success. Do you know which etw provider you should use with extended events? – Peter Å Jun 23 '20 at 07:30
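
One way to write the conversion script suggested in the comment and answer above, as an added example that is not part of the original posts: a PowerShell script that reads .xel files with the QueryableXEventData class and prints one JSON object per event, which a collector can then read as text. The parameter names, the `Format-Value` helper and the `field_`/`action_` key prefixes are assumptions made for this example, and the folder holding the two XEvent assemblies depends on the installed SQL Server or management tools version, so it is passed in rather than hard-coded.

```powershell
# Added example: dump Extended Events .xel files as JSON lines on stdout.
# Assumes Windows PowerShell on a machine where the XEvent assemblies are installed.
param(
    [Parameter(Mandatory)] [string] $XelPath,      # a .xel file or wildcard pattern
    [Parameter(Mandatory)] [string] $XEventDllDir  # assumed: folder containing the two DLLs below
)

# Keep strings and primitive numbers/booleans as-is; stringify everything else
# (GUIDs, timestamps, XML payloads, call stacks) so the JSON stays flat.
function Format-Value($v) {
    if ($null -eq $v) { return $null }
    if ($v -is [string] -or $v.GetType().IsPrimitive) { return $v }
    return [string]$v
}

Add-Type -Path (Join-Path $XEventDllDir 'Microsoft.SqlServer.XE.Core.dll')
Add-Type -Path (Join-Path $XEventDllDir 'Microsoft.SqlServer.XEvent.Linq.dll')

$events = New-Object Microsoft.SqlServer.XEvent.Linq.QueryableXEventData($XelPath)
try {
    foreach ($evt in $events) {
        $record = [ordered]@{
            timestamp = $evt.Timestamp.ToUniversalTime().ToString('o')  # ISO 8601, UTC
            event     = $evt.Name
        }
        # Event payload columns and the actions (session_id, sql_text, ...) collected with them
        foreach ($f in $evt.Fields)  { $record["field_$($f.Name)"]  = Format-Value $f.Value }
        foreach ($a in $evt.Actions) { $record["action_$($a.Name)"] = Format-Value $a.Value }
        $record | ConvertTo-Json -Compress -Depth 3   # one line per event
    }
}
finally {
    $events.Dispose()
}
```

The script re-reads every matching file in full on each run, so either redirect its output to a text file once per closed .xel file or deduplicate downstream on the event timestamp and name.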