Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : SQLWRITER Messages | Base Rule | General Backup Information | Operations : Information |
| EVID 24583 : OLEDB Error | Sub Rule | Database Error | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='SQLWRITER'/><EventID Qualifiers='0'>24583</EventID><Level>Error</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-19T03:32:26.000000000Z'/><EventRecordID>690584</EventRecordID><Channel>Application</Channel><Computer>_destinationHostname</Computer><Security/></System><EventData><Data>ICommandText::Execute</Data><Data>0x80040e14</Data><Data>SQLSTATE: 42000, Native Error: 3013
Error state: 1, Severity: 16
Source: Microsoft OLE DB Provider for SQL Server
Error message: BACKUP DATABASE is terminating abnormally.
SQLSTATE: 42000, Native Error: 3271
Error state: 1, Severity: 16
Source: Microsoft OLE DB Provider for SQL Server
Error message: A nonrecoverable I/O error occurred on file "{a8fbc326-221a-473c-8d56-adc4e9d4dd4f}2:" 995(The I/O operation has been aborted because of either a thread exit or an application request.).
SQLSTATE: 01000, Native Error: 4035
Error state: 1, Severity: 0
Source: Microsoft OLE DB Provider for SQL Server
Error message: Processed 0 pages for database 'msdb', file 'MSDBData' on file 1.
</Data><Binary>53514C434F4E4E43393634000000000053514C434F4E4E433932390000000000</Binary></EventData></Event>

Mapping with LogRhythm Schema  

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider Name | SQLWRITER | <vendorinfo> | Text/String |
| EventID Qualifiers | 24583 | <vmid> | Number |
| Level | Error | <severity> | Text/String |
| Computer | _destinationHostname | <dname> | Text/String |
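
The following Python is an added example, not LogRhythm's own parsing rule: it extracts the four mapped fields from the event XML and, going beyond the mapping table, splits the last Data element into its individual SQL Server error records. The sample event is shortened from the log above; the function names and the severity threshold of 10 (SQL Server treats severities 0 to 10 as informational) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the log above with some elements and one error record removed.
SAMPLE = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='SQLWRITER'/><EventID Qualifiers='0'>24583</EventID><Level>Error</Level><Computer>_destinationHostname</Computer></System><EventData><Data>ICommandText::Execute</Data><Data>0x80040e14</Data><Data>SQLSTATE: 42000, Native Error: 3013
Error state: 1, Severity: 16
Source: Microsoft OLE DB Provider for SQL Server
Error message: BACKUP DATABASE is terminating abnormally.
SQLSTATE: 01000, Native Error: 4035
Error state: 1, Severity: 0
Source: Microsoft OLE DB Provider for SQL Server
Error message: Processed 0 pages for database 'msdb', file 'MSDBData' on file 1.
</Data></EventData></Event>"""

# One match per "SQLSTATE ... Error message" group in the event's free-text data.
RECORD = re.compile(
    r"SQLSTATE: (?P<sqlstate>\w+), Native Error: (?P<native>\d+)\s+"
    r"Error state: (?P<state>\d+), Severity: (?P<sev>\d+)\s+"
    r"Source: (?P<source>[^\n]+)\s+"
    r"Error message: (?P<message>[^\n]+)"
)

def parse_event(xml_text):
    """Return (schema fields from the mapping table, list of SQL error records)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": int(system.findtext("e:EventID", namespaces=NS)),
        "severity": system.findtext("e:Level", namespaces=NS),
        "dname": system.findtext("e:Computer", namespaces=NS),
    }
    detail = "\n".join(d.text or "" for d in root.iterfind("e:EventData/e:Data", NS))
    errors = [
        {"sqlstate": m["sqlstate"], "native_error": int(m["native"]),
         "severity": int(m["sev"]), "message": m["message"].strip()}
        for m in RECORD.finditer(detail)
    ]
    return fields, errors

def has_sql_error(errors):
    """True when any record is above the informational severity range (0-10)."""
    return any(e["severity"] > 10 for e in errors)
```
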