You need to add a SQL Server TFC Log Source to a LogRhythm System Monitor to collect converted SQL Server trace file data.
- Log in to the Client Console as a Global Administrator, and then click Deployment Manager.
- Click the System Monitors tab.
- Double-click the System Monitor Agent that will be collecting converted trace file data.
The System Monitor Agent Properties window appears.
- Click the Agent Settings tab.
- Right-click anywhere in the Log Sources list, and then click New.
- Click the Basic Configuration tab.
- Click the browse button to the right of the Log Message Source Type box.
The Log Source Type Selector window appears.
- Type C2 Audit in the Text Filter box, and then click Apply.
In the Log Source Type list, select the appropriate LogRhythm SQL Server C2 Audit Log type, as follows:
SQL Server Version Log Source Type 2005 LogRhythm SQL Server 2005 C2 Audit Log 2008, 2008 R2 LogRhythm SQL Server 2008 C2 Audit Log 2012, 2014 LogRhythm SQL Server 2012 C2 Audit Log
- After selecting the Log Source Type, click OK.
- Modify the default name and enter a brief description for the new Log Source.
- Under Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- Click the Flat File Settings tab.
- In the File Path box, type or paste the full path to the converted data directory specified in lrtfc.ini.
- You must do one of the following to ensure that all converted files are collected:
- Include the *.cnv wildcard in the path.
- Select the Is Directory check box under Directory Collection.
- Click the ellipsis button next to the Date Parsing Format box.
The Date Format Manager is displayed.
- Locate and select the LogRhythm SQL Server C2 Audit Log entry, and then click OK.
- Type or paste ^\SQLSVRTRC TIMESTAMP in the Log Message Start Regex box.
This regular expression enables the System Monitor to identify mult-line log messages as single, autonomous log messages.
- Click OK to save your changes to the Log Source, and then click OK to close the System Monitor Agent Properties window.