UDLA Collection

You can configure the Windows System Monitor Pro or Collector Agent to collect data from database tables, usually targeting tables that contain database audit or log data. LogRhythm stores the data from a table row as a log to allow analysis tools such as Investigator or Tail to review the information. Universal Database Log Adapter (UDLA) logs are treated like any other log type; they can be forwarded as events, associated with alarms, and archived.

UDLA Data Collection Prerequisites

Database Table

Two database table prerequisites must be met before LogRhythm can collect data. The table must have:

  • Either a primary key column or a concatenation of columns that creates a unique identifier for each row.
  • A column with an incrementing integer or a date/time stamp so that the table order can be determined.

A single column may be able to satisfy both requirements. The System Monitor Pro or Collector Agent uses the concept of state to know which rows of data have been collected from a table by tracking table sequence and by using the unique identifier. If a column is an auto-incrementing number for each row, and therefore unique in the table, it both defines the order of the data and provides the unique identifier. It can be used in the Unique Identifier Field and in the State Field of the UDLA settings.

For example, when a table has a primary key column which contains a unique, increasing value, this column can be used for the Unique Identifier Field and the State Field.

This sample contains one day of log traffic, where an event was logged every six hours.

| Key | Date | Time | Log |
|---|---|---|---|
| 1 | 01/01/2009 | 01:01:01 | An event has occurred. |
| 2 | 01/01/2009 | 07:01:01 | An event has occurred. |
| 3 | 01/01/2009 | 13:01:01 | An event has occurred. |
| 4 | 01/01/2009 | 19:01:01 | An event has occurred. |
| 5 | 01/01/2009 | 01:01:01 | An event has occurred. |

Corresponding UDLA Settings:

| UDLA Settings | Column(s) |
|---|---|
| Unique Identifier Field | Key |
| State Field | Key |
| State Field Type | Increment |

When there is no primary key column, a concatenation of columns can be used if doing so uniquely identifies all rows. Here, the System Monitor Pro or Collector Agent tracks collection state by using the unique identifier plus the State Field, which must be either an increasing integer or a date/time stamp.

For example, given the table below with the columns Date, Time, and Log, the concatenation of the Date and Time columns meets the prerequisite for a unique identifier. The State Field must always be either an incrementing integer or a date/time stamp, so the Date column meets the other requirement.

This sample contains one day of log traffic, where an event was logged every six hours.

| Date | Time | Log |
|---|---|---|
| 01/01/2009 | 01:01:01 | An event has occurred. |
| 01/01/2009 | 07:01:01 | An event has occurred. |
| 01/01/2009 | 13:01:01 | An event has occurred. |
| 01/01/2009 | 19:01:01 | An event has occurred. |
| 01/02/2009 | 01:01:01 | An event has occurred. |

Corresponding UDLA Settings:

| UDLA Setting Name | Column(s) |
|---|---|
| Unique Identifier Field | Date, Time |
| State Field | Date |
| State Field Type | Timestamp |
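
The state tracking described above, sketched as an added example (not LogRhythm's code and not the Agent's actual implementation): one polling pass over the second sample table, with Date as the State Field and Date plus Time as the Unique Identifier Field. SQLite, the table name audit, the ISO date format, and the function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample mirroring the Date/Time/Log table above. Dates are stored
# in ISO format (an assumption) so string comparison matches date order.
ROWS = [
    ("2009-01-01", "01:01:01", "An event has occurred."),
    ("2009-01-01", "07:01:01", "An event has occurred."),
    ("2009-01-01", "13:01:01", "An event has occurred."),
    ("2009-01-01", "19:01:01", "An event has occurred."),
    ("2009-01-02", "01:01:01", "An event has occurred."),
]

def make_db(rows):
    """Create an in-memory table named audit (hypothetical name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (Date TEXT, Time TEXT, Log TEXT)")
    conn.executemany("INSERT INTO audit VALUES (?, ?, ?)", rows)
    return conn

def collect(conn, state=None):
    """One polling pass. State Field = Date, Unique Identifier = (Date, Time).

    state is (highest Date collected, identifiers already collected at that
    Date). Returns (new_rows, new_state).
    """
    last, seen = state if state else ("", frozenset())
    # >= rather than >: Date is a coarse State Field, so rows sharing the last
    # collected Date may have been written since the previous pass.
    cur = conn.execute(
        "SELECT Date, Time, Log FROM audit WHERE Date >= ? ORDER BY Date, Time",
        (last,),
    )
    # The unique identifier filters out rows already collected at that Date.
    new_rows = [r for r in cur if (r[0], r[1]) not in seen]
    if not new_rows:
        return [], (last, seen)
    top = new_rows[-1][0]  # rows are ordered, so the last one has the highest Date
    # Keep identifiers only for the highest Date; rows with an older Date can
    # never pass the >= filter again.
    carried = seen if top == last else frozenset()
    new_seen = carried | {(d, t) for d, t, _ in new_rows if d == top}
    return new_rows, (top, new_seen)
```

In this sketch, a row written with a Date earlier than the stored state is never returned, which is why the State Field has to increase in the order rows are added.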

ODBC and OLE DB Drivers Availability

ODBC/OLE DB drivers must be installed and configured prior to data collection. They are available from the website of each supported database vendor:

  • Microsoft SQL Server 2016 SP2
  • Oracle 9i, 10g, 11g

    Oracle does not support Windows Server 2008 R2.

  • IBM DB2 v9
  • IBM DB2 v8
  • MySQL

System Monitor Pro or Collector Agent Host

The System Monitor Pro or Collector Agent requires that an OLE DB or ODBC driver be installed on the Agent host to connect to the specified Database Management System. A 64-bit System Monitor Agent is required.

Test Feature

The Test feature requires that the appropriate ODBC or OLE DB driver be installed on the Client Console host.
