Override UDLA SQL
The LogRhythm Client Console modifies the Query Statement entered in the UDLA tab. The result can cause the test to fail for a small number of databases or ODBC drivers. When this occurs, you can prevent the modification by using the UDLA SQL Override feature.
In LogRhythm, state is a unique timestamp or incrementing value that helps identify what has been collected from a UDLA log source. The first time a System Monitor Pro or Collector Agent connects to a UDLA log source, all the rows in the target table are collected using a SELECT statement. Subsequent connections retrieve new, uncollected rows using the same SELECT statement in conjunction with the state variable. When you use the Override feature, you must provide two SELECT statements - the initial one and one with the state variable.
The Override feature has the following requirements:
- You must enter two override SQL queries - OVERRIDE1 and OVERRIDE2 - or the validation will fail.
- The format of the Query Statement field should be <OVERRIDE1> Query1 <OVERRIDE2> Query2.
- OVERRIDE1 must have the <Max_Message_Count> tag.
- OVERRIDE2 must have the <Max_Message_Count> and the <State> tags. It is the same as OVERRIDE1 with a WHERE clause to evaluate state
- If the state field type is increment, the WHERE clause should use ‘>’ (greater than).
- If the state field type is timestamp, the WHERE clause should use ‘>=’ (greater than or equal to).
Example 1
If you enter this string in the Query Statement and it fails to validate:
SELECT TOP <Max_Message_Count> column1_LogID, column2_EventName FROM table_AuditLog
Enter the following SQL Override:
<OVERRIDE1> SELECT TOP <Max_Message_Count> column1_LogID, column2_EventName FROM table_AuditLog
<OVERRIDE2> SELECT TOP <Max_Message_Count> column1_LogID, column2_EventName FROM table_AuditLog WHERE column1_LogID > <State>
Example 2
If you enter this string in the Query Statement and it fails to validate:
SELECT TOP <Max_Message_Count> column1_EventDateTime, column2_EventName FROM table_AuditLog
Enter the following SQL Override:
<OVERRIDE1> SELECT TOP <Max_Message_Count> column1_EventDateTime, column2_EventName FROM table_AuditLog
<OVERRIDE2> SELECT TOP <Max_Message_Count> column1_EventDateTime, column2_EventName FROM table_AuditLog WHERE column1_EventDateTime>=<State>