Set Up Microsoft SQL Collector
If you use Microsoft SQL Relational Database Management Systems (RDBMS), you can set up the Microsoft SQL collector to pull logs from your RDBMS sources. The Microsoft SQL collector is a set of Site Collector flows, pre-built processors, groups, custom processors, other components, and integrations that pull logs in JSON format from your databases and push the logs to the New-Scale Security Operations Platform.
This collector supports the following Microsoft SQL database versions: Microsoft SQL 2016 SP3, 2017, 2019, and 2022.
To set up a Microsoft SQL collector:
Log in to the New-Scale Security Operations Platform with your registered credentials.
Navigate to Collectors > Site Collectors.
Ensure that Site Collector is installed and in running state.
On the Site Collector page, click the Collectors Library tab, then click Microsoft SQL.
In the Definition section, enter the required information as follows.
Collector Name – Specify a name for the Microsoft SQL collector.
Note
Ensure that you specify different names for the Site Collector instance and the collector.
Site Collector Instance – Select the site collector instance for which you want to set up the Microsoft SQL collector.
MS SQL Hostname or IP – Enter the IP address of the Microsoft SQL database server from which you want the Microsoft SQL collector to pull logs.
Port – Enter the port number of your Microsoft SQL server.
Database – Enter the database name of the destination.
Enable SSL – Select to enable secure connection between the Microsoft SQL collector and your Microsoft SQL server.
Click Next.
In the Authentication section, enter the username and password of an existing database user of your MS SQL server, for establishing connection with the Microsoft SQL source.
Click Next.
In the Data section, enter the required information as follows.
Fetch Interval – Select the time interval within which you want the Microsoft SQL collector to pull logs. For example: 30 sec, 1 min, 2 min, 3 min, 4 min, or 5 min.
Search Query – Enter the following details:
Iterator Column – Enter the value that will be used for incremental data pull. Ensure that the column value is unique, and is returned in the query result set.
Iterator column initial value – Enter the value for the initial data pull. Use the iterator column initial value to pull historical data.
Query – Enter the Microsoft SQL query to specify the type of data that you want the collector to pull.
For example, to fetch logs from the Microsoft SQL database, use the following query:
SELECT * FROM <table> tmp WHERE tmp.id > 0
where id is the iterator column.
The Iterator Column value must be returned as a uniquely named column in the dataset. If you use joins, use AS to specify a rename for the iterator. For example:
Select table1.id as iterator, table2.id, table2.value from table1 join table2 on table1.id = table2.fk where table2.value > 0
Query Preview – View the preview of the query that you enter.
For example:
SELECT * FROM (SELECT * FROM <table> ) WHERE id > 0
Click Setup.
The Microsoft SQL collector is set up and is ready to pull logs from your Microsoft SQL database.
After the Microsoft SQL collector is set up, Site Collector Core starts pulling logs periodically based on the query entered by the user and uploads the logs to the New-Scale Security Operations Platform. If the Microsoft SQL database is not available, Site Collector Core resumes pulling logs from the place where it stopped.
Note
BLOB fields collection is not supported.
In case of installation failure, the collector is disabled, and the configuration is saved. You can check the status of the collector by accessing the user interface or by using the support package.
Examples of ID-based or Time-based Microsoft SQL Queries
Refer to the following use cases for Microsoft SQL queries, which are often ID-based or time-based.
ID-based Microsoft SQL Queries
In ID-based Microsoft SQL queries, the iterator column is a sequential number, as shown in the following Badge Access use case. In this use case, users swipe their badges at a card reader to get into the company’s entrances. This badge system has accumulated 30,000 swipes since it has been online. Let’s pick up from what we know as a recent log count.
The query includes the following.
SELECT sequence_id, badge_number, card_reader, door_name, office_name, city_name, access_time, access_result FROM badge_accesses

Time-based Microsoft SQL Queries
In this time-based scenario, users swipe their badges at a card reader to get into the company’s entrances. This badge system has a lifetime of logs, yet let’s only pick up from March 1st of 2025. The default format for matching the time field is a string 'YYYY-MM-DD'.
The query includes the following.
SELECT badge_number, card_reader, door_name, office_name, city_name, access_time, access_result FROM badge_accesses
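The ID-based and time-based pulls above, together with the requirement that the iterator column be unique, can be modelled as follows. This is an added example, not code from the original page or from the product: it uses Python's sqlite3 as a stand-in for SQL Server, assumes the collector wraps the query as shown in Query Preview and compares with a strict `>` against the last value it saw, and assumes sequence_id (initial value 30000) and access_time (initial value '2025-03-01') as the iterator columns. The sample swipes are constructed.

```python
import sqlite3

QUERY = ("SELECT sequence_id, badge_number, access_time, access_result "
         "FROM badge_accesses")

def make_db():
    """Constructed in-memory stand-in for the page's badge_accesses table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE badge_accesses (sequence_id INTEGER PRIMARY KEY,"
               " badge_number TEXT, access_time TEXT, access_result TEXT)")
    return db

def pull(db, iterator, last_value):
    """One fetch interval: wrap QUERY as in Query Preview, advance the checkpoint."""
    # ORDER BY is an assumption of this model so the last row holds the highest value.
    sql = f"SELECT * FROM ({QUERY}) WHERE {iterator} > ? ORDER BY {iterator}"
    cur = db.execute(sql, (last_value,))
    cols = [c[0] for c in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    return rows, (rows[-1][iterator] if rows else last_value)

def run_scenario(iterator, initial_value):
    """Two fetch intervals; returns the sequence_ids that were collected."""
    db = make_db()
    insert = "INSERT INTO badge_accesses VALUES (?, ?, ?, ?)"
    db.executemany(insert, [  # constructed sample swipes
        (30001, "B-17", "2025-03-01 08:00:00", "granted"),
        (30002, "B-22", "2025-03-01 08:00:05", "denied")])
    first, checkpoint = pull(db, iterator, initial_value)
    # Written after the first pull; 30003 shares a timestamp with 30002.
    db.executemany(insert, [
        (30003, "B-40", "2025-03-01 08:00:05", "granted"),
        (30004, "B-17", "2025-03-01 08:01:00", "granted")])
    second, checkpoint = pull(db, iterator, checkpoint)
    return [r["sequence_id"] for r in first + second]

def id_based():
    return run_scenario("sequence_id", 30000)

def time_based():
    return run_scenario("access_time", "2025-03-01")

if __name__ == "__main__":
    print("ID-based collected:  ", id_based())
    print("Time-based collected:", time_based())
```

In this model the time-based run never collects swipe 30003, because its timestamp equals the checkpoint left by the first pull; the ID-based run collects all four rows. A gap of this kind is silent on the collection side, so where timestamps can repeat, a unique sequential column is the safer iterator.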
