SQL collector
Has anyone tried to use the Microsoft SQL Server collector? I am using it
to collect events on a trace that I set up on the database. I create the
Data Source with Windows' 'data source administrator' without a problem and
I can even see through the SQL profiler how this Data Source connects when
I test it. However, when I configure the collector (using
T1_MSFT_SQLS_8xxx_ODBC_Wv520 with Sentinel 6.0), this one seems to start
and immediately stop without sending a single event (not even one that
indicates an error).
When I debug the collector, the same thing happens and I can see that it
does not even start the state 1 of the collector. Does anyone have a clue
as to what could be causing this? Here are the relevant logs from the
collector manager if anyone can spot something I can't. Thanks!
From the collector_mgr logs:
Thu Jun 28 16:03:29 CEST 2007|Thread-150|INFO|Updated agent T1_MSFT_SQLS_8xxx_ODBC_Wv520 (270F1510-06D8-102A-A774-E27442632DD1).||||esecurity.ccs.comp.agentmanager.AgentManager$CollectorDataObjectListener|onNotification|
Thu Jun 28 16:04:54 CEST 2007|Thread-153|INFO|Updated agent T1_MSFT_SQLS_8xxx_ODBC_Wv520 (270F1510-06D8-102A-A774-E27442632DD1).||||esecurity.ccs.comp.agentmanager.AgentManager$CollectorDataObjectListener|onNotification|
Thu Jun 28 16:05:28 CEST 2007|Thread-151|INFO|Checking if directory ...\data\collector_mgr.cache\collector_plugins\T1_MSFT_SQLS_8xxx_ODBC_Wv520_9B37B4F6-597C-1029-9B4F-0014223D9DEC_54831 has hash matching VK5mLyVFk/bXwQmUOKwfgg==.||||esecurity.ccs.comp.repository.PluginCacheManager|isUpToDate|
Thu Jun 28 16:05:28 CEST 2007|Thread-151|INFO|Local directory ...\data\collector_mgr.cache\collector_plugins\T1_MSFT_SQLS_8xxx_ODBC_Wv520_9B37B4F6-597C-1029-9B4F-0014223D9DEC_54831 has hash value VK5mLyVFk/bXwQmUOKwfgg==.||||esecurity.ccs.comp.repository.PluginCacheManager|isUpToDate|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|Checking if directory ...\data\collector_mgr.cache\collector_plugins\T1_MSFT_SQLS_8xxx_ODBC_Wv520_9B37B4F6-597C-1029-9B4F-0014223D9DEC_54831 has hash matching VK5mLyVFk/bXwQmUOKwfgg==.||||esecurity.ccs.comp.repository.PluginCacheManager|isUpToDate|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|Local directory ...\data\collector_mgr.cache\collector_plugins\T1_MSFT_SQLS_8xxx_ODBC_Wv520_9B37B4F6-597C-1029-9B4F-0014223D9DEC_54831 has hash value VK5mLyVFk/bXwQmUOKwfgg==.||||esecurity.ccs.comp.repository.PluginCacheManager|isUpToDate|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|Starting agent: T1_MSFT_SQLS_8xxx_ODBC_Wv520||||esecurity.ccs.comp.agentmanager.agent.Agent|info|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Running: agentengine.exe 270F1510-06D8-102A-A774-E27442632DD1 -port 1180||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|start|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Locked: agent-270F1510-06D8-102A-A774-E27442632DD1.lck||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|lock|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|Started agent: T1_MSFT_SQLS_8xxx_ODBC_Wv520||||esecurity.ccs.comp.agentmanager.agent.Agent|info|
Thu Jun 28 16:05:29 CEST 2007|Thread-151|INFO|Updated agent T1_MSFT_SQLS_8xxx_ODBC_Wv520 (270F1510-06D8-102A-A774-E27442632DD1).||||esecurity.ccs.comp.agentmanager.AgentManager$CollectorDataObjectListener|onNotification|
Thu Jun 28 16:05:29 CEST 2007|Thread-155|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Firing status change event: Stopped -> Starting||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
Thu Jun 28 16:05:29 CEST 2007|Thread-156|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Firing status change event: Starting -> Running||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
Thu Jun 28 16:05:31 CEST 2007|Timer-11|INFO|Sent 4 events in 4 batches on channel ewizard_binary_event over 324sec, averaging 0eps and 1events/batch||||esecurity.ccs.comp.router.EventRouter|reportBatchStats|
Thu Jun 28 16:05:31 CEST 2007|Timer-11|INFO|Sent a total of 4 events in 4 batches over 324sec, averaging 0eps and 1events/batch||||esecurity.ccs.comp.router.EventRouter|reportBatchStats|
Thu Jun 28 16:05:31 CEST 2007|ReactorService|INFO|TCPSockConnectionHandler connection opened.||||com.esecurity.common.communication.strategy.tcpsockstrategy.TCPSockConnectionHandler|open|
Thu Jun 28 16:05:31 CEST 2007|ReactorService|INFO|TCPSockConnectionHandler register.||||com.esecurity.common.communication.strategy.tcpsockstrategy.TCPSockConnectionHandler|open|
Thu Jun 28 16:05:31 CEST 2007|ReactorService|INFO|New connection from peer: /127.0.0.1:1413||||com.esecurity.common.communication.strategy.tcpsockstrategy.TCPSockAcceptor|handleInput|
Thu Jun 28 16:05:31 CEST 2007|ENGINE_CONNECTION_SERVER|INFO|New agent engine connection detected.||||esecurity.ccs.comp.proxycollector.common.ProxyManager$EngineConnectionServer|run|
Thu Jun 28 16:05:32 CEST 2007|ENGINE_CONNECTION_SERVER|INFO|EngineConnector created for port 270F1510-06D8-102A-A774-E27442632DD1||||esecurity.ccs.comp.proxycollector.common.EngineConnector|<init>|
Thu Jun 28 16:05:32 CEST 2007|ENGINE_CONNECTION_SERVER|INFO|Registering engine connector 270F1510-06D8-102A-A774-E27442632DD1 with collector 270F1510-06D8-102A-A774-E27442632DD1||||esecurity.ccs.comp.proxycollector.common.ProxyManager|registerEngineConnector|
Thu Jun 28 16:05:40 CEST 2007|ENGINE_CONNECTOR 270F1510-06D8-102A-A774-E27442632DD1 Thread|INFO|Unregistering engine connector 270F1510-06D8-102A-A774-E27442632DD1 from collector 270F1510-06D8-102A-A774-E27442632DD1||||esecurity.ccs.comp.proxycollector.common.ProxyManager|unregisterEngineConnector|
Thu Jun 28 16:05:40 CEST 2007|ENGINE_CONNECTOR 270F1510-06D8-102A-A774-E27442632DD1 Thread|INFO|Closing engine connector 270F1510-06D8-102A-A774-E27442632DD1 connections.||||esecurity.ccs.comp.proxycollector.common.EngineConnector|close|
Thu Jun 28 16:05:40 CEST 2007|ENGINE_CONNECTOR 270F1510-06D8-102A-A774-E27442632DD1 Thread|INFO|Engine connector 270F1510-06D8-102A-A774-E27442632DD1 connections closed.||||esecurity.ccs.comp.proxycollector.common.EngineConnector|close|
Thu Jun 28 16:05:40 CEST 2007|ReactorService|INFO|Connection closed.||||com.esecurity.common.communication.strategy.tcpsockstrategy.TCPSockConnectionHandler|handleClose|
Thu Jun 28 16:05:40 CEST 2007|ReactorService|INFO|Key was canceled. This is normal when connection is closed expectedly.||||com.esecurity.common.communication.strategy.tcpsockstrategy.Reactor|runReactorEventLoop|
Thu Jun 28 16:05:40 CEST 2007|ProcessExitMonitor[T1_MSFT_SQLS_8xxx_ODBC_Wv520]|INFO|'T1_MSFT_SQLS_8xxx_ODBC_Wv520' process exited||||esecurity.ccs.comp.agentmanager.agent.AgentProcess$ProcessExitMonitor|run|
Thu Jun 28 16:05:40 CEST 2007|ProcessExitMonitor[T1_MSFT_SQLS_8xxx_ODBC_Wv520]|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Unlocked: agent-270F1510-06D8-102A-A774-E27442632DD1.lck||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|unlock|
Thu Jun 28 16:05:40 CEST 2007|ProcessExitMonitor[T1_MSFT_SQLS_8xxx_ODBC_Wv520]|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Removed: agent-270F1510-06D8-102A-A774-E27442632DD1.lck||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|unlock|
Thu Jun 28 16:05:40 CEST 2007|Thread-157|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Firing status change event: Running -> Stopping||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
Thu Jun 28 16:05:40 CEST 2007|Thread-158|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Firing status change event: Stopping -> Stopped||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
Thu Jun 28 16:17:09 CEST 2007|Thread-80|INFO|Total 6 persistent maps with 0KB in 2 entries; total of 0 fetched and 0 saved||||esecurity.ccs.comp.transform.PersistentMapManager|report|
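Added example, not part of the original post and not Sentinel code: a small triage script for the pipe-delimited collector_mgr log shown above. It rejoins hard-wrapped entries and reports how long each collector stayed in the Running state. The function names `parse_entries` and `short_runs` and the 60-second threshold are assumptions made for this example; the sample reuses three entries from the post.

```python
import re
from datetime import datetime

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
STATUS = re.compile(r"^(\S+): Firing status change event: (\w+) -> (\w+)$")

# Constructed sample: three entries from the post, two left hard-wrapped.
SAMPLE = """\
Thu Jun 28 16:05:29 CEST 2007|Thread-155|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520:
Firing status change event: Stopped ->
Starting||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
Thu Jun 28 16:05:29 CEST 2007|Thread-156|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Firing status change event: Starting -> Running||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
Thu Jun 28 16:05:40 CEST
2007|Thread-157|INFO|T1_MSFT_SQLS_8xxx_ODBC_Wv520: Firing status change event: Running -> Stopping||||esecurity.ccs.comp.agentmanager.agent.AgentProcess|fireStatusChange|
"""

def parse_entries(text):
    """Rejoin hard-wrapped lines, then split each entry on '|'."""
    joined = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            joined.append(line.strip())
        elif joined:
            joined[-1] += " " + line.strip()
    entries = []
    for raw in joined:
        f = raw.split("|")
        if len(f) >= 4:
            # Drop the zone name (CEST): strptime's %Z does not parse it portably.
            stamp = re.sub(r" [A-Z]{2,5} (?=\d{4}$)", " ", f[0])
            ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            entries.append((ts, f[1], f[2], f[3].strip()))
    return entries

def short_runs(entries, max_seconds=60):
    """Return (agent, seconds) for each Running phase under max_seconds."""
    started, hits = {}, []
    for ts, _thread, _level, msg in entries:
        m = STATUS.match(msg)
        if not m:
            continue
        agent, old, new = m.groups()
        if new == "Running":
            started[agent] = ts
        elif old == "Running" and agent in started:
            secs = (ts - started.pop(agent)).total_seconds()
            if secs < max_seconds:
                hits.append((agent, secs))
    return hits
```

Calling `short_runs(parse_entries(text))` on the full log text lists every collector that left Running within the threshold, which narrows the window to search in the other component logs.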