Hello guys,
I'm working on monitoring our MSSQL error logs and running into a probably simple issue, but I'm stumped.
I'm searching for something like this:
sourcetype=mssql:errorlog error_id=17806
Which returns this:
2016-10-03 14:30:37.77 Logon Error: 17806, Severity: 20, State: 14.
However there is one event just above it that looks like this:
2016-10-03 14:30:37.77 Logon SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the
Which gives us the error message. Notice the time stamp of "2016-10-03 14:30:37.77".
So I came up with this:
sourcetype=mssql:errorlog | eval event_time=strftime(_time,"%F %H:%M:%S.%2N") | search [ search sourcetype=mssql:errorlog error_id=17806 | eval event_time=_time | convert timeformat="%F %H:%M:%S.%2N" ctime(event_time) | fields event_time]
Logic here is we do a sub search for the _time value against all events. Which works, but now we are getting:
2016-10-03 14:30:37.77 Logon Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 192.168.112.94]
2016-10-03 14:30:37.77 Logon Error: 18452, Severity: 14, State: 1.
2016-10-03 14:30:37.77 Logon SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 192.168.112.94]
2016-10-03 14:30:37.77 Logon Error: 17806, Severity: 20, State: 14.
Which returns additional events with the time stamp "2016-10-03 14:30:37.77". How else might we achieve this, to accurately match the single error_id with the prior event without returning additional events at the same time?
Thanks
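Added example (not code from the original post, and not a Splunk search): the pairing logic worked through in Python over a constructed ERRORLOG excerpt. SQL Server writes the "Error: N, Severity: S, State: T." record and then the descriptive message as the very next line, so the two are tied together by adjacency in the log rather than by timestamp equality; with 10 ms resolution several unrelated pairs can share one stamp, which is exactly why a subsearch on _time over-matches. The first four sample lines mirror the events in the post; the last two are an additional constructed pair at a later time and the client address 10.0.0.25 is made up. In Splunk the same idea means ordering events and carrying the previous event's fields forward (for example with streamstats) instead of matching on _time.

```python
import re
from typing import Optional

# Constructed MSSQL ERRORLOG excerpt in file (chronological) order. Splunk's
# newest-first listing shows each descriptive message "just above" its Error
# record. Lines 1-4 mirror the post; lines 5-6 are an extra constructed pair.
SAMPLE_ERRORLOG = """\
2016-10-03 14:30:37.77 Logon       Error: 17806, Severity: 20, State: 14.
2016-10-03 14:30:37.77 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 192.168.112.94]
2016-10-03 14:30:37.77 Logon       Error: 18452, Severity: 14, State: 1.
2016-10-03 14:30:37.77 Logon       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 192.168.112.94]
2016-10-03 14:35:12.03 Logon       Error: 17806, Severity: 20, State: 14.
2016-10-03 14:35:12.03 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 10.0.0.25]
"""

# One ERRORLOG line: timestamp, source column (Logon, spidNN, ...), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<source>\S+)\s+(?P<msg>.*)$"
)
# The structured record that precedes every descriptive message.
ERROR_RE = re.compile(
    r"^Error: (?P<error_id>\d+), Severity: (?P<severity>\d+), State: (?P<state>\d+)\.$"
)
CLIENT_RE = re.compile(r"\[CLIENT: (?P<client>[^\]]+)\]")


def parse_errorlog(text: str) -> list:
    """Split an ERRORLOG excerpt into events, preserving file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip banner/continuation lines that carry no timestamp
            events.append(m.groupdict())
    return events


def events_at_time(text: str, ts: str) -> list:
    """What a timestamp-only subsearch returns: every event sharing the stamp."""
    return [ev for ev in parse_errorlog(text) if ev["ts"] == ts]


def pair_errors(text: str, error_id: Optional[int] = None) -> list:
    """Pair each Error record with the message logged immediately after it.

    Adjacency in the log, not timestamp equality, ties the two together.
    """
    events = parse_errorlog(text)
    pairs = []
    for i, ev in enumerate(events):
        em = ERROR_RE.match(ev["msg"])
        if not em or (error_id is not None and int(em["error_id"]) != error_id):
            continue
        nxt = events[i + 1] if i + 1 < len(events) else None
        # The message belongs to this error only if it directly follows it,
        # comes from the same source column and is not itself an Error record.
        if nxt and nxt["source"] == ev["source"] and not ERROR_RE.match(nxt["msg"]):
            message = nxt["msg"]
            cm = CLIENT_RE.search(message)
        else:
            message, cm = None, None
        pairs.append({
            "time": ev["ts"],
            "error_id": int(em["error_id"]),
            "severity": int(em["severity"]),
            "state": int(em["state"]),
            "message": message,
            "client": cm["client"] if cm else None,
        })
    return pairs


if __name__ == "__main__":
    shared = events_at_time(SAMPLE_ERRORLOG, "2016-10-03 14:30:37.77")
    print(len(shared), "events share the first timestamp (timestamp-only match)")
    for p in pair_errors(SAMPLE_ERRORLOG, 17806):
        print(p["time"], p["error_id"], p["client"], "-", (p["message"] or "")[:40])
```

Running the block shows four events sharing the 14:30:37.77 stamp (the over-match from the post) but only two 17806 pairs, each carrying its own SSPI message and client address; the same-source and not-another-Error guards keep a stray Error record at the end of a log from being paired with whatever happens to follow it.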