Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Bechara
Vice Admiral
Vice Admiral
‎2014-05-06 20:56
917 views

SQL trace file

Why should we wait for the trace file to be 1MB of size in order to be processed by the smart connector?  this makes logs coming from SQL are not live events.

Is there any option that can be changed to make the smart connector process the trace file directly?

Labels (2)
Labels
0 Likes
Reply
Report Inappropriate Content
8 Replies
osunjio1
Absent Member.
Absent Member.
‎2015-01-27 18:48

Please can you direct me to where this is documented ( trace file been 1MB ). I have similar issue where my DBA set trace file to 200MB                  and have been begging them to reduce it , maybe that will work.

Thanks.

0 Likes
Reply
Report Inappropriate Content
arturp1
Lieutenant Commander Lieutenant Commander
Lieutenant Commander
‎2015-01-27 20:17

Are you talking about sql server? why don't you use multidb flexconnector to extract events quering the db?

0 Likes
Reply
Report Inappropriate Content
pratikinamdar
Absent Member.
Absent Member.
‎2015-06-01 22:37

Hi,

Is your question satisfactorily answered?

Thanks,

Pratik

0 Likes
Reply
Report Inappropriate Content
sandeepu
Absent Member.
Absent Member.
‎2016-03-31 08:24

Hi Everyone,

We have the same kind of problem. Is there any way to reduce the file size with in 1 MB.

Reason to decrease the file size is, some DB's will generate very few logs, if we wait for the file to become 1MB, is is taking 3-4 days. We need to decrease this file reading size.

Please suggest.

Thanks,

Sandeep

0 Likes
Reply
Report Inappropriate Content
sandeepu
Absent Member.
Absent Member.
‎2016-04-11 10:43

Dears,

Does anyone have solution for this.

Thanks,

Sandeep N

0 Likes
Reply
Report Inappropriate Content
olin9
Absent Member.
Absent Member.
‎2016-08-15 19:28

You cannot do live collection with trace files that are locked by the database.

The Arcsight connector uses the share location to try and rename the trace file to determine if the file is lock by the database. If the file can be renamed the connector marks the file as readable.

Readable files are then collected via the OBDC and then renamed or deleted based on your settings.

The logs would only be behind based on the amount of time they are locked. The default is 1 hour or until they hit your max setting, which sound like you have it at 1 MB.

If you have 2005 and up SQL server you may be able to send the logs to Windows event log instead of trace files. then you would be able to read logs in real time.

Hope this helps,

Rob

0 Likes
Reply
Report Inappropriate Content
infosec_pro
Cadet 3rd Class
Cadet 3rd Class
‎2016-09-21 07:23

Hi Rob,

How would you send the logs as a Windows event instead of trace files?

Thank you.

0 Likes
Reply
Report Inappropriate Content
Lar
Admiral
Admiral
‎2016-09-21 07:35

Hello Vincent,

You might consider the following option:

https://www.protect724.hpe.com/docs/12162

This setup requires this connector ->

It uses a Microsoft API in conjunction with the event manager. There are a few caveats for its use, it needs to be installed in a Windows 64 bit OS which has .net frame work installed.

The first link is a supplement to the sent link provided. Best to start with 2nd link to check further requirements and configurations.

Hope this helps

Lar

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.