PostgreSQL Events connector for Microsoft Sentinel

The PostgreSQL data connector provides the capability to ingest PostgreSQL server log events into Microsoft Sentinel. Refer to the PostgreSQL documentation for more information.

Connector attributes

Connector attribute              Description
Kusto function alias             PostgreSQLEvent
Kusto function url               https://aka.ms/sentinel-postgresql-parser
Log Analytics table(s)           PostgreSQL_CL
Data collection rules support    Not currently supported
Supported by                     Microsoft Corporation

Query samples

PostgreSQL errors

PostgreSQLEvent
| where EventSeverity in~ ('ERROR', 'FATAL')
| sort by EventEndTime

Vendor installation instructions

Note

This data connector depends on a PostgreSQL parser based on a Kusto function to work as expected. The parser is installed along with the solution.

  1. Install and onboard the agent for Linux or Windows

Install the agent on the PostgreSQL server where the logs are generated.

Logs from PostgreSQL Server deployed on Linux or Windows servers are collected by Linux or Windows agents.

  2. Configure PostgreSQL to write logs to files

Edit the postgresql.conf file so that the server writes its logs to files:

log_destination = 'stderr'
logging_collector = on

Set the log_directory and log_filename parameters as well. Refer to the PostgreSQL documentation for more details.

  3. Configure the logs to be collected

Configure the custom log directory to be collected:

  1. Select the link above to open your workspace advanced settings
  2. From the left pane, select Settings, select Custom Logs and click +Add custom log
  3. Click Browse to upload a sample of a PostgreSQL log file. Then, click Next >
  4. Select Timestamp as the record delimiter and click Next >
  5. Select Windows or Linux and enter the path to PostgreSQL logs based on your configuration (e.g. for some Linux distros the default path is /var/log/postgresql/)
  6. After entering the path, click the '+' symbol to apply, then click Next >
  7. Add PostgreSQL as the custom log Name (the '_CL' suffix will be added automatically) and click Done.
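The following Python script is an added example (not part of this connector or the Sentinel solution) that shows why Timestamp is the right record delimiter for the logging_collector output configured above, and reproduces the ERROR/FATAL filter of the query sample locally so you can sanity-check a sample log file before uploading it. It assumes the default log_line_prefix ('%m [%p] ') and uses a constructed sample log.

```python
import re
from collections import Counter

# With PostgreSQL's default log_line_prefix ('%m [%p] ') every line the logging
# collector writes starts with a timestamp, e.g.
#   2024-01-15 10:24:02.337 UTC [4330] FATAL:  password authentication failed ...
# Only the continuation lines of a multi-line statement lack the prefix (they
# are tab-indented), which is why "Timestamp" works as the record delimiter.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \S+) "
    r"\[(?P<pid>\d+)\] (?P<level>[A-Z]+\d?):\s+(?P<msg>.*)",
    re.DOTALL,
)

# Constructed sample log; not captured from a real server.
SAMPLE_LOG = """\
2024-01-15 10:23:45.101 UTC [4321] LOG:  database system is ready to accept connections
2024-01-15 10:24:02.337 UTC [4330] FATAL:  password authentication failed for user "app"
2024-01-15 10:24:02.337 UTC [4330] DETAIL:  Connection matched pg_hba.conf line 5: "host all all 0.0.0.0/0 md5"
2024-01-15 10:25:10.004 UTC [4335] ERROR:  relation "orders" does not exist at character 15
2024-01-15 10:25:10.004 UTC [4335] STATEMENT:  select * from orders
\twhere id = 1;
2024-01-15 10:26:00.500 UTC [4340] LOG:  checkpoint starting: time
"""


def split_records(text):
    """Split a log into records, starting a new one at each timestamp-prefixed line."""
    records = []
    for line in text.splitlines():
        if LINE_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line  # continuation line of a multi-line statement
    return records


def parse_record(record):
    """Return the prefix fields (ts, pid, level, msg) of one record, or None."""
    m = LINE_RE.match(record)
    return m.groupdict() if m else None


def error_records(text):
    """Local equivalent of the KQL sample: keep only ERROR and FATAL records."""
    parsed = (parse_record(r) for r in split_records(text))
    return [p for p in parsed if p and p["level"] in ("ERROR", "FATAL")]


def count_by_level(text):
    """Histogram of record levels, useful for checking a sample file before upload."""
    return Counter(p["level"] for p in map(parse_record, split_records(text)) if p)
```

Note that DETAIL and STATEMENT lines carry their own prefix and therefore become separate records; correlate them with the preceding ERROR/FATAL record by timestamp and pid.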

Validate connectivity

It may take upwards of 20 minutes until your logs start to appear in Microsoft Sentinel.

Next steps

For more information, go to the related solution in the Azure Marketplace.