By default, events are written to CanaryEvents.sqlite located in C:\ProgramData\Canary Labs\Events. This article explains how to instead write events to an external SQL database.
Create the file CanaryEvents.exe.admin in the same directory as CanaryEvents.exe. By default, this is C:\Program Files\Canary\Events if using v20.2 or later. Previous versions are located in C:\Program Files\Canary Labs\Canary Admin.
<SQLServer> - specifies the name of the server where the SQL server resides. If the SQL server is local to the Canary Events service, a period can be used in place of "machineName".
<Database> - the name of the database to be created in the SQL server that will store the events.
<User> & <Pwd> - the account credentials used to create and write events to the SQL server. By default, the Canary Events service runs under the Local System account. If the events service is configured to run under another service account which has permissions to the SQL server, these credentials are not required.
Once the file is configured, restart the Canary Events service. The tables are created automatically as long as the account has the correct permissions and should look like this:
If the user account does not have permissions to create the tables in the database, the attached scripts can be used to create them.
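When <User> and <Pwd> are set, the SQL credentials sit in a file under Program Files, so it is worth checking who can read that file once it is configured. The PowerShell below is an added example, not part of the original article or of Canary's tooling; it assumes the elements appear as literal tags in the file and checks the two default paths given above.

```powershell
# Added example (not vendor code): audit CanaryEvents.exe.admin for an
# embedded SQL password and for read access granted to broad groups.
$candidates = @(   # default locations named in the article
    'C:\Program Files\Canary\Events\CanaryEvents.exe.admin',
    'C:\Program Files\Canary Labs\Canary Admin\CanaryEvents.exe.admin'
)
# Well-known SIDs (locale-independent) that should not read a stored password.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Assumption: <Pwd> appears as a literal element tag, as the article names it.
    # Only the presence of a non-empty value is reported, never the value itself.
    $text   = Get-Content -LiteralPath $path -Raw
    $hasPwd = $text -match '<Pwd>\s*[^<\s][^<]*</Pwd>'

    # Explicit and inherited rules, with identities returned as SIDs.
    $rules   = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
    $exposed = foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($r.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            (([int]$r.FileSystemRights -band $readData) -ne 0)) {
            $broadSids[$sid]
        }
    }

    if ($hasPwd -and $exposed) { $finding = 'Password readable by non-admin users' }
    elseif ($hasPwd)           { $finding = 'Password stored in file' }
    else                       { $finding = 'No stored password' }

    [pscustomobject]@{
        Path           = $path
        PasswordInFile = $hasPwd
        BroadReaders   = ($exposed | Sort-Object -Unique) -join ', '
        Finding        = $finding
    }
}
```

Files under Program Files normally inherit read access for BUILTIN\Users, so a stored password is often readable by any local user unless the file's ACL is tightened. Running the Canary Events service under an account that already has permissions to the SQL server, as described above, removes the need to store the credentials at all.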