Collecting Events from Databases and Database-Reliant Applications
There are lots of applications we don't support out of the box that use an ODBC database as a back end for logging. This doesn't mean you can't collect those logs in enVision.
You can use enVision's Universal Device Collection (UDC) capability to pull in the logs.
The ODBC configuration is fairly standard, but there can be a lot of nuances. ODBC collection involves "pulling" information out of the remote database using a query that will need to be configured in the Manage ODBC Device Types interface in enVision.
At a high-level, the basic configuration procedure is:
- Install and/or configure the necessary ODBC driver for the operating system on the enVision collector
- Create an ODBC Device Type in enVision (including a query)
- Manage an ODBC Connection in enVision
See the attached slide deck for more information.
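The three steps above amount to an incremental "pull" from a log table: the collector keeps track of where it left off and asks the database only for rows it has not seen. The following is an added example, not enVision's own code or anything from the slide deck. It uses Python's built-in sqlite3 as a stand-in for an ODBC data source (the table name app_log, its columns, and the sample rows are all constructed for illustration), and shows the shape of a watermark-based collection query and the poller around it. In production the collection account would hold SELECT only on the log table; that is an assumption about deployment, not something this example enforces.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows standing in for an application's log table.
# Columns: id, event_time, username, action, detail
SAMPLE_ROWS = [
    (1, "2009-03-01 10:00:00", "svc_app", "LOGIN", "pool connection opened"),
    (2, "2009-03-01 10:00:05", "svc_app", "SELECT", "orders table read"),
    (3, "2009-03-01 10:01:00", "jsmith", "UPDATE", "changed price on item 42"),
]

# The collection query. A monotonic key (here the integer id) is the
# watermark: only rows past the last collected id are returned, oldest first,
# and the batch is bounded so a backlog cannot flood the collector.
PULL_QUERY = (
    "SELECT id, event_time, username, action, detail "
    "FROM app_log WHERE id > ? ORDER BY id ASC LIMIT ?"
)


def open_source() -> sqlite3.Connection:
    """Create an in-memory table that plays the role of the remote ODBC source."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_log ("
        "id INTEGER PRIMARY KEY, event_time TEXT, username TEXT, "
        "action TEXT, detail TEXT)"
    )
    conn.executemany("INSERT INTO app_log VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def append_event(conn: sqlite3.Connection, row: Tuple) -> None:
    """Simulate the application writing one more log row after collection started."""
    conn.execute("INSERT INTO app_log VALUES (?, ?, ?, ?, ?)", row)
    conn.commit()


def format_event(row: Tuple) -> str:
    """Flatten one row into a single key=value line, the form a SIEM parser expects."""
    row_id, event_time, username, action, detail = row
    return f"{event_time} app_log id={row_id} user={username} action={action} detail={detail}"


class OdbcPoller:
    """Pulls new rows on each poll and advances the watermark only on success."""

    def __init__(self, conn: sqlite3.Connection, watermark: int = 0, batch_size: int = 1000):
        self.conn = conn
        self.watermark = watermark      # last id already collected
        self.batch_size = batch_size

    def poll(self) -> List[str]:
        # Parameterised query: the watermark and batch size are bound values,
        # never concatenated into the SQL text.
        rows = self.conn.execute(PULL_QUERY, (self.watermark, self.batch_size)).fetchall()
        if rows:
            # Advance only after the rows are in hand, so a failed fetch is retried.
            self.watermark = rows[-1][0]
        return [format_event(r) for r in rows]


def last_event_id(conn: sqlite3.Connection) -> Optional[int]:
    """Highest id currently in the source table (useful for gap checks)."""
    return conn.execute("SELECT MAX(id) FROM app_log").fetchone()[0]


if __name__ == "__main__":
    source = open_source()
    poller = OdbcPoller(source, batch_size=2)
    for line in poller.poll():      # first two rows
        print(line)
    for line in poller.poll():      # third row
        print(line)
    print("watermark:", poller.watermark, "source max id:", last_event_id(source))
```

The two nuances the example makes visible are the watermark column and the batch limit. A timestamp column works as a watermark only if it is guaranteed unique and monotonic; an auto-incrementing id is the safer choice when the table has one. If the source is purged (rows deleted) while the watermark is stored on the collector, the watermark still works, since it only ever moves forward.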
No - our MSSQL device configuration is a special case in that regard.
You do not need to define a trace script for a generic ODBC database extraction.
This holds true for data extractions from other tables built into an MSSQL - no special script necessary.
This is most helpful since my organization will be pressing into database event collection in 2009. Thank you for posting this information.
Are there any nuances that are specific to Oracle or SQL that are things we should avoid or are best practices when configuring the UDS?
IMHO collecting DB logs to any SIEM directly is useless. Those audit logs do not usually provide useful audit information since they do not provide information about the actual user who is accessing that data (modern applications use generic accounts and connection pools to receive data from the DB).
Moreover, DBAs and SAs are usually reluctant to turn on auditing on production servers, since DB auditing is extremely resource hungry.
I would recommend using a specialized database activity monitoring solution (there are some on the market) and then forwarding some of the collected data to the SIEM. They are much more powerful than audit logs and can provide you with information about application users.
You can also save some money on EPS when you use DAM instead of fine-grained auditing.
I'm starting to lean towards the same conclusion you have, gstefan, but it would be nice to hear how everyone else is handling the DB-audit problem. Collecting connection-pooling accounts doing a lot of things does not provide very much value. From our perspective, the interesting things are the things a DBA or other people having accounts in the database are doing. We are looking at some products at the moment, but have not decided upon anything yet. Anybody having any experience within this area, and especially integrating this with enVision?
Thanks in advance,
I have experience with the Guardium product. We planned to integrate it with enVision and we did it through CSV files for audit data and syslog for alarms. Finally the customer did not decide to integrate reporting, since Guardium's reporting is really robust. Alarms and incident management were also not important for them.
This product is capable of monitoring local sessions like DBQ, shared memory etc. for all major DBs and platforms, even for MySQL or DB2 on mainframes. If you want some more information please contact me privately.
I tried to add a MSSQL 2000 device yesterday and it hasn't shown up yet. I created the ODBC Type and Manage ODBC section, as well as installed the SFTP agent. Also executed the SQL2000 script on the SQL server. Not sure if the data query is correct in the ODBC Type. I went with the generic info from the pre-created MSSQL type.
Also, does it have to run against the Master database?