MS SQL 2008 logging through Windows Security Event Log
Is anyone able to parse the MS SQL 2008 logging, after it is collected with agentless collection from the Windows Server 2008 Security Event Log? It seems to me that the log format isn't the format in either the winevent_nic XML or the mssql XML.
Hoping to bump this item -- it doesn't appear from the RSA Device Configuration documentation that the Windows Security log is supported for SQL 2008 audit events. We are going to be implementing 4.0 very soon.
Is support for SQL Audit in the Event log on the roadmap? It sure would be nice to have a single way of collecting audit information for SQL Server. Plus it could open up the ability to use Snare or another Windows syslog tool to send logs to enVision.
You cannot identify these messages by messageid like =%33205'. Because messageid doesn't contain the eventid. For these messages, messageid is the description of action_id. You can find the descriptions by querying sys.dm_audit_actions on any MSSQL 2K8 server.
So for a msg with action_id SL, the messageid will be 'SELECT', and 'SL' is stored in the id variable in the Database table.
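The mapping step the last reply describes (action_id code in the event, action name as the messageid, looked up from sys.dm_audit_actions), shown as an added Python example that is not part of this thread or of any RSA parser. It assumes the SQL Server Audit event (id 33205) description arrives as one key:value field per line with an "Audit event:" prefix, and the two sample descriptions are constructed, not captured from a real server. The action_id table embedded here is a small subset of what the DMV returns; the full table would be pulled from a server with the query kept in DM_AUDIT_ACTIONS_QUERY.

```python
# Constructed subset of the action_id -> name rows that sys.dm_audit_actions
# returns on a SQL Server 2008 instance. The seven entries are real codes; the
# complete map is an assumption and should be refreshed with the query below.
DM_AUDIT_ACTIONS_QUERY = "SELECT DISTINCT action_id, name FROM sys.dm_audit_actions"
AUDIT_ACTIONS = {
    "SL": "SELECT",
    "IN": "INSERT",
    "UP": "UPDATE",
    "DL": "DELETE",
    "LGIS": "LOGIN SUCCEEDED",
    "LGIF": "LOGIN FAILED",
    "AUSC": "AUDIT SESSION CHANGED",
}


def parse_audit_event(description):
    """Split the description of event id 33205 into a dict of its key:value
    fields. Assumed layout: one 'key:value' per line, first line prefixed with
    'Audit event: '. Only the first ':' separates key from value, so a
    'statement' field that itself contains colons survives intact."""
    fields = {}
    for raw in description.splitlines():
        line = raw.strip()
        if line.startswith("Audit event:"):
            line = line[len("Audit event:"):].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def message_id_for(fields, action_map=AUDIT_ACTIONS):
    """Return the messageid (the action name) for a parsed event. An action_id
    missing from the map is returned as UNKNOWN(<id>) so that a gap in the
    lookup table is visible in the output rather than silently dropping the
    event, which is the failure mode a stale map would otherwise produce."""
    action_id = fields.get("action_id", "")
    return action_map.get(action_id, "UNKNOWN(%s)" % action_id)


def normalize(description, action_map=AUDIT_ACTIONS):
    """Parse one event description and return the fields a collector would keep."""
    fields = parse_audit_event(description)
    return {
        "messageid": message_id_for(fields, action_map),
        "action_id": fields.get("action_id"),
        "succeeded": fields.get("succeeded") == "true",
        "server_principal_name": fields.get("server_principal_name"),
        "database_name": fields.get("database_name"),
        "statement": fields.get("statement"),
    }


# Constructed sample descriptions (not captured from a real server).
SAMPLE_SELECT = """Audit event: event_time:2012-03-01 10:15:42.1234567
sequence_number:1
action_id:SL
succeeded:true
session_id:55
server_principal_name:CONTOSO\\alice
database_name:Payroll
statement:SELECT name, salary FROM dbo.Employees WHERE dept = 'HR: East'
"""

SAMPLE_UNKNOWN = """Audit event: event_time:2012-03-01 10:16:00.0000000
sequence_number:2
action_id:ZZZZ
succeeded:false
server_principal_name:CONTOSO\\bob
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SELECT, SAMPLE_UNKNOWN):
        print(normalize(sample))
```

The two-character codes are the "id variable" the reply mentions; keeping them alongside the resolved name lets a collector match on either, and the UNKNOWN(...) marker is what tells you the embedded map has fallen behind the server's sys.dm_audit_actions.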