This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-07-27 06:47 AM

MS SQL 2008 logging through Windows Security Event Log

Hi,

 

Is anyone able to parse the MS SQL 2008 logging, after collected with agentless collection from the Windows Server 2008 Security Event Log? It seems to me that the logformat isn't the format in both the winevent_nic XML and the mssql XML.

 

Regards,

Rudi

 

0 Likes
Reply
3 Replies
RSAAdmin
Beginner
Beginner
‎2011-04-19 04:23 PM

Hoping to bump this item -- it doesn't appear from the RSA Device Configuration documentation that the Windows Security log is supported for SQL 2008 audit events. We going to be implementing 4.0 very soon.

 

Is support for SQL Audit in the Event log on the roadmap?  It sure would be nice to have a single way of collecting audit information for SQL Server.  Plus it could open up the ability to use Snare or another Windows syslog tool to send logs to enVision.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-04-10 12:17 PM

I have been working on this and using the document from the RSA Downloads area (RSA enVision Event Source Microsoft SQL Server Configuration Instructions and Release Notes Last Modified: Thursday, January 05, 2012) I have configured the device and can see the events being pulled into envision using the NIC service and can query them via the event viewer carrying the 33205 ID, but I am not able to return any results using the accurate query for message ID "LIKE=%33205". I have been working with the support folks and have yet to resolve the issue. I will circle back to share my results when resolved as this may help others. Just to be sure I am clear, this is to collect Windows Events from the Security log written by SQL on a 2008R2 server. --Chad
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2012-04-18 02:51 PM

Chad,

 

You cannot identfy these messages by messageid like =%33205'. Because messageid doesnt contain eventid. For these messages, messageid is description of action_id. You can find descriptions by querying sys.dm_audit_actions on any MSSQL 2K8 server.

 

So for msg with action_id : SL then messageid will be 'SELECT' and 'SL' is stored in id variable in Database table.

 

 

Lalit

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.