Set up MSSQL 2005, need help.
Hi, I have a problem and I need help from the community, because support told me "I am afraid this is not something that support can do in detail for you, you will have to get on envision training for this."
But that is impossible, and no one ever gets money to study enVision.
Now I will try to describe my issue:
I am trying, together with the SQL guys, to set up the ability to get events from MSSQL 2005.
We chose an ODBC connection for collecting events; he set up MSSQL and I set up enVision following the manual.
But now I see in enVision in real time something like this:
7 2012/07/17 08:59:06.648 CEST 126.96.36.199 %MSSQL-17: 17||(null)||audit_reader||57||2012-07-17 08:58:51.790||(null)||1||(null)||(null)||(null)||2656||(null)||(null)||(null)||(null)||(null)||(null)||(null)||(null)||(null)||(null)||(null)||(null)||4096||GBW04091\NIF||(null)||(null)||(null)||(null)||(null)||(null)||master||(null)||(null)||(null)||(null)||(null)||D504ECC60C2E824B9A0AC3DFB798B5C8||(null)||(null)||(null)||2000002838F4010000000000||-- network protocol: TCP/IP set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed
All messages are colored red, and they have many "null" records, and of course the database table is clear.
I know that mssql.xml exists, but I don't understand how it works. The RSA enVision manuals don't describe the mechanism that deeply.
It would be great if someone shared their experience with me.
We also have this same issue, on SQL Server 2000, 2005, and 2008. The entries are all red, mostly nulls, and don't seem to have any actual useful data in them. Support was also clear that as long as it was pulling something, their job was done. Anyone else out there have MSSQL logging working, pulling useful events (permission changes/watching specific tables for changes, etc)?
The reason you are seeing fields with a NULL value is because not all fields in the table will be populated with data depending on the information (log messages) collected.
The types of messages that are being collected are specified by the sqlserveraudit2005.sql file that was applied to the SQL server. That file includes nearly every database auditing type of message in its specifications and therefore a lot of the messages may not be useful at all. A SQL administrator should be able to evaluate the fields that are specified in the sqlserveraudit2005.sql file and comment out all message types that are not required. This method will also be helpful in reducing the amount of EPS from your SQL devices to enVision.
I'm sorry I can answer for why the events are appearing in red in the analysis window, but I hope the information listed above helps.
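To support the review suggested in the reply above, here is an added example (not from any poster in this thread and not RSA code) that tallies collected events per `%MSSQL-<id>` and shows which `||`-separated field positions ever carry data. The sample lines are constructed, the function names are hypothetical, and fields are reported by position only because the column names live in the audit script, which is not shown here.

```python
import re
from collections import Counter

# Constructed sample lines in the layout quoted in the thread (shortened to 7
# fields; addresses, logins and message id 14 are made up for illustration).
SAMPLE = [
    "1 2012/07/17 08:59:06.648 CEST 192.0.2.10 %MSSQL-17: 17||(null)||audit_reader||57||(null)||master||-- network protocol: TCP/IP",
    "2 2012/07/17 08:59:07.100 CEST 192.0.2.10 %MSSQL-17: 17||(null)||audit_reader||58||(null)||master||-- network protocol: TCP/IP",
    "3 2012/07/17 08:59:09.312 CEST 192.0.2.10 %MSSQL-14: 14||(null)||app_user||61||(null)||(null)||(null)",
    "this line is not an MSSQL event",
]

# <n> <date> <time> <tz> <source> %MSSQL-<id>: <field>||<field>||...
HEADER = re.compile(
    r"^\d+ (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>\S+) "
    r"(?P<source>\S+) %MSSQL-(?P<msg_id>\d+): (?P<payload>.*)$"
)

def parse_event(line):
    """Return message id, source and the populated field positions, or None."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields = m.group("payload").split("||")
    populated = {i: v for i, v in enumerate(fields) if v.strip() not in ("", "(null)")}
    return {"msg_id": int(m.group("msg_id")), "source": m.group("source"),
            "total": len(fields), "populated": populated}

def summarize(lines):
    """Tally events per message id and how often each field position has data."""
    stats, unparsed = {}, 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            unparsed += 1          # keep a count instead of silently dropping
            continue
        entry = stats.setdefault(event["msg_id"], {"count": 0, "positions": Counter()})
        entry["count"] += 1
        entry["positions"].update(event["populated"].keys())
    return stats, unparsed

if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE)
    for msg_id, entry in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        used = sorted(entry["positions"])
        print(f"%MSSQL-{msg_id}: {entry['count']} events, populated positions {used}")
    print(f"unparsed lines: {unparsed}")
```

Message ids with a high count are the first ones to review with the SQL administrator when deciding what to comment out of the audit script.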