This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Getting MS SQL Servers to send logs to Security Analytics

RSAAdmin
Beginner
Beginner

‎2014-10-17 06:34 AM

Hi,


I am facing issue while configuring sql servers for security analytics. In most of my attempts, they work initially and stop working in few days due to issue with fetching trace files.

 

Is this issue common with everyone or I am the only unlucky one?

 

Can someone provide me the procedure which are commonly followed for this so that I can confirm if I am on the right track? Please suggest some troubleshooting steps also if anyone have faced similar issues.

 

Thanks

0 Likes
20 REPLIES 20

RSAAdmin
Beginner
Beginner

‎2014-10-17 11:10 AM

Have you leveraged the latest MS SQL event source configuration guide? You can find this here:

 

http://sadocs.emc.com/@api/deki/files/40490/Microsoft_SQL.pdf

0 Likes

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2014-10-17 11:11 AM

rahul130191,

 

If you are looking for the specific event source configuration guide you can find them here, https://knowledge.rsasecurity.com/scolcms/set.aspx?id=9838, This is the Secure Care Online documentation for Security Analytics Event Source Configurations.

 

jkisner

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-10-17 11:21 AM

Yes, I have used this guide only. 1 thing I couldn't understand is how to restart the ODBC collection service as that is the only thing I have not done. Can you help with that?

0 Likes

RSAAdmin
Beginner
Beginner
In response to JohnKisner

‎2014-10-17 12:05 PM

This link still does not have many devices. Like IBM Switches and storages. Is there any configuration guides for these? Couldn't find MS SQL here also though but found it through google.

0 Likes

Anonymous
Not applicable

‎2014-10-20 08:29 AM

For a lot of this it's useful if you have access to EnVision and can translate the EnVision integration guides.  Also for MSSQL, if you use the Windows Event logs or SNARE to forward them, they will appear with a device.type of winevent_snare (or whatever it is for native collection) and event.source of 'mssqlserver', rather than a device.type of mssql.

 


0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-10-20 08:59 AM

Just to be sure, do you mean that if I am using windows snare to forward the windows logs on the server, it will simultaneously forward the ns sql logs as well??

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-10-20 09:03 AM

You might need the snare paid agent (the free version only forwards System, Application and Security logs), and you'll need to make sure MSSQL server is configured to audit to the windows log.

 

Check for the events on the windows log and the event.source being populated to see if it's working.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-10-20 09:04 AM

Well, the reason I was confirming is I can see it happening in one of the server I have configured but not in all. The logs are coming in the form of windows message IDs related to MS SQL Server.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-10-20 11:53 AM

Rahul

 

By default some mssql event are written to windows event log by default. MSSQL 2008 onwards you can configure sever and/or database audits. They can be written to windows eventlog as well.

With windows native collection, these events will be written under windows device. You need to update device to multi device on envision side to parse to into mssql device.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.