2014-10-17 06:34 AM
Hi,
I am facing an issue while configuring SQL servers for Security Analytics. In most of my attempts, they work initially and stop working in a few days due to an issue with fetching trace files.
Is this issue common with everyone, or am I the only unlucky one?
Can someone provide me the procedure that is commonly followed for this, so that I can confirm whether I am on the right track? Please also suggest some troubleshooting steps if anyone has faced similar issues.
Thanks
2014-10-17 11:10 AM
Have you leveraged the latest MS SQL event source configuration guide? You can find this here:
http://sadocs.emc.com/@api/deki/files/40490/Microsoft_SQL.pdf
2014-10-17 11:11 AM
rahul130191,
If you are looking for the specific event source configuration guide, you can find them here: https://knowledge.rsasecurity.com/scolcms/set.aspx?id=9838. This is the Secure Care Online documentation for Security Analytics event source configurations.
jkisner
2014-10-17 11:21 AM
Yes, I have used this guide only. One thing I couldn't understand is how to restart the ODBC collection service, as that is the only thing I have not done. Can you help with that?
2014-10-17 12:05 PM
This link still does not have many devices, like IBM switches and storage. Are there any configuration guides for these? I couldn't find MS SQL here either, though I found it through Google.
2014-10-20 08:29 AM
For a lot of this it's useful if you have access to EnVision and can translate the EnVision integration guides. Also for MSSQL, if you use the Windows Event logs or SNARE to forward them, they will appear with a device.type of winevent_snare (or whatever it is for native collection) and event.source of 'mssqlserver', rather than a device.type of mssql.
2014-10-20 08:59 AM
Just to be sure, do you mean that if I am using Windows Snare to forward the Windows logs on the server, it will simultaneously forward the MS SQL logs as well?
2014-10-20 09:03 AM
You might need the Snare paid agent (the free version only forwards the System, Application and Security logs), and you'll need to make sure MSSQL Server is configured to audit to the Windows log.
Check for the events in the Windows log and for event.source being populated to see if it's working.
2014-10-20 09:04 AM
Well, the reason I was confirming is that I can see it happening on one of the servers I have configured, but not on all of them. The logs are coming in the form of Windows message IDs related to MS SQL Server.
2014-10-20 11:53 AM
Rahul
By default, some MSSQL events are written to the Windows event log. From MSSQL 2008 onwards you can configure server and/or database audits. They can be written to the Windows event log as well.
With Windows native collection, these events will be written under the Windows device. You need to update the device to multi-device on the enVision side to parse it into the MSSQL device.
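Added example (not from any post in this thread) showing the SQL Server side of what the last reply describes: a SQL Server 2008+ server audit written to the Windows Application log, so that Snare or native Windows event collection can forward it. The audit and specification names are placeholders chosen for this example.

```sql
-- Added example: configure a SQL Server (2008+) server audit that writes to the
-- Windows Application log, so Snare / native Windows event collection forwards it.
-- Audit and specification names are placeholders chosen for this example.
USE master;
GO

-- 1. Audit target: the Windows Application log (the Security log needs extra
--    policy/permission setup, so Application is the simpler collection target).
--    ON_FAILURE = CONTINUE keeps the instance running if the log cannot be written;
--    use SHUTDOWN only if losing availability is preferable to losing audit records.
CREATE SERVER AUDIT [SA_WinEventLog_Audit]
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. What to audit at server level: logins (success and failure), server role
--    membership changes, and any change to the audit configuration itself, so
--    tampering with auditing is itself recorded.
CREATE SERVER AUDIT SPECIFICATION [SA_WinEventLog_ServerSpec]
FOR SERVER AUDIT [SA_WinEventLog_Audit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- 3. Audits are created disabled; turn the audit on.
ALTER SERVER AUDIT [SA_WinEventLog_Audit] WITH (STATE = ON);
GO

-- 4. Verify on the SQL side before troubleshooting the collector:
--    is_state_enabled should be 1 and status_desc should be STARTED.
SELECT name, type_desc, on_failure_desc, is_state_enabled
FROM sys.server_audits
WHERE name = N'SA_WinEventLog_Audit';

SELECT name, status_desc, status_time
FROM sys.dm_server_audit_status
WHERE name = N'SA_WinEventLog_Audit';
GO

-- 5. On the Windows side, audited actions now appear in the Application log with
--    source MSSQLSERVER, event ID 33205 (one event per audit record). That is the
--    log and source the Snare or native collector must be configured to forward.
```

If the Security Analytics side still shows the events under the Windows device rather than MSSQL, the audit is working and the remaining step is the multi-device parsing described in the reply above.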