This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Getting MS SQL Servers to send logs to Security Analytics

RSAAdmin
Beginner
Beginner

‎2014-10-17 06:34 AM

Hi,


I am facing issue while configuring sql servers for security analytics. In most of my attempts, they work initially and stop working in few days due to issue with fetching trace files.

 

Is this issue common with everyone or I am the only unlucky one?

 

Can someone provide me the procedure which are commonly followed for this so that I can confirm if I am on the right track? Please suggest some troubleshooting steps also if anyone have faced similar issues.

 

Thanks

0 Likes
20 REPLIES 20

RSAAdmin
Beginner
Beginner

‎2014-10-20 11:57 AM

Are you using trace collection?

 

If so then trace files must be filling up disk space before they can be read by envision.

You need to either increase disk space on drrive or change audit rules. By default everytihng is audited.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-10-25 03:55 AM

@rahul130191

 

if you want to detect MSSQL logs as MSSQL device type then i would suggest you use ODBC collection method and for the auditing of database use sqlserveraduit"version".sql file and enable the logs that you want to generate on database.

 

just follow the PDF that is provided by huehms.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-10-27 04:14 AM

Hello Rahul,

 

If you want to restart the ODBC collection service, first you need to select the device either log collector or virtual log collector, and then you need to go to System > Collection > and then select the collection type and then do stop or start.

Anonymous
Not applicable
In response to RSAAdmin

‎2014-10-29 12:51 PM

@Lalitkanteti,

 

how we can configure, to delete the trace files after collecting logs from tracefiles?

 

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-10-29 03:40 PM

Through query (gots file), we pass values to stored procedure. By default delete option (3rd value) is set to 1. If its set to 0 then files will not be deleted.  If its set to 1 and files are not getting deleted then there is some problem. I suggest contacting customer support for further assistance.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-10-30 01:36 AM

@lalitkanteti,

 

is that .dll file ?

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-10-30 03:38 PM

gots file is query you select in envision for ODBC collection. You can view it under System Configuration -> Services -> Universal Device Collection -> Manage ODBC Types

 

dll file is very specific to MSSQL collection. It is also required for deleting trace files.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-10-30 04:46 PM

Hi lalitkateti,

 

I am using RSA security analytics and i am not able to find any delete configuration on log collector side.

 

 

 

Sent from my iPhone

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-11-02 08:48 PM

can you tell me how to configure the windows device for multi-device collection on envision side?

 

Also, as you mentioned SQL 2008 onwards do not need to be configured separately and can be collected under windows device itself, does it apply to windows server 2008 or even 2003 as well? because I have a few instances where SQL 2008 is installed over windows 2003 as well...

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-11-05 01:22 PM

Click on your device under system configuration-managed monitored. Look for Multi-device check box

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.