https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88333#M5804 <P>Hi,<BR /> I am new to Splunk, recently i installed Splunk server on one of the linux machine and it's working fine.<BR /> 1) I want to monitor Micorsoft sql and oracle database (Users activity, running query, create database, tables etc.)<BR /> 2) How to add remote machine data, log in to splunk server (Forwarder already installed on client machine)</P> <P>Please help me to solved the issues.</P> <P>Thanks in advance.</P> <P>Regards,<BR /> Catch_mili</P> Fri, 12 Oct 2012 09:09:58 GMT catch_mili 2012-10-12T09:09:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88333#M5804 <P>Hi,<BR /> I am new to Splunk, recently i installed Splunk server on one of the linux machine and it's working fine.<BR /> 1) I want to monitor Micorsoft sql and oracle database (Users activity, running query, create database, tables etc.)<BR /> 2) How to add remote machine data, log in to splunk server (Forwarder already installed on client machine)</P> <P>Please help me to solved the issues.</P> <P>Thanks in advance.</P> <P>Regards,<BR /> Catch_mili</P> Fri, 12 Oct 2012 09:09:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88333#M5804 catch_mili 2012-10-12T09:09:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88334#M5805 <P>For Microsoft SQL, create an Audit Policy on your SQL Server and configure it to write to the Application or Security Windows Event Log. The logs will appear (eventually) as event code 33005 in the windows event log. Once you have that going, install the Splunk Universal Forwarder on the host and set it up to monitor the WinEventLog:Application and WinEventLog:Security - you can do this simply by installing the Splunk_TA_windows available from <A href="http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on" target="_blank">http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on</A></P> <P>Audit in Oracle is a little harder, but still relatively simple. Set up the audit to write to an XML file or the OS, in which case (on Windows) it writes to the WinEventLog:Security. You can read about it here: <A href="http://www.oracle-base.com/articles/10g/auditing-10gr2.php" target="_blank">http://www.oracle-base.com/articles/10g/auditing-10gr2.php</A></P> <P>To the second part of your question, assuming you have installed the Universal Forwarder, you need to configure an outputs.conf to redirect the logs to your Linux indexer. Set up a receiver on your Linux indexer (see <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Enableareceiver" target="_blank">http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Enableareceiver</A> ), ensuring that any host-based firewall (e.g. iptables) is also configured appropriately so you can listen on the TCP port. Then set up outputs.conf (See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd</A> ) to send the logs over to your indexer.</P> Mon, 28 Sep 2020 12:37:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88334#M5805 ahall_splunk 2020-09-28T12:37:05Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88335#M5806 <P>@ahall_splunk thanks for your reply. But, I want few queries <BR /> 1) There is need to create an audit policy ? without that there is any other way?<BR /> 2) If my database doesn't provide logs (for security purpose we disabled logs from oracle as well as Microsoft SQL database), still we can monitor that databases using splunk???</P> <P>Regards,<BR /> catch_mili</P> Mon, 29 Oct 2012 06:11:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88335#M5806 catch_mili 2012-10-29T06:11:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88336#M5807 <P>1) Correct - in order to get what a user is running, you need to create an audit log.<BR /> 2) The audit log is produced via Windows Event Log in the case of SQL Server, so a log "file" is not produced - the .evtx files are controlled through the normal Windows Event Log process.</P> Mon, 29 Oct 2012 15:58:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88336#M5807 ahall_splunk 2012-10-29T15:58:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88337#M5808 <P>Hi ahall_splunk,<BR /> Thanks for reply.</P> <P>catch_mili</P> Wed, 31 Oct 2012 06:57:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Microsoft-sql-and-Oracle-database-application/m-p/88337#M5808 catch_mili 2012-10-31T06:57:45Z