
MS SQL APP without data

anthonychen
New Member

Hi all,
I am new here. I am just using the Splunk App for Microsoft SQL Server, but without any data.
1. My Splunk server version is 5.0.6.
2. Windows 2008 Server SP2 + MS SQL 2008 Server Enterprise.
3. I followed all the steps of the installation document. I do see security EventCode 33205.

When I use sourcetype="WinEventLog:Security" in the Splunk search bar, I get the following result.



12/08/2013 08:52:05 PM
LogName=Security
SourceName=MSSQLSERVER$AUDIT
EventCode=33205
EventType=0
Type=info
ComputerName=WIN-DZ8JDWE5XJV
User=Administrator
Sid=S-1-5-21-452095144-2453852085-683102615-500
SidType=1
host=WIN-DZ8JDWE5XJV sourcetype=WinEventLog:Security source=WinEventLog:Security


When I run the lookup generator in this app, I get no results for any of the 5 lookups.
Does anybody know what I should do, or am I missing something? Please advise.
Thank you very much!

Anthony

0 Karma

amiracle
Splunk Employee

I figured this one out, finally. Here's what I did:
Windows Server 2008 R2 and Windows 2012 R2 - Open PowerShell as Administrator

PS C:\> Get-ExecutionPolicy

If it's Restricted, then do the following:

PS C:\> Set-ExecutionPolicy Bypass

Say Yes to the Execution Policy Change.

Then run Get-ExecutionPolicy and see that it changed to Bypass:

PS C:\> Get-ExecutionPolicy
Bypass

Once you have that done, now you'll need to make one more change.

Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security -> Logins -> NT AUTHORITY\SYSTEM (Properties) and grant the user the sysadmin Server Role. Apply the change and restart your Splunk service. (Thanks Adrian: http://answers.splunk.com/answers/108974/problem-with-powershell-and-splunk_for_sqlserver-app)

Once you have all these steps done, go into the app and run the Lookup Table Rebuilder (Searches & Reports -> Lookup Table Rebuilder).

Lastly, you can run the search:

index=mssql | stats count, values(sourcetype) by host 

You should see the following source types show up:

MSSQL:Database:Health
MSSQL:Host:Memory
MSSQL:Instance:Service
MSSQL:Instance:User
Powershell:ScriptExecutionSummary
0 Karma
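
A read-only check of the two settings the answer above changes, as an added example that is not part of the original post: it lists the execution policy at each scope and asks SQL Server whether NT AUTHORITY\SYSTEM is in the sysadmin role. The instance name localhost, Windows authentication, and a caller allowed to view server role membership are assumptions.

```powershell
# Added pre-flight check; not part of the original answer.
# Assumed: default local instance ("localhost"), Windows authentication,
# Windows PowerShell 2.0 or later, run on the SQL Server host.
param(
    [string]$SqlInstance = 'localhost'   # assumed; use HOST\INSTANCE for a named instance
)

# Step 1: execution policy at every scope, plus the one that actually applies.
# Set-ExecutionPolicy without -Scope writes to the LocalMachine scope.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
$effective = Get-ExecutionPolicy
if ($effective -eq 'Restricted') {
    Write-Warning 'Effective policy is Restricted: PowerShell scripts will not run.'
} else {
    Write-Output "Effective execution policy: $effective"
}

# Step 2: is NT AUTHORITY\SYSTEM a member of the sysadmin server role?
# IS_SRVROLEMEMBER returns 1 (member), 0 (not a member), or NULL
# (login or role not valid, or the caller may not view the membership).
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlInstance;Integrated Security=SSPI;Connect Timeout=5"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM')"
    $member = $cmd.ExecuteScalar()
    if ($member -is [System.DBNull]) {
        Write-Warning 'Membership unknown: login not found or no permission to view it.'
    } elseif ([int]$member -eq 1) {
        Write-Output 'NT AUTHORITY\SYSTEM holds the sysadmin server role.'
    } else {
        Write-Warning 'NT AUTHORITY\SYSTEM is not in the sysadmin server role.'
    }
} catch {
    Write-Warning "Could not query ${SqlInstance}: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```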

hnakhle
Explorer

Hello,

I am seeing the below:

WinEventLog:Application
WinEventLog:Security

0 Karma

nagadeepthi
Explorer

Hi Anthony, I am also a newbie to Splunk and I am facing the same issue that you mentioned above. Can you please help me resolve this issue if you have found a solution for it?

Can someone please help us resolve this issue?

0 Karma

anthonychen
New Member

I forgot to say one thing. The MS SQL app version is 0.1.7, which supports Splunk 5.

0 Karma