All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Add-On For MS SQL Server

hectorvp
Communicator
‎10-29-2020 10:47 PM

Hello Splunkers,

We need to fetch MS SQL logs into our Splunk.

We aren't allowed to use Splunk DB Connect for some security reasons.

Currently what we are deciding is to log all MS SQL audit events, trace events in Standard Windows Application events logs.

And fetch logs from  Windows Application Logs by UF.

Will this  "Splunk Add-On For MS SQL Server"  helpful for us in any way now? I guess this add on has dependency on "Splunk DB Connect".

I'm afraid with one more aspect that is  will all fields  of MS SQL  audit events be parsed????

 Please check this community link, regarding parsing issue

https://community.splunk.com/t5/Splunk-Enterprise-Security/Monitoring-MS-SQL-logs-from-Windows-Event... 

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-30-2020 12:54 AM

Hi @hectorvp,

I didn't used this Add-on yes so I'm not sure about it.

Anyway, you could write SQL logs in a file using a store procedure and then read the file, then, after few minutes, delete the file.

Ciao.

Giuseppe

Reply

hectorvp
Communicator
‎10-30-2020 01:18 AM

Hi @gcusello , 

No worries, you always help us a lot.

Just one aspect with my above issue, if you can check the community link I'd pasted above they say there is some parsing field issue for forwarding these logs by the approach which we are looking forward.

Someone has mentioned about CIM data modelling, this is the new concept for me today.

As per my quick reading I found this is used to help Splunk to understand and identify logs with its fields.

But just this needs to know where this CIm modelling will be used ahead, I mean in UF or HF/indexer or both???

And how reliable it is ?? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-30-2020 01:44 AM

Hi @hectorvp,

to better understand what's CIM read https://en.wikipedia.org/wiki/Common_Information_Model_(computing)

Anyway, CIM is relevat in parsing phase and this phase is done at HF/Indexers level.

Ciao.

Giuseppe

Reply

hectorvp
Communicator
‎10-30-2020 01:47 AM

Thanks a lot @gcusello 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...