All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft SQL Server: How to create audit object for ALL tables at once, not individually?

hochit
Path Finder
‎05-18-2016 01:50 AM

http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/SQLServerconfiguration

I'm following this guide to create table audit for each table. However, I have a question: What if we have >100 tables. Is there any short hand that can create audit table for ALL tables in one step?

0 Karma
Reply

hochit
Path Finder
‎06-03-2016 11:32 PM

I verified it myself. We can indeed create audit spec on schema insteawd of each table to quickly add auditing on all tables. Defining all actions including select, insert, update, delete are still required.

ALTER DATABASE AUDIT SPECIFICATION MSSQL_Table_Specification  
FOR SERVER AUDIT MSSQL_Table_Audit 
ADD (select ON SCHEMA::dbo BY dbo),
ADD (insert ON SCHEMA::dbo BY dbo),
ADD (update ON SCHEMA::dbo BY dbo),
ADD (delete ON SCHEMA::dbo BY dbo)
WITH (STATE = ON) ;
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-18-2016 09:02 AM

Yes, enable it for the entire database instead:

http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/SQLServerconfiguration#Example_of_c...

Or the entire server:
http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/SQLServerconfiguration#Example_of_c...

These are from the link you posted.

0 Karma
Reply

hochit
Path Finder
‎06-01-2016 12:58 AM

My understanding database/server level audit can only capture actions like login, permission change, etc, but not table access (CRUD). Am I correct?

I wonder in such case we should run a short script retreiving all tables and create audit spec on each of them.

(presudo)
foreach 

CREATE DATABASE AUDIT SPECIFICATION MSSQL_Table_Specification 
FOR SERVER AUDIT MSSQL_Table_Audit 
ADD (UPDATE ON <table> BY <schema> ) WITH (STATE = ON) ;

Is it possible? Thanks

0 Karma
Reply

hochit
Path Finder
‎06-02-2016 08:51 PM

Another hard question from customer, would database audit above impact DB performance?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-03-2016 05:28 AM

Auditing absolutely will impact performance, especially if its a heavily used database/table/etc and then even more so if you're writing audits to a slow disk.

Best Practices
-Write audit logs to a centralized location
-To facilitate processing of the audited data, load the logs into a database
-Use a file as a target for optimal performance
-Use targeted auditing to minimize the collected data and better performance
-When writing to the Windows logs, ensure that the roll-over policy of the Windows Logs, coincides with that of your audit strategy
- See more at: http://www.sqlshack.com/understanding-sql-server-audit/#sthash.71JR77T3.dpuf

As for your previous question, it's best to go to a SQL forum to ask that as I'm not a DBA.

0 Karma
Reply

hochit
Path Finder
‎06-03-2016 11:45 PM

It's chicken and egg problem... With audit logging (and also Splunk), we can have more insight what impact DB performance on the other hand. So probably the impact of introducing audit is a positive trade-off. I hope my customer would understand this.

Thanks, appreicated!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...