
Splunk Microsoft SQL and Oracle database application configuration

catch_mili
Explorer

Hi,
I am new to Splunk. I recently installed a Splunk server on one of our Linux machines and it is working fine.
1) I want to monitor Microsoft SQL and Oracle databases (user activity, running queries, creating databases, tables, etc.).
2) How do I add remote machine data (logs) to the Splunk server? (The forwarder is already installed on the client machine.)

Please help me solve these issues.

Thanks in advance.

Regards,
Catch_mili


ahall_splunk
Splunk Employee

For Microsoft SQL, create an Audit Policy on your SQL Server and configure it to write to the Application or Security Windows Event Log. The logs will appear (eventually) as event code 33005 in the Windows Event Log. Once you have that going, install the Splunk Universal Forwarder on the host and set it up to monitor WinEventLog:Application and WinEventLog:Security. You can do this simply by installing the Splunk_TA_windows, available from http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on

Auditing in Oracle is a little harder, but still relatively simple. Set up the audit to write to an XML file or to the OS, in which case (on Windows) it writes to WinEventLog:Security. You can read about it here: http://www.oracle-base.com/articles/10g/auditing-10gr2.php

To the second part of your question: assuming you have installed the Universal Forwarder, you need to configure an outputs.conf to redirect the logs to your Linux indexer. Set up a receiver on your Linux indexer (see http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Enableareceiver ), ensuring that any host-based firewall (e.g. iptables) is also configured appropriately so you can listen on the TCP port. Then set up outputs.conf (see http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd ) to send the logs over to your indexer.
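The SQL Server half of the answer above, written out as T-SQL. This is an added example, not code from the original post or from Splunk; the audit, specification and database names (SplunkAudit, SplunkServerSpec, SplunkDbSpec, AppDb) are placeholders. It creates a server audit whose target is the Windows Application log, attaches a server-level specification for logins, principal changes and database DDL, and a database-level specification for schema DDL and DML against the dbo schema, then checks that the audit is actually running before you start looking for the events in Splunk.

```sql
-- Added example (not from the original post): a SQL Server audit that sends its
-- records to the Windows Application log, where a Universal Forwarder with
-- Splunk_TA_windows picks them up as WinEventLog:Application events.
-- SplunkAudit, SplunkServerSpec, SplunkDbSpec and AppDb are placeholder names.
USE master;
GO

-- 1. The audit object. QUEUE_DELAY is the maximum time (ms) a record may sit in
--    memory before it is written; ON_FAILURE = CONTINUE keeps the instance up
--    if the event log cannot be written (use SHUTDOWN where losing audit
--    records is unacceptable).
CREATE SERVER AUDIT SplunkAudit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. Server-level specification: logins, login/role changes, database DDL,
--    and any change to the audit configuration itself.
CREATE SERVER AUDIT SPECIFICATION SplunkServerSpec
    FOR SERVER AUDIT SplunkAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_CHANGE_GROUP),      -- CREATE / ALTER / DROP DATABASE
    ADD (AUDIT_CHANGE_GROUP)          -- someone tampering with the audit
    WITH (STATE = ON);
GO

-- 3. Database-level specification in the application database: schema DDL
--    (CREATE / ALTER / DROP TABLE and friends), user/role changes, and every
--    DML or EXECUTE statement any principal runs against the dbo schema.
--    This last line is what "show me the queries users run" costs in volume.
USE AppDb;
GO
CREATE DATABASE AUDIT SPECIFICATION SplunkDbSpec
    FOR SERVER AUDIT SplunkAudit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo BY public)
    WITH (STATE = ON);
GO

-- 4. Enable the audit last; specifications can be created while it is off.
USE master;
GO
ALTER SERVER AUDIT SplunkAudit WITH (STATE = ON);
GO

-- 5. Verify the audit is running before trusting the Splunk side.
--    status_desc should read STARTED; otherwise nothing reaches the event log.
SELECT a.name, s.status_desc, s.status_time
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
WHERE a.name = 'SplunkAudit';
```

Two practical notes. Writing to the Security log instead of the Application log (TO SECURITY_LOG) additionally requires the SQL Server service account to hold the "Generate security audits" user right and the "Application Generated" audit subcategory to be enabled on the host; the Application log needs neither, which is why it is the easier first target. Auditing SELECT for public on a whole schema is noisy on a busy system; the usual compromise is to restrict that line to the principals or tables you care about and keep the DDL and login groups, which are cheap. On the Splunk side, the forwarder's outputs.conf needs a [tcpout] stanza naming a default group and a [tcpout:<group>] stanza whose server setting points at the indexer and the port you enabled as a receiver (for example with `splunk enable listen 9997` on the indexer), and Splunk_TA_windows supplies the WinEventLog://Application and WinEventLog://Security inputs.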
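The Oracle half, as an added example that is not part of the original post or of the linked oracle-base article: traditional (pre-12c unified) auditing, set to write XML records to a directory on the database host so that a forwarder can monitor the files. The audit_file_dest path and the instance name ORCL are placeholders; run this as SYSDBA.

```sql
-- Added example (not from the original post or the linked article): Oracle
-- traditional auditing written as XML files on the OS. The directory and the
-- ORCL instance name are placeholders for whatever your host actually uses.

-- 1. Route the audit trail to XML files. EXTENDED adds the SQL text and bind
--    values to each record, which is what you need to see "the running query".
--    AUDIT_TRAIL is static, so the instance must be restarted afterwards.
ALTER SYSTEM SET audit_trail = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/ORCL/adump' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;   -- also record SYSDBA work
-- SHUTDOWN IMMEDIATE;
-- STARTUP;

-- 2. What to record. BY ACCESS writes one record per statement rather than one
--    per session, which is the granularity a SIEM search needs.
AUDIT SESSION BY ACCESS;                                   -- logons, successful and failed
AUDIT SYSTEM GRANT, ROLE, USER BY ACCESS;                  -- privilege and account changes
AUDIT SYSTEM AUDIT BY ACCESS;                              -- changes to the audit config itself
AUDIT TABLE, PROCEDURE, ALTER SYSTEM BY ACCESS;            -- DDL: CREATE/DROP/TRUNCATE TABLE, etc.
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE BY ACCESS;  -- DML, noisy but complete

-- 3. Confirm what is enabled and where the files will land.
SELECT audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY audit_option;

SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_file_dest', 'audit_sys_operations');
```

With audit_trail set to XML the records arrive as *.xml files under audit_file_dest, so the Splunk input on that host is an ordinary file monitor on that directory rather than a WinEventLog input; the records are also queryable from inside the database through V$XML_AUDIT_TRAIL while you tune the options. The DML line is the expensive one for exactly the same reason as on SQL Server: narrow it to the tables or users that matter once the DDL and session audits are flowing.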

catch_mili
Explorer

Hi ahall_splunk,
Thanks for reply.

catch_mili


ahall_splunk
Splunk Employee

1) Correct. In order to get what a user is running, you need to create an audit log.
2) The audit log is produced via the Windows Event Log in the case of SQL Server, so a log "file" is not produced; the .evtx files are controlled through the normal Windows Event Log process.


catch_mili
Explorer

@ahall_splunk thanks for your reply. But I have a few queries:
1) Is there a need to create an audit policy? Without that, is there any other way?
2) If my database doesn't provide logs (for security purposes we disabled logs on the Oracle as well as the Microsoft SQL databases), can we still monitor those databases using Splunk?

Regards,
catch_mili
