Hi,
I am new to Splunk; recently I installed Splunk server on one of the Linux machines and it's working fine.
1) I want to monitor Microsoft SQL and Oracle databases (user activity, running queries, create database, tables etc.)
2) How to add remote machine data/logs to the Splunk server (Forwarder already installed on client machine)
Please help me to solve the issues.
Thanks in advance.
Regards,
Catch_mili
For Microsoft SQL, create an Audit Policy on your SQL Server and configure it to write to the Application or Security Windows Event Log. The logs will appear (eventually) as event code 33005 in the Windows Event Log. Once you have that going, install the Splunk Universal Forwarder on the host and set it up to monitor the WinEventLog:Application and WinEventLog:Security - you can do this simply by installing the Splunk_TA_windows available from http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on
Auditing in Oracle is a little harder, but still relatively simple. Set up the audit to write to an XML file or to the OS, in which case (on Windows) it writes to the WinEventLog:Security. You can read about it here: http://www.oracle-base.com/articles/10g/auditing-10gr2.php
To the second part of your question, assuming you have installed the Universal Forwarder, you need to configure an outputs.conf to redirect the logs to your Linux indexer. Set up a receiver on your Linux indexer (see http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Enableareceiver ), ensuring that any host-based firewall (e.g. iptables) is also configured appropriately so you can listen on the TCP port. Then set up outputs.conf (See http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd ) to send the logs over to your indexer.
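The receiver/forwarder wiring described above, written out as the three Splunk .conf fragments involved (an added example, not from the original answer; the indexer hostname and port 9997 are placeholders, and the stanza keys are standard Splunk settings):

```ini
# --- On the Linux indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Opens the receiving port (same effect as "splunk enable listen 9997").
# Also open it in the host firewall, e.g.:
#   iptables -I INPUT -p tcp --dport 9997 -j ACCEPT
[splunktcp://9997]
disabled = 0

# --- On the Windows SQL Server host: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Tells the Universal Forwarder where to send everything it collects.
[tcpout]
defaultGroup = linux_indexer

[tcpout:linux_indexer]
# placeholder indexer hostname
server = splunk-indexer.example.com:9997

# --- On the Windows SQL Server host: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf ---
# Enables the two event logs the SQL Server audit writes to.
# start_from = oldest / current_only = 0 back-fills existing events on first run;
# set current_only = 1 if you only want events from now on.
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
```

Restart the forwarder after editing; on the indexer, "splunk list forward-server" on the client and a search over host=<sqlhost> sourcetype=WinEventLog:Application confirm data is arriving.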
Hi ahall_splunk,
Thanks for the reply.
catch_mili
1) Correct - in order to get what a user is running, you need to create an audit log.
2) The audit log is produced via Windows Event Log in the case of SQL Server, so a log "file" is not produced - the .evtx files are controlled through the normal Windows Event Log process.
@ahall_splunk thanks for your reply. But I have a few queries:
1) Is there a need to create an audit policy? Without that, is there any other way?
2) If my database doesn't provide logs (for security purposes we disabled logs on Oracle as well as the Microsoft SQL database), can we still monitor those databases using Splunk???
Regards,
catch_mili