
How to get login/logout accesses from an MS-SQL Server Standard Ed. in Splunk?

skender27
Contributor

Hi,

What is the smartest way to collect the login/logout accesses from an MS SQL Server without using the add-on or the DB Connect app?
The version of MS-SQL is 64-bit Standard Edition (in fact, I found out auditing is not available in this edition).
I was thinking of putting an inputs.conf in a Splunk FW and then deploying the app to the MS SQL servers, but I am not sure about the stanzas to define there...

Thanks for any suggestion,
Skender

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

I don't have a Standard Edition to test it, but it seems to me that SE also sends logs to the Windows Event Log Security channel.
So the Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe


TheMonitor
New Member

Hi All

Absolute Splunk n00b here, so very sorry to resurrect an old thread, but did anyone figure this one out? Currently asking myself the same question as @skender27.
I have enabled the logging in SSMS and can actually see the events from the SA login. My inputs.conf looks as follows:

[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"

The problem is I see none of the corresponding event IDs for the SA user logins in Splunk (18453, 18454, 18456). Any ideas or tips would be much appreciated.

cheers

Oli



skender27
Contributor

Hi Giuseppe,

You are right, but some versions of MS-SQL Server send logs with EventCodes to the Windows:Application channel and not Windows:Security (the codes I verified were: 18453, 18454, 18456).

Anyway, your suggestion was correct!

Thanks,
Skender

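As an added example (not code from any poster in this thread), a small Python script that parses Application-channel events in the XML shape Splunk ingests with renderXml = true, keeps only those from the SQL Server provider, classifies the event IDs discussed above and counts repeated failed logins per login name and client address. The sample events are constructed, and the mapping of 18453/18454 to successful logins and 18456 to failed logins, as well as the EventData layout (login name, reason text, "[CLIENT: ...]"), are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed meaning of the Application-log event IDs named in the thread:
# 18453/18454 = login succeeded (Windows / SQL authentication), 18456 = login failed.
OUTCOME = {18453: "login_succeeded", 18454: "login_succeeded", 18456: "login_failed"}

def _ev(provider, event_id, *data):
    """Build a constructed event in the XML shape Splunk ingests with renderXml = true."""
    body = "".join(f"<Data>{d}</Data>" for d in data)
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/><EventID Qualifiers="49152">'
            f'{event_id}</EventID><Channel>Application</Channel></System><EventData>{body}</EventData></Event>')

# Constructed sample events (not captured from a real server); EventData layout assumed: login name, reason, "[CLIENT: <address>]".
SAMPLE_EVENTS = [
    _ev("MSSQLSERVER", 18456, "sa", "Reason: Password did not match that for the login provided.", "[CLIENT: 10.0.0.5]"),
    _ev("MSSQLSERVER", 18456, "sa", "Reason: Password did not match that for the login provided.", "[CLIENT: 10.0.0.5]"),
    _ev("MSSQLSERVER", 18454, "sa", "Connection made using SQL Server authentication.", "[CLIENT: 10.0.0.9]"),
    _ev("MSSQL$REPORTS", 18453, "CORP\\svc_report", "Connection made using Windows authentication.", "[CLIENT: 10.0.0.7]"),
    _ev("Application Error", 1000, "notepad.exe"),  # unrelated Application-log event, must be ignored
]

def parse_event(xml_text):
    """Return provider, event ID, outcome, login name and client address for one rendered event."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    client = None
    for d in data:  # the client address sits in whichever Data element carries "[CLIENT: ...]"
        m = re.search(r"\[CLIENT: ([^\]]+)\]", d)
        if m:
            client = m.group(1)
    return {"provider": provider, "event_id": event_id, "outcome": OUTCOME.get(event_id, "other"),
            "user": data[0] if data else None, "client": client}

def login_events(xml_events):
    """Keep SQL Server login events only (default instance logs as MSSQLSERVER, named ones as MSSQL$<name>)."""
    return [e for e in map(parse_event, xml_events)
            if (e["provider"] == "MSSQLSERVER" or e["provider"].startswith("MSSQL$")) and e["outcome"] != "other"]

def repeated_failures(xml_events, threshold=2):
    """Count failed logins per (user, client) and return the pairs at or above the threshold."""
    counts = Counter((e["user"], e["client"]) for e in login_events(xml_events)
                     if e["outcome"] == "login_failed")
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

Running `login_events` over events exported from the index is a quick way to confirm the forwarder really delivers the SQL Server provider's events before building a whitelist around them.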

skender27
Contributor

Ok, I cannot try this right now, but I just put into the inputs.conf (deployed via FW app):

[WinEventLog://Security]
start_from = oldest
checkpointInterval = 5
disabled = 0
index = my_ms_sql
whitelist = 24001-24003

Should it be fine?
Skender


skender27
Contributor

Hi Giuseppe,

I have had no chance to test it yet, but I will let you know as soon as possible.
Thanks for the Event Codes!

Skender
