How to get login/logout accesses from an MS-SQL Server Standard Edition in Splunk?

skender27
Contributor

Hi,

What is the smartest way to collect the login/logout accesses from an MS SQL Server without using the add-on or the DB Connect app?
The version of MS-SQL is a 64-bit Standard Edition (in fact, I found out auditing is not available in this edition).
I was thinking of putting an inputs.conf in a Splunk forwarder app and then deploying the app to the MS SQL servers, but I am not sure about the stanzas to define there...

Thanks for any suggestion,
Skender

0 Karma
1 Solution

gcusello
SplunkTrust

I don't have a Standard Edition to test it, but it seems to me that SE also sends logs to the Windows Event Log Security channel.
So the Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe

TheMonitor
New Member

Hi All

Absolute Splunk n00b here, so very sorry to resurrect an old thread, but did anyone figure this one out? Currently asking myself the same question as @skender27.
I have enabled the logging in SSMS and can actually see the events from the SA login. My inputs.conf looks as follows:

[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"

The problem is I see none of the corresponding event IDs for the SA user logins in Splunk (18453, 18454, 18456). Any ideas or tips would be much appreciated.

cheers

Oli

0 Karma

skender27
Contributor

Hi Giuseppe,

You are right, but some versions of MS-SQL Server send logs with EventCodes to the Windows:Application channel and not Windows:Security (the codes I verified were: 18453, 18454, 18456).

Anyway, your suggestion was correct!

Thanks,
Skender

0 Karma

skender27
Contributor

OK, I cannot try this right now, but I have just put this into the inputs.conf (deployed via the FW app):

[WinEventLog://Security]
start_from = oldest
checkpointInterval = 5
disabled = 0
index = my_ms_sql
whitelist = 24001-24003

Should it be fine?
Skender

0 Karma
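As an added example (not code from the thread), a search that unions both channels the thread mentions, the Security codes 24001-24003 from the stanza above and the Application codes 18453/18454/18456 that skender27 verified, and normalises them into one outcome field. It assumes the index name my_ms_sql from the inputs.conf above, the standard EventCode field, the stock SQL Server message text ("Login failed for user 'x'. ... [CLIENT: ip]"), and a failure threshold of 10, all of which are assumptions to adjust.

```spl
index=my_ms_sql
    ( (source="WinEventLog:Security" OR source="XmlWinEventLog:Security")
      (EventCode=24001 OR EventCode=24002 OR EventCode=24003) )
 OR ( (source="WinEventLog:Application" OR source="XmlWinEventLog:Application")
      (EventCode=18453 OR EventCode=18454 OR EventCode=18456) )
| eval outcome=case(
      EventCode==24001 OR EventCode==18453 OR EventCode==18454, "login_succeeded",
      EventCode==24002, "logout",
      EventCode==24003 OR EventCode==18456, "login_failed")
| rex field=_raw "[Ll]ogin (?:succeeded|failed) for user '(?<sql_user>[^']+)'"
| rex field=_raw "\[CLIENT: (?<client_ip>[^\]]+)\]"
| fillnull value="unknown" sql_user client_ip
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY host sql_user client_ip outcome
| where outcome="login_failed" AND count>=10
```

Drop the final where clause to list every login and logout rather than only repeated failures. If nothing comes back, check `index=my_ms_sql | stats count BY source EventCode EventID` first: with renderXml = true the ID may be extracted as EventID instead of EventCode, so rename the field accordingly.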

skender27
Contributor

Hi Giuseppe,

I have had no chance to test it yet, but I will let you know as soon as possible.
Thanks for the Event Codes!

Skender

0 Karma