Solved: How getting login/logout accesses from a MS-Sql s...

skender27 · ‎10-11-2016

Hi,

What is the smartest way to collect the login/logout accesses from a ms sql server without using the add-on or the dbconnect app?
The version of ms-sql is s 64bit standard edition (in fact, I found out auditing is not available in this edition).
I was thinking of putting a inputs.sonf in a Splunk fw and then deploy the app to ms sql servers, but I am nit sure about the stanzas to define there...

Thanks for any suggestion,
Skender

gcusello · ‎10-11-2016

I haven't a Standard Edition to test it, but it seems to me that also SE sends logs to Win Event Log Security.
So Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe

View solution in original post

gcusello · ‎10-11-2016

I haven't a Standard Edition to test it, but it seems to me that also SE sends logs to Win Event Log Security.
So Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe

skender27 · ‎10-13-2016

Hi Giuseppe,

You are right, but some versions of MS-SQL servers sent logs with EventCodes to the Windows:Application channel and not Windows:Security (the codes I verified were: 18453, 18454 , 18456).

Anyway, your suggestion was correct!

Thanks,
Skender

skender27 · ‎10-11-2016

Ok, I cannot try this right now, but I just put into the inputs.conf (deployed via FW app):

[WinEventLog://Security]
start_from = oldest
checkpointInterval = 5
disabled = 0
index = my_ms_sql
whitelist = 24001-24003

Should it be fine?
Skender

skender27 · ‎10-11-2016

Hi Giuseppe,

I have had no chance to test it yet, but I will let you know as soon as possible.
Thanks for the Event Codes!

Skender

How getting login/logout accesses from a MS-Sql server stardard Ed. in Splunk?

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann

Admin Your Splunk Cloud, Your Way