Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How getting login/logout accesses from a MS-Sql server stardard Ed. in Splunk?

skender27
Contributor
‎10-11-2016 02:44 AM

Hi,

What is the smartest way to collect the login/logout accesses from a ms sql server without using the add-on or the dbconnect app?
The version of ms-sql is s 64bit standard edition (in fact, I found out auditing is not available in this edition).
I was thinking of putting a inputs.sonf in a Splunk fw and then deploy the app to ms sql servers, but I am nit sure about the stanzas to define there...

Thanks for any suggestion,
Skender

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2016 04:40 AM

I haven't a Standard Edition to test it, but it seems to me that also SE sends logs to Win Event Log Security.
So Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

TheMonitor
New Member
‎10-04-2023 07:01 AM

Hi All

absolute SPLUNK N00b here so very sorry to resurrect an old thread but did anyone figure this one out? Currently asking myself the same question as @skender27 
I have enabled the Logging in SSMS and can actually see the Events from the SA login.  My inputs.conf looks as follows

[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
index = "my index"

The problem is I see none of the corresponding event IDs for the SA User logins in Splunk (18453, 18454 , 18456). Any ideas or tips would be much appreciated?

cheers

Oli

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2016 04:40 AM

I haven't a Standard Edition to test it, but it seems to me that also SE sends logs to Win Event Log Security.
So Event Codes are:
24001 login succeeded
24002 logout succeeded
24003 login failed
Bye.
Giuseppe

Reply
Solved! Jump to solution

skender27
Contributor
‎10-13-2016 03:12 AM

Hi Giuseppe,

You are right, but some versions of MS-SQL servers sent logs with EventCodes to the Windows:Application channel and not Windows:Security (the codes I verified were: 18453, 18454 , 18456).

Anyway, your suggestion was correct!

Thanks,
Skender

0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎10-11-2016 05:57 AM

Ok, I cannot try this right now, but I just put into the inputs.conf (deployed via FW app):

[WinEventLog://Security]
start_from = oldest
checkpointInterval = 5
disabled = 0
index = my_ms_sql
whitelist = 24001-24003

Should it be fine?
Skender

0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎10-11-2016 05:34 AM

Hi Giuseppe,

I have had no chance to test it yet, but I will let you know as soon as possible.
Thanks for the Event Codes!

Skender

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...