How should we handle SQL Server audit data that reaches the wineventlog index?


For SQL Server audit information, we ended up sending the data to the wineventlog index as application events.

This data - EventCode=33205 should be visible only for the cyber/audit audience. How can we apply a different access to this data or should we route it to a different index? If so, how can we do it?

Labels (1)
Tags (1)
0 Karma

The only way to apply different security to certain data is to put that data in a separate index.
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...