Security

Is there a Splunk alert to identify when a database is copied?

New Member

I want to monitor any database copies that are made. Whether it be a backup or copy to flat file. Can Splunk capture this

Tags (2)
0 Karma

SplunkTrust
SplunkTrust

Yes, but it depends on auditing the copy. You have to be able to capture the event from either the filesystem or database perspective, and then index that event in Splunk. Once you do so, you can create an alert that runs a search to find that event, and if it does it will take an action (send an email).

0 Karma

New Member

What I am looking for is a security feature. If we can monitor for unauthorized copies or access.

0 Karma

Champion

What database are we talking about? Assuming an external database on some server, the answer is simple: if you can make that database log its accesses to a file or some other output (e.g. syslog) that you can monitor with splunk, then you can definitely do that. The quesion as it is however is too vague to say how exactly.

0 Karma

New Member

SQL database. As it stands, there is no alert for any type of database copy made. From my research and knowledge there are to many variables to just log the "copy" of a database. If what I have been told is correct, someone who knows what they are doing can run a "select" statement and copy the DB without anyone else knowing. If that is true, then would splunk identify that?

0 Karma

Champion

Splunk does not "identify" anything - you use splunk to identify stuff in data. MS Word does not write a letter for you, but you can use it to write and format one.
There are two basic steps you need to do: 1) get the data from the sources to monitor into splunk, 2) in that data, find pieces of evidence or run statistics that indicate a problem or violation.

A primary type of data ingested with splunk is log data. In oder to get you started with point one, you need to enable logging on your SQL database, i.e. make it write all (attempted) accesses and run queries to log files, and monitor those log files with splunk. You will then be able to search through those logs, and will have to identify what queries are not supposed to be run/which users are not supposed to log on/which IPs are not supposed to contact the server and all that. But bear in mind that everything you want to find out about has to be somewhere in that log data. If the logs only contain info on the queries run and not on who ran them from which ip, then you can not use that data in splunk.

0 Karma