Hello @tscroggins 

Thank you for your follow up. However, I am not sure that we can apply this solution to our environment since our Server C (the one with the universal forwarder) is not a Windows server . The other servers (type A and B) are not connected to any external networks.

After some internal discussions, a new idea was proposed and I am not sure if it could work, @tscroggins , @isoutamo , @scelikok I appreciate if you share your feed backs about it.

The idea is to deploy a heavy forwarder on server B and a Universal forwarder on server C (the one connected to Splunk cloud)

1. Servers A (DB server): Our databases generate SQLAudit files (and probably some Oracle DB audit files from similar servers). No external connections are allowed to these category of servers.
2. Server B (Relay): This is the only server that can establish communications with the DB servers (category A). On this server, we can install a havy forwarder + DB connect to collect MSsql audit logs ( and Oracle audit logs from oracle servers). Please note that there are no external connections to this server and it cannot directly forwarder to Splunk Cloud.
3. Server C (Universal Forwarder): The only one with allowed external connections. Havy forwarder on server B sends the collected logs to the universal forwarder on server C.  The Universal forwarder then uploads the SQLAudit files and oracle audit files to the Splunk Cloud instance.
    

    

   Do you think that this is a feasable set up ? 

   Best regards,

Also, yes, your proposal to install Splunk Enterprise on Server B and Splunk Universal Forwarder on Server C will allow you to run queries against Server A, assuming you have connectivity and a database account with appropriate access, and forward the evens to Server C and downstream to Splunk Cloud.

Note, however, that sys.fn_get_audit_file does not scale. If you query .sqlaudit files through this function, your SQL Server administrator should store only the .sqlaudit files necessary to allow Splunk to execute queries and index events in a timely manner. I.e. Rotation and retention of live .sqlaudit files should be configured with Splunk and fn_get_audit_file performance in mind. You'll need to test performance in your environment to understand its constraints.

Thank you @tscroggins 

This should work on Linux:

Install PowerShell Core.

As the Splunk Universal Forwarder user--splunk or splunkfwd--install the SqlServer module as before:

$ /bin/pwsh
PS> Install-Module SqlServer

If Splunk Universal Forwarder runs as root, install the SqlServer module as root.

Copy Stream-SqlAudit.ps1 to an appropriate directory, e.g. $SPLUNK_HOME/bin/scripts. Note the addition of the interpreter directive on the first line.

#!/bin/pwsh
$file = New-TemporaryFile
$output = $file.Open([System.IO.FileMode]::Append, [System.IO.FileAccess]::Write)
$stdin = [System.Console]::OpenStandardInput()
$stdout = [System.Console]::Out
$buffer = New-Object byte[] 16384
[int]$bytes = 0

while (($bytes = $stdin.Read($buffer, 0, $buffer.Length)) -gt 0) {
    $output.Write($buffer, 0, $bytes)
}

$output.Flush()
$output.Close()

Read-SqlXEvent -FileName "$($file.DirectoryName)\$($file.Name)" | %{
    $event = $_.Timestamp.UtcDateTime.ToString("o")
    $_.Fields | %{
        if ($_.Key -eq "permission_bitmask") {
            $event += " permission_bitmask=`"0x$([System.BitConverter]::ToInt64($_.Value, 0).ToString("x16"))`""
        }
        elseif ($_.Key -like "*_sid") {
            $sid = $null
            $event += " $($_.Key)=`""

            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Value, 0)
                $event +=  "$($sid.ToString())`""
            }
            catch {
                $event += "`""
            }
        }
        else {
            $event +=  " $($_.Key)=`"$([System.Web.HttpUtility]::JavaScriptStringEncode($_.Value.ToString()))`""
        }
    }

    $stdout.WriteLine($event)
}

$file.Delete()

Make sure the file is executable, e.g.:

$ chmod 0750 $SPLUNK_HOME/bin/scripts/Stream-SqlAudit.ps1

Update props.conf:

[source::....sqlaudit]
unarchive_cmd = $SPLUNK_HOME/bin/scripts/Stream-SqlAudit.ps1
unarchive_cmd_start_mode = direct
sourcetype = preprocess-sqlaudit
NO_BINARY_CHECK = true

[preprocess-sqlaudit]
invalid_cause = archive
is_valid = False
LEARN_MODEL = false

[sqlaudit]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%N%Z
MAX_TIMESTAMP_LOOKAHEAD = 30
KV_MODE = auto_escaped

Update inputs.conf:

[monitor:///tmp/*.sqlaudit]
index = main
sourcetype = sqlaudit

/tmp is just an example. Use whatever file system and path makes the most sense for your deployment. The Splunk Universal Forwarder user must have read and execute access to all directories in the path and read access to the .sqlaudit files.

As before, your temporary directory should have enough free space to accommodate your largest .sqlaudit file. Depending on your Splunk configuration, Splunk Universal Forwarder may process multiple files concurrently. If that's the case, ensure you have enough free space for all temporary files.

Finally, let us know how it goes!

The SqlServer module is available for PowerShell Core on various platforms. I can test a solution on Linux x86-64, but I don't have access to a macOS or ARM host. What platform is Server C?

Server C is SUSE 15

Maybe? The prototype is here for anyone to grab. I'd need to find the time and resources for long-term maintenance of an app: development, build and integration, support, etc.

Note that I used System.Web.HttpUtility.JavaScriptStringEncode as a shortcut for encoding/escaping strings. KV_MODE = auto_escaped only handles a few escape sequences. If you prefer, you can simply replace \ and " with \\ and \", respectively, in strings before writing them.

Hi @scelikok 

Thank you for your reply. 

We will test this option and see if works.

Best regards.