Splunk Enterprise Security

MS SQL audit logs with UF to read Windows Application Logs?

ojay
Path Finder

Hi all,

I am trying to integrate MS SQL audit log data with a UF instead of DB Connect. 

What is the best and recommended way to do it that maps all fields? 

At the moment it is integrated with the UF and using the "Splunk Add-on for Microsoft SQL Server"

With that the MS SQL events can be identified by SourceName=MSSQLSERVER or SourceName=MSSQL*

However it does not work properly work as most of the fields are not extracted and mapped. For example the user is also not translated User= NOT_TRANSLATED

Labels (3)
0 Karma

ojay
Path Finder

Hi,

thank you for your feedback. 

The add-on is installed on indexer, searchheads and universal forwarder. However fields like below are not beeing mapped

 

00/00/0000 00:00:00 PM
LogName=Application
EventCode=33205
EventType=0
ComputerName=
SourceName=MSSQLSERVER
Type=Information
RecordNumber=123456
Keywords=Audit Failure, Classic
TaskCategory=Logon
OpCode=None
Message=Audit event: audit_schema_version:1
event_time:2023-00-00 00:00:00.000000
sequence_number:1
action_id:LGIF
succeeded:false
is_column_permission:false
session_id:0
server_principal_id:0
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:LX
permission_bitmask:00000000000000000000000000000000
sequence_group_id:
session_server_principal_name:
server_principal_name:
server_principal_sid:
database_principal_name:
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:XXXXXXXXXX
database_name:
schema_name:
object_name:
statement:
additional_information:
user_defined_information:

 

Should all fields not be extracted, as the add-on has these field extractions. Or does it only work with dbconnect?

Hopefully somebody can support and advise before I start working on a customized solution which I am trying to avoid.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make sure the add-on is installed on your indexers and search heads as well as on the UF.  The UF fetches the data, but it is the indexers and SHs that do field extractions so the add-on needs to be installed there, too.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...