I am trying to integrate MS SQL audit log data with a UF instead of DB Connect.
What is the best and recommended way to do it that maps all fields?
At the moment it is integrated with the UF and using the "Splunk Add-on for Microsoft SQL Server".
With that, the MS SQL events can be identified by SourceName=MSSQLSERVER or SourceName=MSSQL*.
However, it does not work properly, as most of the fields are not extracted and mapped. For example, the user is also not translated: User=NOT_TRANSLATED
Thank you for your feedback.
The add-on is installed on the indexer, search heads and universal forwarder. However, fields like the ones below are not being mapped:
00/00/0000 00:00:00 PM LogName=Application EventCode=33205 EventType=0 ComputerName= SourceName=MSSQLSERVER Type=Information RecordNumber=123456 Keywords=Audit Failure, Classic TaskCategory=Logon OpCode=None Message=Audit event: audit_schema_version:1 event_time:2023-00-00 00:00:00.000000 sequence_number:1 action_id:LGIF succeeded:false is_column_permission:false session_id:0 server_principal_id:0 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:LX permission_bitmask:00000000000000000000000000000000 sequence_group_id: session_server_principal_name: server_principal_name: server_principal_sid: database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:XXXXXXXXXX database_name: schema_name: object_name: statement: additional_information: user_defined_information:
Shouldn't all fields be extracted, as the add-on has these field extractions? Or does it only work with DB Connect?
Hopefully somebody can support and advise before I start working on a customized solution, which I am trying to avoid.
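To see what the Message body above should yield once extraction works, here is an added example that is not from the post or from the Splunk add-on: a small Python parser for the UF's Key=Value event line and the nested SQL Server audit "key:value" body, which copes with the empty values and with the space and colons inside event_time. SAMPLE is the post's anonymised event cut down to a subset of keys; reading action_id LGIF as SQL Server's "login failed" audit action is my assumption from SQL Server's audit action IDs, not something stated in the post.

```python
import re

# Audit field names exactly as they appear in the SQL Server event quoted in the post.
AUDIT_KEYS = [
    "audit_schema_version", "event_time", "sequence_number", "action_id", "succeeded",
    "is_column_permission", "session_id", "server_principal_id", "database_principal_id",
    "target_server_principal_id", "target_database_principal_id", "object_id",
    "user_defined_event_id", "transaction_id", "class_type", "permission_bitmask",
    "sequence_group_id", "session_server_principal_name", "server_principal_name",
    "server_principal_sid", "database_principal_name", "target_server_principal_name",
    "target_server_principal_sid", "target_database_principal_name",
    "server_instance_name", "database_name", "schema_name", "object_name", "statement",
    "additional_information", "user_defined_information",
]
_KEYS = "|".join(AUDIT_KEYS)
# A value runs (non-greedily) up to the next known key or the end of the text, so the
# space/colons inside event_time, free text in statement, and empty values all survive.
AUDIT_RE = re.compile(rf"(?P<key>{_KEYS}):(?P<val>.*?)(?=\s+(?:{_KEYS}):|$)", re.S)
# Outer Windows Event Log layout from the UF: Key=Value, value runs to the next "Key=".
WINEVENT_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s+\w+=|$)", re.S)


def parse_audit_message(message: str) -> dict:
    """Split the 'Message=Audit event: ...' body into its audit fields."""
    body = message.split("Audit event:", 1)[-1]
    return {m["key"]: m["val"].strip() for m in AUDIT_RE.finditer(body)}


def parse_windows_event(raw: str) -> dict:
    """Parse a whole UF event line; the nested audit fields land under 'audit'."""
    fields = {m["key"]: m["val"].strip() for m in WINEVENT_RE.finditer(raw)}
    if "Message" in fields:
        fields["audit"] = parse_audit_message(fields["Message"])
    return fields


def is_failed_login(audit: dict) -> bool:
    """Assumption: action_id LGIF is SQL Server's 'login failed'; succeeded:false confirms it."""
    return audit.get("action_id") == "LGIF" and audit.get("succeeded") == "false"


# The anonymised event from the post, shortened to a representative subset of keys.
SAMPLE = (
    "00/00/0000 00:00:00 PM LogName=Application EventCode=33205 EventType=0 "
    "ComputerName= SourceName=MSSQLSERVER Type=Information RecordNumber=123456 "
    "Keywords=Audit Failure, Classic TaskCategory=Logon OpCode=None "
    "Message=Audit event: audit_schema_version:1 event_time:2023-00-00 00:00:00.000000 "
    "sequence_number:1 action_id:LGIF succeeded:false session_id:0 class_type:LX "
    "sequence_group_id: session_server_principal_name: server_principal_name: "
    "server_instance_name:XXXXXXXXXX database_name: statement: user_defined_information:"
)
```

Comparing this dict with the fields Splunk actually shows for the same event tells you whether the problem is the add-on's extractions not running at all or only particular fields failing.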
Make sure the add-on is installed on your indexers and search heads as well as on the UF. The UF fetches the data, but it is the indexers and SHs that do field extractions so the add-on needs to be installed there, too.