
Splunk Microsoft sql and Oracle database application configuration

catch_mili
Explorer

Hi,
I am new to Splunk. Recently I installed the Splunk server on one of our Linux machines and it is working fine.
1) I want to monitor Microsoft SQL and Oracle databases (user activity, running queries, creation of databases, tables, etc.).
2) How do I add remote machine data/logs to the Splunk server? (The forwarder is already installed on the client machine.)

Please help me to solve these issues.

Thanks in advance.

Regards,
Catch_mili


ahall_splunk
Splunk Employee

For Microsoft SQL, create an Audit Policy on your SQL Server and configure it to write to the Application or Security Windows Event Log. The logs will appear (eventually) as event code 33005 in the windows event log. Once you have that going, install the Splunk Universal Forwarder on the host and set it up to monitor the WinEventLog:Application and WinEventLog:Security - you can do this simply by installing the Splunk_TA_windows available from http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on

Audit in Oracle is a little harder, but still relatively simple. Set up the audit to write to an XML file or the OS, in which case (on Windows) it writes to the WinEventLog:Security. You can read about it here: http://www.oracle-base.com/articles/10g/auditing-10gr2.php

To the second part of your question, assuming you have installed the Universal Forwarder, you need to configure an outputs.conf to redirect the logs to your Linux indexer. Set up a receiver on your Linux indexer (see http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Enableareceiver ), ensuring that any host-based firewall (e.g. iptables) is also configured appropriately so you can listen on the TCP port. Then set up outputs.conf (See http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd ) to send the logs over to your indexer.
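The audit configuration the reply above describes, as an added worked example that is not part of the original answer: part 1 is T-SQL that creates a SQL Server audit writing to the Windows Application log (which the Universal Forwarder then reads from WinEventLog:Application); part 2 is the equivalent Oracle traditional-auditing setup, run in SQL*Plus as SYS. The names Splunk_Audit, Splunk_Server_Spec, Splunk_AppDB_Spec, the database AppDB and the table hr.employees are assumptions for illustration.

```sql
-- ===== Part 1: SQL Server (T-SQL). Run as a sysadmin. =====
USE master;
GO

-- The server audit is the sink. APPLICATION_LOG needs no extra OS rights;
-- SECURITY_LOG additionally requires the SQL Server service account to hold the
-- "Generate security audits" user right and the "Application Generated" audit
-- policy to be enabled in Windows. ON_FAILURE = CONTINUE keeps the instance up
-- if the log cannot be written; use SHUTDOWN where losing audit records is
-- unacceptable.
CREATE SERVER AUDIT Splunk_Audit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Server-level specification: logins, database creation/drop, principal and
-- role changes, and AUDIT_CHANGE_GROUP so that tampering with the audit itself
-- is recorded.
CREATE SERVER AUDIT SPECIFICATION Splunk_Server_Spec
    FOR SERVER AUDIT Splunk_Audit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (DATABASE_CHANGE_GROUP),            -- CREATE/ALTER/DROP DATABASE
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Database-level specification (repeat per database you care about):
-- DDL on tables and other objects, plus every SELECT/INSERT/UPDATE/DELETE that
-- any principal (public) runs against schema dbo. This is what answers
-- "which queries are users running"; expect high volume on busy databases.
USE AppDB;   -- assumed database name
GO
CREATE DATABASE AUDIT SPECIFICATION Splunk_AppDB_Spec
    FOR SERVER AUDIT Splunk_Audit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),       -- CREATE/ALTER/DROP TABLE, VIEW, PROC ...
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public)
    WITH (STATE = ON);
GO

-- Nothing is written until the audit itself is switched on.
USE master;
GO
ALTER SERVER AUDIT Splunk_Audit WITH (STATE = ON);
GO

-- Sanity check: the audit should be enabled and STARTED.
SELECT name, type_desc, is_state_enabled FROM sys.server_audits;
SELECT name, status_desc FROM sys.dm_server_audit_status;
GO

-- ===== Part 2: Oracle traditional auditing (10g/11g). Run as SYS in SQL*Plus. =====
-- audit_trail is a static parameter: set it in the spfile, then restart.
-- XML,EXTENDED writes XML files (with SQL text and binds) under audit_file_dest,
-- which the forwarder can monitor as files. OS writes to the OS audit trail,
-- which on Windows is the Windows Event Log; confirm the log and source name in
-- Event Viewer before writing the forwarder input stanza.
ALTER SYSTEM SET audit_trail = XML, EXTENDED SCOPE = SPFILE;
SHUTDOWN IMMEDIATE;
STARTUP;

-- Logons/logoffs, table DDL, account and privilege changes, BY ACCESS so each
-- statement produces its own record.
AUDIT SESSION;
AUDIT TABLE, ALTER TABLE BY ACCESS;           -- CREATE/DROP/TRUNCATE TABLE + ALTER TABLE
AUDIT USER, ROLE, SYSTEM GRANT BY ACCESS;     -- CREATE/ALTER/DROP USER, roles, grants
AUDIT ALTER SYSTEM BY ACCESS;                 -- catches changes to audit_trail itself

-- Object audit on a specific sensitive table (assumed name): every DML on it.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Sanity check: which options are active and where the trail goes.
SHOW PARAMETER audit_trail;
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT privilege, success, failure FROM dba_priv_audit_opts;
```

On the Splunk side nothing in this block changes the reply's steps: with Splunk_TA_windows deployed, the forwarder's inputs.conf needs the `[WinEventLog:Application]` (and, if you chose SECURITY_LOG, `[WinEventLog:Security]`) stanza with `disabled = 0`; for the Oracle XML trail, a `[monitor://...]` stanza pointing at audit_file_dest. The indexer enables its receiver with `splunk enable listen 9997` (or a port of your choosing, opened in iptables), and the forwarder is pointed at it with `splunk add forward-server <indexer>:9997`, which writes the `[tcpout]` stanza in outputs.conf. Two caveats worth keeping in mind: Splunk collects only what the database emits, so an audit definition like the above is the source of the data rather than something the forwarder can replace, and the audit definitions themselves should be protected (AUDIT_CHANGE_GROUP and ALTER SYSTEM auditing above exist so that someone switching them off leaves a record).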

catch_mili
Explorer

Hi ahall_splunk,
Thanks for reply.

catch_mili


ahall_splunk
Splunk Employee

1) Correct - in order to get what a user is running, you need to create an audit log.
2) The audit log is produced via Windows Event Log in the case of SQL Server, so a log "file" is not produced - the .evtx files are controlled through the normal Windows Event Log process.


catch_mili
Explorer

@ahall_splunk thanks for your reply. But I have a few queries:
1) Is there a need to create an audit policy? Without that, is there any other way?
2) If my database doesn't provide logs (for security purposes we disabled logs on the Oracle as well as the Microsoft SQL database), can we still monitor those databases using Splunk?

Regards,
catch_mili
