LOGbinder SQL
What Can SQL Server Auditing Provide?
SQL Server 2008 introduced a
totally new audit logging facility which is critical
to enterprises storing sensitive information and/or processing important transactions
in today’s demanding compliance environment.
SQL Server Audit is flexible in terms of audit policy and comprehensive in relation
to the breadth and depth of objects and actions that can be audited. However, the
audit data generated by SQL Server needs additional refinement and processing before
it can be relied upon as a usable audit trail and managed by your existing log
management/SIEM solution.
LOGbinder SQL Bridges the Gap between SQL Server and Your SIEM
The audit records generated by SQL Server audit are cryptic and difficult to understand.
Basically, one log record format is used for documenting everything from an insertion
on a table to a modification of a stored procedure. And while SQL Server can write
events to the security log or Syslog, it uses the same event ID for all events, and the IDs
and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit
model in order to decipher events.
Frees SQL audit logs from their proprietary format
The preferred and highest performance option for audit log output results in a proprietary
file format that cannot be parsed by log management/SIEM solutions using typical
text log file-based parsing engines.
The LOGbinder SQL collector processes the proprietary-format
SQL Server audit log and enriches SQL Server's cryptic and generic audit messages
to produce an easy-to-understand audit log event, which it then writes to the Windows
event log, where any log management or SIEM solution can collect it, alert on it,
report on it, and analyze it.
Enriches SQL audit logs without impacting SQL Server performance
LOGbinder SQL can be installed on the SQL Server itself. Alternatively, to eliminate any
impact on business database functions, you can deploy the LOGbinder SQL collector on a
separate server and have it process audit logs from multiple SQL Servers via shared folders.
Raw Audit Event from SQL Server
event_time:2010-09-16 12:35:30.0787755
sequence_number:1
action_id:APRL
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:54
server_principal_id:260
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:7
class_type:RL
session_server_principal_name: ACMESP\Administrator
server_principal_name: ACMESP\Administrator
server_principal_sid:0
database_principal_name: dbo
target_server_principal_name: ACMESP\Administrator
target_server_principal_sid: 0
target_database_principal_name: public
server_instance_name: SPDEV\SQL08ENT
database_name: AuditTest
schema_name:
object_name: MyAudit
statement: EXEC sp_addrolemember N'MyAudit', N'public'
additional_information:
file_name=c:\sql audits\AuditAll_12633920-FB34-4FAA-8F96-E9F8FED158A9_0_129276798828120000.sqlaudit
audit_file_offset=1536
Same Event After LOGbinder SQL Processing
Event ID: 24020
Add member to database role succeeded
A principal was successfully added to a database role
Action Group: DATABASE_ROLE_MEMBER_CHANGE_GROUP
Occurred: 9/16/2010 12:35:30.0000000 PM
Session ID: 54
User: ACMESP\administrator
Server: SPDEV\SQL08ENT
Database: AuditTest
Member
Name: public
Domain name: n/a
Role
ID: 7
Name: MyAudit
Statement: EXEC sp_addrolemember N'MyAudit', N'public'
For more information, see http://logbinder.com/support
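The step from the raw record to the readable event, as an added sketch that is not LOGbinder's code: it parses the raw record's key/value lines and resolves the action_id/class_type pair into a title and action group. The lookup table holds only the APRL/RL mapping shown on this page; the function names and output field names are assumptions.

```python
import re

# Only the mapping shown on this page; a full table would cover every action code.
ACTIONS = {("APRL", "RL"): ("Add member to database role",
                            "DATABASE_ROLE_MEMBER_CHANGE_GROUP")}
FIELD = re.compile(r"^([a-z][a-z_]*)\s*[:=]\s*(.*)$")

def parse_record(text):
    """Split 'key:value' / 'key=value' lines; glue wrapped lines to the previous key."""
    rec, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            rec[last] = m.group(2).strip()
        elif line and last:
            rec[last] += line  # heuristic: no field name, so treat as a wrapped value
    return rec

def enrich(rec):
    """Resolve the codes and name the fields; unknown codes are flagged, not dropped."""
    code = (rec.get("action_id", "").strip(), rec.get("class_type", "").strip())
    name, group = ACTIONS.get(code, (None, None))
    outcome = "succeeded" if rec.get("succeeded") == "true" else "failed"
    return {
        "resolved": name is not None,
        "title": f"{name or 'Unresolved action ' + '/'.join(code)} {outcome}",
        "action_group": group or "UNKNOWN",
        "occurred": rec.get("event_time", "")[:19],
        "user": rec.get("server_principal_name"),
        # For this action the target principal is the member and the object is the role.
        "member": rec.get("target_database_principal_name"),
        "role": rec.get("object_name"),
        "statement": rec.get("statement"),
    }

# Subset of the raw record shown above; file_name is wrapped to exercise continuation.
SAMPLE = r"""event_time:2010-09-16 12:35:30.0787755
action_id:APRL
succeeded:true
class_type:RL
server_principal_name: ACMESP\Administrator
target_database_principal_name: public
object_name: MyAudit
statement: EXEC sp_addrolemember N'MyAudit', N'public'
file_name=c:\sql audits\AuditAll_12633920-
FB34-4FAA-8F96-E9F8FED158A9_0_129276798828120000.sqlaudit
"""
```

An action code missing from the table still yields an event, marked `resolved: False`, so a gap in the mapping shows up downstream instead of silently dropping audit records.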
Connects SQL Audit to Your SIEM
LOGbinder SQL fills a critical gap between enterprise database servers and audit
log management solutions, allowing you to obtain a clearly written and easy-to-understand
audit log that is accessible to your existing log management solution. Similar
to our efforts with LOGbinder SP, we are working with log management and SIEM
solution providers to build recommended alerts and reports into their systems
for SQL Server audit logs processed by LOGbinder SQL.