Blog | Newsletter | Download | Contact

LOGbinder Blog

Updates, Tips and News   RSS Feed  
Search
Categories
Recent Blogs
Archive

«  Need help configuring SQL... | Release of LOGbinder SP 2... »

LOGbinder SQL Beta is released! Join beta testers now

Tue, 01 Nov 2011 17:05:52 GMT

From the folks that help you audit SharePoint comes a new solution to help you audit SQL server.

Introducing LOGbinder SQL

SQL Server 2008 introduced a totally new audit logging facility, which is critical to enterprises storing sensitive information and/or processing important transactions in today’s demanding compliance environment. SQL Server Audit is flexible in terms of audit policy and comprehensive in relation to the breadth and depth of objects and actions that can be audited. However, the audit data generated by SQL Server needs additional refinement and processing before it can be relied up on as a usable audit trail and be managed by your existing log management/SIEM solution.

The audit records generated by SQL Server audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to giving a user ownership rights to a database. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events.

Our LOGbinder SQL agent enriches SQL Server’s cryptic and generic audit messages to produce easy-to-understand audit log events. Similar to LOGbinder SP, these events can be outputted to the Security log a custom Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze. Here is an example of an event:

Raw Audit Event from SQL Server

event_time:2010-09-16 12:35:30.0787755
sequence_number:1
action_id:APRL
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:54
server_principal_id:260
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:7
class_type:RL
session_server_principal_name: ACMESP\Administrator
server_principal_name: ACMESP\Administrator
server_principal_sid:0
database_principal_name: dbo
target_server_principal_name: ACMESP\Administrator
target_server_principal_sid: 0
target_database_principal_name: public
server_instance_name: SPDEV\SQL08ENT
database_name: AuditTest
schema_name:
object_name: MyAudit
statement: EXEC sp_addrolemember N'MyAudit', N'public'
additional_information:
file_name=c:\sql audits\AuditAll_12633920-
FB34-4FAA-8F96-E9F8FED158A9_0_ 129276798828120000.sqlaudit
audit_file_offset=1536

Same Event After LOGbinder SQL Processing

Event ID: 24020
Add member to database role succeeded
A principal was successfully added to a database role
Action Group: DATABASE_ROLE_MEMBER_CHANGE_GROUP
Occurred: 9/16/2010 12:35:30.0000000 PM
Session ID: 54
User: ACMESP\administrator
Server: SPDEV\SQL08ENT
Database: AuditTest
Member
Name: public
Domain name: n/a
Role
ID: 7
Name: MyAudit
Statement: EXEC sp_addrolemember N'MyAudit', N'public'

*Learn more about LOGbinder SQL and download the beta today! Click Here.

email this digg reddit
comments (0) references (0)
Related:
SuperCharger for Windows Event Forwarding and LOGbinder updates
Syslog TCP survey and the Public Beta Program
November 2014 LOGbinder Newsletter: Windows Event Collection and your SIEM; 2 Tech Tips for security analysts
Today we revolutionize using Windows Event Collection at scale

Comments disabled

powered by Bloget™
Login | Terms of Use | Privacy
LOGbinder is a division of Monterey Technology Group, Inc. ©2006-2024 All rights reserved.
For complaints please contact abuse@logbinder.com.