All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I CIM tag SQL server audit logs read by the DB Connect application?

gjanders
SplunkTrust
SplunkTrust
‎09-17-2016 03:10 PM

This is actually a question I already the answer for, I just want to use the question/answer style to ensure it complies to the way this forum is setup.

This is how I achieved the CIM compliance for the SQL server audit logs that were read in via the database using the DB Connect application for Splunk.

Please see the answer for the solution information, hopefully this will be available in a future version of the application.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎09-17-2016 03:13 PM

This is the props.conf I used to achieve CIM compliance:

props.conf
[mssql:audit]
LOOKUP-action = sqlserver_audit_actions_lookup action_id OUTPUT action_name
LOOKUP-classtype = sqlserver_audit_class_type_map_lookup class_type OUTPUT class_type_desc, securable_class_desc
FIELDALIAS-mssqlaudit = object_name AS object server_principal_name AS user source AS dest statement AS query
EVAL-action = if(action_id=="LGFL" OR action_id=="LGIF" OR action_id=="LGIS" OR action_id=="LGO" OR action_id=="LO" OR action_id=="LGSD",if(succeeded==1,"success","failure"),null())
EVAL-status = if(action_id!="LGFL" AND action_id!="LGIF" AND action_id!="LGIS" AND action_id!="LGO" AND action_id!="LO" AND action_id!="LGSD",if(succeeded==1,"success","failure"),null())

transforms.conf
[sqlserver_audit_actions_lookup]
filename = dm_audit_actions.csv

[sqlserver_audit_class_type_map_lookup]
filename = dm_audit_class_type_map.csv

These files consist of :
select class_type,class_type_desc,securable_class_desc from sys.dm_audit_class_type_map
and
select DISTINCT action_id,name from sys.dm_audit_actions

Note that I renamed the “name” column to action_name in the lookup file! I then dumped the results of the queries and the headers into the lookup file named mentioned in the transforms.conf files. This was to reduce the amount of data sent in by the SQL queries...

eventtypes.conf
[mssql_audit_log_auth]
search = sourcetype=mssql:audit action_id=="LGFL" OR action_id=="LGIF" OR action_id=="LGIS" OR action_id=="LGO" OR action_id=="LO" OR action_id=="LGSD"

[mssql_audit_log_change]
search = sourcetype=mssql:audit action_id!="LGFL" AND action_id!="LGIF" AND action_id!="LGIS" AND action_id!="LGO" AND action_id!="LO" AND action_id!="LGSD"

tags.conf
[eventtype=mssql_audit_log_auth]
authentication = enabled

[eventtype=mssql_audit_log_change]
change = enabled

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

Reply
Solved! Jump to solution

shadfa_splunk
Splunk Employee
Splunk Employee
‎09-17-2020 03:21 AM

Hi @gjanders,

We have started development for the upcoming release of MS SQL and part of this we are planning to include this request as well.

In order to verify the approach suggested and implement mapping for the same in add-on, we need sample events with the mentioned action_id. Can you please share the sample events for the above action_id mentioned? 

Thanks

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎09-17-2020 01:28 PM

Unfortunately I've since moved employers and don't have the logs handy anymore

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎09-18-2016 09:00 AM

Hi, it's not entirely clear to me what's going on here... Bug, story, or other?

Are you saying that the Splunk Add-on for Microsoft SQL Server didn't gather and tag the data from the audit log files per its intention at http://docs.splunk.com/Documentation/AddOns/released/MSSQLServer/Datatypes ?

Or are you providing an alternate approach to tag the audit data? Did you change the SQL statement? I've seen a lot of MS-SQL administrators provide a custom view of audit information instead of allowing direct audit log access, is that what you're dealing with?

What version of Microsoft SQL Server are we talking about?

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎09-18-2016 02:57 PM

The add on does not tag audit logs as per it's intention. Ingestion of the log themselves is relatively easy, however the props.conf, eventtypes.conf and tags.conf entries are non-existent for the audit data sourcetype!

The transforms.conf are optional, you can obtain the same information by using an inner join on the SQL query on MS SQL Server (which is a change to what the application provides) however a lookup makes more sense as you do not need to index a repetitive field.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎09-17-2016 03:13 PM

This is the props.conf I used to achieve CIM compliance:

props.conf
[mssql:audit]
LOOKUP-action = sqlserver_audit_actions_lookup action_id OUTPUT action_name
LOOKUP-classtype = sqlserver_audit_class_type_map_lookup class_type OUTPUT class_type_desc, securable_class_desc
FIELDALIAS-mssqlaudit = object_name AS object server_principal_name AS user source AS dest statement AS query
EVAL-action = if(action_id=="LGFL" OR action_id=="LGIF" OR action_id=="LGIS" OR action_id=="LGO" OR action_id=="LO" OR action_id=="LGSD",if(succeeded==1,"success","failure"),null())
EVAL-status = if(action_id!="LGFL" AND action_id!="LGIF" AND action_id!="LGIS" AND action_id!="LGO" AND action_id!="LO" AND action_id!="LGSD",if(succeeded==1,"success","failure"),null())

transforms.conf
[sqlserver_audit_actions_lookup]
filename = dm_audit_actions.csv

[sqlserver_audit_class_type_map_lookup]
filename = dm_audit_class_type_map.csv

These files consist of :
select class_type,class_type_desc,securable_class_desc from sys.dm_audit_class_type_map
and
select DISTINCT action_id,name from sys.dm_audit_actions

Note that I renamed the “name” column to action_name in the lookup file! I then dumped the results of the queries and the headers into the lookup file named mentioned in the transforms.conf files. This was to reduce the amount of data sent in by the SQL queries...

eventtypes.conf
[mssql_audit_log_auth]
search = sourcetype=mssql:audit action_id=="LGFL" OR action_id=="LGIF" OR action_id=="LGIS" OR action_id=="LGO" OR action_id=="LO" OR action_id=="LGSD"

[mssql_audit_log_change]
search = sourcetype=mssql:audit action_id!="LGFL" AND action_id!="LGIF" AND action_id!="LGIS" AND action_id!="LGO" AND action_id!="LO" AND action_id!="LGSD"

tags.conf
[eventtype=mssql_audit_log_auth]
authentication = enabled

[eventtype=mssql_audit_log_change]
change = enabled

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...