I have received logs from SQL Windows database, database level only:
SPLUNK received failed login logs a the following:
Login failed for user 'DZIT\trendmicrosrv'. Reason: Failed to open the explicitly specified database 'dsm'. [CLIENT: 10.0.20.135]
That is good.
But when you select action=success appear the following logs:
2019-01-30 11:55:29.803, event_time="2019-01-30 11:55:29.8035450", sequence_number="1", action_id="LGIS", succeeded="1", is_column_permission="0", session_id="89", server_principal_id="276", database_principal_id="0", target_server_principal_id="0", target_database_principal_id="0", object_id="0", class_type="LX", session_server_principal_name="DZIT\EPM_SP_Farm", server_principal_name="DZIT\EPM_SP_Farm", server_instance_name="TSTEPMSQL1", statement="-- network protocol: TCP/IP
set quoted_identifier on
set arithabort off
set numeric_roundabort off
set ansi_warnings on
set ansi_padding on
set ansi_nulls on
set concat_null_yields_null on
set cursor_close_on_commit off
set implicit_transactions off
set language us_english
set dateformat mdy
set datefirst 7
set transaction isolation level read committed
", additional_information="10x280000200x0001f4380x00000000800010.0.20.1180", file_name="D:\SQLAudit\MSSQL_Server_Audit_E248BC47-025B-474D-A5DE-BA9B35F9688A_0_131933227882110000.sqlaudit", audit_file_offset="1807360", user_defined_event_id="0", audit_schema_version="1", transaction_id="0"
These logs is not clear, why this logs appear in this way I need to be clear such as Login successfully ....etc
I know this case not at the splunk team but at SQL team but I need your support in that.
Thank you;
... View more