SIEM use case for Databases logs


(Blason) #1

Hi Team,

I am working on Graylog being used as a SIEM platform. I am almost done with Windows, Linux, Cisco routers, Fortinet firewalls & CheckPoint firewalls.

However, my main concern is ingesting logs from database servers, or logs which are stored in databases. For example, McAfee EPO logs which are stored in a database, or SQL Server logs: can they be ingested in Graylog?

Has anyone ever done this use-case?

TIA
Blason R


(Megan) #2

This might help: MS SQL Server Audit Log, how to integrate with Graylog (the second comment specifically).


(Beth) #3

You can set up SQL auditing to write to the application or security log. Nxlog can then pick them up. In the other post, the person had trouble writing to the security log. The issue was probably due to permissions problems. See https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-2017 and https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-2017.

Writing to the application and security logs is actually pretty easy. The hardest problem I have is trying to extract the information out of the full_message field. For example, I want to create a new field to store the SQL query. I tried grok patterns and regular expressions, but am still struggling. This is not my forte.

Here is the full_message I want to separate into separate fields.

sequence_number:1
action_id:SL
succeeded:true
is_column_permission:true
session_id:58
server_principal_id:259
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:565577053
user_defined_event_id:0
transaction_id:2206596
class_type:U
permission_bitmask:00000000000000000000000000000001
sequence_group_id:1A13BF3F-7514-44B3-933E-1FDEC99A257F
session_server_principal_name:DOMAIN\username
server_principal_name:DOMAIN\username
server_principal_sid:010500000000000515000000ab2be9904788dc8456b5cd204d1c0700
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:YOURINSTANCE
database_name:yourdb
schema_name:dbo
object_name:Clients
statement:SELECT LastName FROM Clients
additional_information:
user_defined_information:
.

Beth
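The full_message above is one "key:value" pair per line, so the extraction is a line-by-line split on the first colon rather than one big grok pattern. The following is an added example (not code from the thread or from Graylog) that parses such a message into fields and also shows the single multiline regex a Graylog regex extractor could use for the statement field; the sample message is a constructed abbreviation of the one posted.

```python
"""Parse a SQL Server audit event's full_message (key:value lines) into fields."""
import re
from typing import Dict, Optional

# Constructed sample mirroring the shape of the full_message posted above.
SAMPLE_FULL_MESSAGE = """sequence_number:1
action_id:SL
succeeded:true
session_id:58
server_principal_name:DOMAIN\\username
database_name:yourdb
object_name:Clients
statement:SELECT LastName FROM Clients
additional_information:
user_defined_information:
."""

# Key is everything up to the FIRST colon; value is the rest of the line, so a
# statement that itself contains colons (string literals, times) stays intact.
FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):(.*)$")

# Same idea as a Graylog regex extractor: (?m) makes ^/$ match per line, and the
# first capture group is the value of the statement field.
STATEMENT_RE = re.compile(r"(?m)^statement:(.*)$")


def parse_audit_message(full_message: str) -> Dict[str, str]:
    """Return every key:value line as a field; empty values become ''."""
    fields: Dict[str, str] = {}
    for line in full_message.splitlines():
        m = FIELD_RE.match(line.rstrip("\r"))
        if not m:
            continue  # skips the trailing "." line and anything non key:value
        fields[m.group(1)] = m.group(2).strip()
    return fields


def extract_statement(full_message: str) -> Optional[str]:
    """Single-regex extraction of just the SQL statement (None if absent)."""
    m = STATEMENT_RE.search(full_message)
    return m.group(1).strip() if m else None


def typed_fields(fields: Dict[str, str]) -> Dict[str, object]:
    """Convert booleans and numeric *_id / *_number fields for easier searching."""
    out: Dict[str, object] = {}
    for key, value in fields.items():
        if value in ("true", "false"):
            out[key] = value == "true"
        elif (key.endswith("_id") or key.endswith("_number")) and value.isdigit():
            out[key] = int(value)
        else:
            out[key] = value
    return out
```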


#4

I tried setting up nxlog for reading logs from a SQL table, but in the end ended up setting up logstash with jdbc input plugin and gelf output plugin. Works fine.


(Blason) #5

Thanks for the ideas folks!!


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.