I am working on Graylog being used as a SIEM platform. I am almost done with Windows, Linux, Cisco routers, Fortinet firewalls & CheckPoint firewalls.
However, my main concern is ingesting logs from database servers, or logs which are stored in databases. For example, McAfee ePO logs which are stored in a database, or SQL Server logs: can they be ingested in Graylog?
Has anyone ever done this use-case?
You can set up SQL auditing to write to the application or security log. Nxlog can then pick them up. In the other post, the person had trouble writing to the security log. The issue was probably due to permissions problems. See https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-2017 and https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-2017.
Writing to the application and security logs is actually pretty easy. The hardest problem I have is trying to extract the information out of the full_message field. For example, I want to create a new field to store the SQL query. I tried grok patterns and normal expressions, but am still struggling. This is not my forte.
Here is the full_message I want to separate into separate fields.
statement:SELECT LastName FROM Clients
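SQL Server audit events written to the Windows log arrive as multi-line `key:value` text, and the `statement:` value can itself span several lines, which is what trips up a single-line grok pattern. The following parser is an added example, not code from this thread; the audit message is a constructed sample, and the `WHERE` continuation line is assumed to show the multi-line case.

```python
import re
from typing import Dict, Optional

# Constructed sample of a SQL Server audit event as it lands in the Windows
# Application/Security log and therefore in Graylog's full_message field.
SAMPLE_FULL_MESSAGE = """\
action_id:SL
class_type:U
server_principal_name:CONTOSO\\appuser
database_name:CRM
object_name:Clients
statement:SELECT LastName FROM Clients
WHERE Region = 'West'
additional_information:"""

# A key is a lowercase identifier at the start of a line followed by ':'.
# The value runs lazily up to the next key line (or end of text), so a
# statement that continues on following lines stays in one field.
# Caveat: a statement line that itself starts with "word:" would be split.
KV_RE = re.compile(
    r"^(?P<key>[a-z_]+):(?P<value>.*?)(?=^[a-z_]+:|\Z)",
    re.MULTILINE | re.DOTALL,
)


def parse_audit_message(full_message: str) -> Dict[str, str]:
    """Split an audit event into a dict of its key:value fields."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(full_message):
        fields[m.group("key")] = m.group("value").strip()
    return fields


def extract_statement(full_message: str) -> Optional[str]:
    """Return only the SQL text, or None if the message has no statement."""
    return parse_audit_message(full_message).get("statement")


if __name__ == "__main__":
    for key, value in parse_audit_message(SAMPLE_FULL_MESSAGE).items():
        print(f"{key} = {value!r}")
```

The same `^([a-z_]+):` anchoring can be reused in a Graylog regex extractor or pipeline rule to populate a dedicated `sql_statement` field instead of searching `full_message`.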
I tried setting up nxlog for reading logs from a SQL table, but in the end ended up setting up logstash with jdbc input plugin and gelf output plugin. Works fine.
Thanks for the ideas folks!!