SQL Server audit .trc pipe to Arcsight

  • Hi All,
    I just inherited a system where Arcsight is involved. Does anybody have any experience to help me understand what is going on between SQL Server and Arcsight?
    - Is there anything that needs to be done on the SQL Server end? Do I need to enable audits using the SQL Server audit features, and write them to either the security log or the application log? I assume these are the Windows event logs.

    - What is involved in configuring Arcsight to collect and filter these logs into readable reports?

    Please advise further.

  • If you've configured successful or failed logins monitoring for the SQL Server, the information will be written in the SQL Server logs as well as the OS' Application event log. There are specific event IDs for those login attempts. Arcsight can pick up on those.

    What else do you need to audit and get into the SIEM?

    K. Brian Kelley
    @kbriankelley

  • K. Brian Kelley - Friday, January 20, 2017 7:35 AM

    If you've configured successful or failed logins monitoring for the SQL Server, the information will be written in the SQL Server logs as well as the OS' Application event log. There are specific event IDs for those login attempts. Arcsight can pick up on those.

    What else do you need to audit and get into the SIEM?

    From what I see, there are some stored procedures created in the instances that also capture activities like DDL and auditing of the higher privileges, like with sysadmin.
    So those are not written to the OS application logs? And need to be configured in Arcsight? Is SIEM Arcsight? I need to understand what is happening in between SQL Server and Arcsight.

    So I need to tell Arcsight to collect those extra DDL auditing trc files and then configure some sort of filter in Arcsight and then generate a report?
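The thread mentions three places SQL Server audit data can end up: login auditing (error log and Application event log), SQL Server Audit objects, and .trc trace files. The T-SQL below is an added example, not part of any post in this thread, that inventories all three on an instance so you know what a SIEM collector would have to read. It assumes a sysadmin-level login; `xp_instance_regread` and `xp_readerrorlog` are undocumented extended procedures.

```sql
-- 1. Login auditing level (Server Properties > Security in SSMS).
--    Drives the login entries in the SQL Server error log and the
--    Windows Application event log.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @AuditLevel OUTPUT;

SELECT @AuditLevel AS AuditLevel,
       CASE @AuditLevel
            WHEN 0 THEN 'None'
            WHEN 1 THEN 'Successful logins only'
            WHEN 2 THEN 'Failed logins only'
            WHEN 3 THEN 'Both failed and successful logins'
            ELSE 'Unknown'
       END AS LoginAuditing;

-- 2. Confirm entries are actually being written: search the current
--    error log (log 0, type 1 = SQL Server) for failed logins.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 3. SQL Server Audit objects and their targets.
--    type_desc shows FILE, APPLICATION LOG or SECURITY LOG.
SELECT name,
       type_desc       AS AuditTarget,
       is_state_enabled
FROM sys.server_audits;

-- 4. Server-side traces, including any custom DDL/sysadmin traces
--    started by stored procedures. path is the .trc file location;
--    status 1 = running, 0 = stopped.
SELECT id,
       path,
       is_default,
       status
FROM sys.traces;
```

Audits with a FILE target and .trc trace files do not appear in the Windows event logs, so they need their own collection path in the SIEM.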
