Former Member
Message 1 of 9

SIEM Integration with MS SQL?

Hi,

Our client has a SIEM (Nitro/McAfee) and wants to pull the data directly from our MS SQL server database. We have a few tables where different values are collected, and combining these tables gives some useful information that should be forwarded to the SIEM. Here are my questions:

1. Can the SIEM actually pull the data from an MS SQL database table directly by using some custom query, or maybe run some stored procedure? How does it actually work when we want to pull the data periodically?

2. Can the SIEM pull the data from the MS SQL server database using an agent, or without it?

Thanks.

8 Replies
Former Member
Message 2 of 9

Re: SIEM Integration with MS SQL?

Hi,

I have done the normal SQL logs pull. For specific logs to be fetched from the DB, if you haven't already, to my knowledge I believe you have to install the McAfee SQL plugin, where you have to write the query to fetch these logs and send them to the Receiver, and at the Receiver end you have to write a custom parser.

Hope this helps you.

-Sai

Former Member
Message 3 of 9

Re: SIEM Integration with MS SQL?

Hi

We do this for a few of our custom MS SQL databases. The easiest way we have managed to get this working is to use the SIEM Agent on the server and then create the relevant XML file with the table mappings and the data we want to pull from the DB.

It works very well and we have had great success with this.

Mike

Former Member
Message 4 of 9

Re: SIEM Integration with MS SQL?

Hi Mike,

Can you please tell me how you've configured the Agent to send the logs (via Syslog or MEF)?

I've installed the Windows collector on a test DB server, I've made the XML config with the table mappings, selected the Syslog method there, and then I've added the host in the SIEM collector:

In the Receiver configuration, I've added a Data Source, type ASP with log "unknown syslog" event selected:

I'm not receiving any events from this source. I did a tcpdump on the ESM/Receiver, and from my IP (x.x.23.21) I'm seeing some packets, but on port 8081 (MEF), not on 514 (Syslog) as expected.

Am I missing something?

P.S. In the collector's debug logs I can see only this line every time I restart the service:

"<131>1 May 4 14:32:46 localhost AgentLogger: ERROR 0 AgentLogger DeInitializing LPC"

Update:

I can see in the debug logs that the agent is trying to connect to the Receiver, and after several tries it gives an error message:

<132>1 May 4 15:44:05 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

<132>1 May 4 15:44:15 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

<132>1 May 4 15:44:26 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

<132>1 May 4 15:44:36 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

<132>1 May 4 15:44:47 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

<131>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: ERROR 1 Start Failed to process events; receiver communication timeout reached, sleeping for 2 minutes; Pausing plugin.

<135>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: DEBUG 1 End connection: 1

<135>1 May 4 15:44:47 localhost McAfeeEventCollector: DEBUG 0 ReleaseConnection Releasing connection: 1

<135>1 May 4 15:44:47 localhost McAfeeEventCollector: DEBUG 0 ReleaseConnection Active: 0

<134>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: INFO 1 _pausePlugin Plugin pausing

Thanks,

Ovidiu

Former Member
Message 5 of 9

Re: SIEM Integration with MS SQL?

In ESM you would configure the Data Source Retrieval method to MEF. Make sure the "Use encryption" settings are the same on the ESM Data Source and on the Windows SIEM Agent.

This is what I use and it all works perfectly well for me.

Former Member
Message 6 of 9

Re: SIEM Integration with MS SQL?

Hi,

I've configured the Retrieval method as MEF, and then tried with and without encryption, but still no events reach the ESM.

Now from the debug logs on the collector I see that the logs are being sent, so something is not OK with the Data Source config on the Receiver.

"

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 _write Received channel id: 1 for host: sql

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Successfully transmitted 1 event(s).

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Successfully transmitted 2 event(s).

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 PopulateSyslogEvent No Records to process

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Transmitted 2 event(s).

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 End connection: 1

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 ReleaseConnection Releasing connection: 1

<135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 ReleaseConnection Active: 0

<134>1 May 5 08:34:06 sql McAfeeEventCollector: INFO 1 _pausePlugin Plugin pausing

"


Thanks,

Ovidiu

Former Member
Message 7 of 9

Re: SIEM Integration with MS SQL?

Hi,

About Mike's (poezie) solution: how should the data source on the SIEM be configured, and what should the configuration on the MS SQL side be?


In the event that an MS SQL server has multiple instances on the same IP, must each instance be entered as a separate data source?

I didn't find a solution in McAfee's documentation.

Thank you

Luca

Re: SIEM Integration with MS SQL?

Hello Poezie,

Could you please let me know which tool you used to create the XML file, and how the bookmark condition was used in it to fetch the incremental logs at every iteration of the McAfee SIEM collector's polling of the custom MSSQL database?

It would be great if you guide me through this. Thanks in advance.

Regards,

Rajan Naik
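The incremental "bookmark" polling asked about above, as an added example that is not from the thread or from McAfee's agent (whose XML format is not shown here): sqlite3 stands in for the MS SQL table, and the table and column names (audit_events, event_id, event_time, message) are assumptions. The point it shows is that a bookmark on the (time, id) pair, rather than time alone, survives rows that share a timestamp and batches cut mid-second.

```python
import sqlite3

# Constructed sample data standing in for the client's MS SQL table.
# Table and column names are assumptions; the real schema and the
# McAfee agent's XML mapping are not shown in the thread.
SAMPLE_ROWS = [
    (1, "2015-05-05 08:30:00", "login ok user=alice"),
    (2, "2015-05-05 08:30:00", "login failed user=bob"),  # same second as row 1
    (3, "2015-05-05 08:31:00", "login ok user=carol"),
]

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the database the collector polls."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_events ("
        "event_id INTEGER PRIMARY KEY, event_time TEXT NOT NULL, message TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO audit_events VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def poll_new_rows(conn, bookmark, batch_size=100):
    """One polling iteration. bookmark is (event_time, event_id) of the last
    row already forwarded; the collector persists it between runs. Comparing
    on the (time, id) pair means rows sharing a timestamp are neither skipped
    nor re-sent. Returns (rows, new_bookmark); the bookmark is unchanged when
    nothing new was found."""
    last_time, last_id = bookmark
    cur = conn.execute(
        "SELECT event_id, event_time, message FROM audit_events "
        "WHERE event_time > ? OR (event_time = ? AND event_id > ?) "
        "ORDER BY event_time, event_id LIMIT ?",
        (last_time, last_time, last_id, batch_size),
    )
    rows = cur.fetchall()
    if rows:
        bookmark = (rows[-1][1], rows[-1][0])  # advance to the last row sent
    return rows, bookmark

def to_syslog(row, hostname="sql"):
    """Render a row as an RFC 5424-style line. PRI 134 = local0 (16*8) + info (6),
    the same PRI as the INFO lines the collector itself logs in the thread."""
    event_id, event_time, message = row
    return f"<134>1 {event_time} {hostname} CustomDB: {event_id} {message}"

if __name__ == "__main__":
    db = make_db()
    rows, bm = poll_new_rows(db, ("", 0), batch_size=2)  # first run: empty bookmark
    rows2, bm = poll_new_rows(db, bm)                    # next run resumes at row 3
    print("\n".join(to_syslog(r) for r in rows + rows2))
```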

srdagala
Message 9 of 9

Re: SIEM Integration with MS SQL?

Hi,

I am new to SQL Server and DB integration tasks.

At my client, there is a dedicated SQL Server connecting to DB instances running on different servers.

I need your help in knowing the prerequisites to arrange, the type of agents to install on the SQL Server, and how to integrate both the SQL Server and the DB instances with the SIEM.

Please advise me with detailed steps, and the type of events to be monitored at the DB and SQL end.

Will there be any performance issues with SQL and DB operation after integration with the SIEM?

I highly appreciate your help; please give feedback as soon as you can.
