6 Replies. Latest reply: Mar 24, 2014 10:30 AM by mcafeecolby

    How to configure SQL 2005 & 2008 as a data source

    haroot

      Hello All,

      I am trying to configure SQL 2005/2008 with McAfee Receiver as a Data Source. I went through the steps as mentioned under Help Contents, but unfortunately the configuration steps are outdated and not relevant either to 2005 or to 2008.

      My main requirement here is to configure the SQL DBs with SIEM (Receiver), and to start with I am looking only at the authentication and the admin activity events from both SQL 2005 and 2008. With respect to SQL 2008 I was able to find the configuration on the Microsoft site, and after enabling the auditing on SQL 2008 (in this case the SQL events are getting logged under Windows Application Logs, and the Data Source on the Receiver has been configured as Windows --> WMI Event Log) I started receiving the failed login events, but I am unable to receive the Login Success Events from the database even though I can see these events being logged under Windows Application Event Logs. The DB guy also tried to create and delete a table to generate certain events, but unfortunately even these aren't being shown on the Event Summary Dashboard, although I can see the event log being generated under Windows Application Log. I couldn't find anything helpful for SQL 2005, as I have only worked occasionally on the database side.

      Has anyone integrated/configured SQL with McAfee Receiver? Kindly share the steps.

      Haroot
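The following T-SQL is an added example, not code from this thread or from McAfee. It shows the two server-side audit settings the question is about: a SQL Server 2008 Server Audit that writes successful logins, failed logins and admin/DDL activity to the Windows Application log (Server Audit is an Enterprise/Developer-edition feature in 2008), and, for SQL 2005 or editions without Server Audit, the login-auditing level that writes login success and failure events to the same log. The audit and specification names (SIEM_Audit, SIEM_Audit_Spec) and the QUEUE_DELAY value are my own choices.

```sql
-- Added example (not from the thread or McAfee): route SQL Server login and
-- admin-activity events to the Windows Application log, where a Windows/WMI
-- event-log data source can pick them up.
USE master;
GO

-- 1. The audit object only defines the destination. APPLICATION_LOG entries
--    appear under source MSSQLSERVER (or MSSQL$<instance>) with event ID 33205.
CREATE SERVER AUDIT SIEM_Audit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. The specification selects what is recorded: both login outcomes plus the
--    server-level admin changes (logins, role membership, DDL such as
--    CREATE/DROP TABLE in any database).
CREATE SERVER AUDIT SPECIFICATION SIEM_Audit_Spec
    FOR SERVER AUDIT SIEM_Audit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Enable the audit last; CREATE SERVER AUDIT leaves it in the OFF state.
ALTER SERVER AUDIT SIEM_Audit WITH (STATE = ON);
GO

-- 4. Verify on the database side before looking at the SIEM:
--    is_state_enabled should be 1 and status_desc should be STARTED.
SELECT a.name, a.is_state_enabled, s.status_desc
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;
GO

-- SQL Server 2005 (or a 2008 edition without Server Audit): enable login
-- auditing instead. AuditLevel 3 = log successful AND failed logins; they
-- reach the Application log as event ID 18454 (success) and 18456 (failure)
-- once the SQL Server service has been restarted.
EXEC xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', REG_DWORD, 3;
GO
```

Confirm in Event Viewer that a test login and a test CREATE TABLE produce entries with the expected source and event IDs before tuning the data source: the collector can only parse what its rules recognise, so an event present in the Application log but absent from the Event Summary points at the parser mapping rather than at SQL Server.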

        • 1. Re: How to configure SQL 2005 & 2008 as a data source
          feeeds

          I am struggling with this as well. I have a ticket open with support. Seems they are saying to have SQL push the events into the application log. I am looking at the Windows agent now to see if that will be the solution for SQL and IIS logs.

          • 2. Re: How to configure SQL 2005 & 2008 as a data source
            haroot

            Hi feeeds,

            The procedure that you have mentioned works well with SQL 2008, where it's easy to push the SQL logs, but the same procedure doesn't work for SQL 2005. With regards to IIS, you can use the Windows agent or you can configure it using FTP as the data retrieval option.

            Please keep me posted on the ticket progress, as that might be helpful for my scenario as well.

            • 3. Re: How to configure SQL 2005 & 2008 as a data source
              feeeds

              Not having much luck with the McAfee Windows event collector. The agent is set up and sending (packet capture shows the Receiver is getting them), but nothing shows up in ESM. I have tried several variations of data source properties, but nada. Not sure if Vendor should be MS or McAfee. I have a ticket open, but they only respond about every other day.

              • 4. Re: How to configure SQL 2005 & 2008 as a data source
                haroot

                Hi feeeds,

                Have you installed the Windows agent on the same machine as your SQL database? If not, then you can try one more combination: try to create two data sources, one for the Windows Agent and another one for SQL.

                In my opinion the vendor should be Microsoft in both cases.

                Haroot

                • 5. Re: How to configure SQL 2005 & 2008 as a data source
                  vishnummv

                  Hi Haroot,

                  The steps below will help you.

                  I have tried this with Microsoft Threat Management Gateway (TMG) server as a data source.

                  Find below the steps to enable the same so that we can get the logs from Microsoft TMG to McAfee ESM - SIEM.

                  Accessing Microsoft Forefront TMG's Log Files (SQL Express)

                  If you need to analyse and report on Microsoft Forefront Threat Management Gateway log files, the most common stumbling block is enabling access to the default SQL Express databases that contain the firewall and web proxy log files. The log databases are stored in an SQL Express instance named MSFW.

                  Enable TCP access to the MSFW instance

                  To do this:

                  1. Log into your Forefront TMG server using administrator credentials.
                  2. Select Start | All Programs | Microsoft SQL Server 2008 | Configuration Tools | SQL Server Configuration Manager.
                  3. Expand SQL Server Network Configuration and select Protocols for MSFW.
                  4. Right-click TCP/IP and select Enable.
                  5. Click OK on the Warning dialog informing you that "changes will not take effect until the service is stopped and restarted."

                   

                  Enabling TCP/IP on the MSFW instance

                   

                  Set the listening port on the MSFW instance

                  Once TCP/IP is enabled on the MSFW instance, you need to set it to listen on port 1433.

                  1. Select Protocols for MSFW under SQL Server Network Configuration.
                  2. Right-click TCP/IP and select Properties.
                  3. Click the IP Addresses tab and scroll to the IPAll section at the bottom of the list.
                  4. Change the TCP Port to 1433 and ensure nothing is entered in TCP Dynamic Ports (delete the '0' value if present). Click OK and click OK on the Warning dialog.

                   

                  Setting the Port on the MSFW instance

                   

                  Change the listening port on the ISARS instance

                  The ISARS SQL instance also listens on port 1433 and this can cause connection issues. Change this instance to use port 1434:

                  1. Still in SQL Server Configuration Manager, select Protocols for ISARS under SQL Server Network Configuration.
                  2. Right-click TCP/IP and select Properties.
                  3. Click the IP Addresses tab and scroll to the IPAll section at the bottom of the list.
                  4. Change the TCP Port to 1434 and ensure nothing is entered in TCP Dynamic Ports. Click OK and click OK on the Warning dialog.

                   

                  Changing the port on the ISARS instance

                   

                  Restart the Services

                  For the above changes to take effect, you need to restart the SQL Server (ISARS) and then the SQL Server (MSFW) services, in that order.

                  1. Go to Start | Administrative Tools | Services.
                  2. Right-click the SQL Server (ISARS) service and select Restart.
                  3. Right-click the SQL Server (MSFW) service and select Restart.

                   

                  Test the connection from the McAfee ESM - SIEM machine

                  You should now be able to connect to the MSFW databases from a remote computer. To test the connection, we recommend that you telnet to port 1433, or whatever port you assigned, from the McAfee ESM - SIEM SSH session, preferably via PuTTY. As long as you are logged into Windows with a user account that is a local administrator on the TMG server, you should be able to connect without issue.

                  • 6. Re: How to configure SQL 2005 & 2008 as a data source
                    mcafeecolby

                    Were you able to add a SQL server as a data source? I've placed several security logs into a SQL database and want to pull them now as a single data source. Unfortunately, there is no generic SQL parser setup. I do not want to use the agent. Since some of the out-of-the-box parsers do a SQL pull, shouldn't it be possible to leverage one and tweak the rules accordingly?