1267 Views 6 Replies Latest reply: Mar 24, 2014 10:30 AM by mcafeecolby RSS
haroot Newcomer 27 posts since
Sep 16, 2012

Jan 21, 2013 10:36 AM

How to configure SQL 2005 & 2008 as a data source

Hello All,

 

I am trying to configure SQL 2005/2008 with McAfee Receiver as a Data Source. I went through the steps as mentioned under Help Contents, but unfortunately the configuration steps are outdated and not relevant either to 2005 or to 2008.

 

My main requirement here is to configure the SQL DBs with SIEM (receiver), and to start with I am looking only at the authentication and the admin activity events from both SQL 2005 & 2008. With respect to SQL 2008, I was able to find the configuration on the Microsoft site, and after enabling the auditing on SQL 2008 (in this case the SQL events are getting logged under Windows Application Logs and the Data Source on the receiver has been configured as Windows --> WMI Event log), I started receiving the failed login events, but I am unable to receive the Login Success Events from the database even though I can see these events being logged under Windows Application Event Logs. The DB guy also tried to create and delete a Table to generate certain events, but unfortunately even these aren't being shown on the Event Summary Dashboard, but I can see the event log being generated under Windows Application Log. I couldn't find anything helpful for SQL 2005 as I have worked occasionally on the database side.

 

Has anyone integrated/configured SQL with McAfee Receiver? Kindly share the steps.

 

 

Haroot
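
One way to generate the authentication and admin-activity events described in the post above on SQL Server 2008 and write them to the Windows Application log, shown as an added example that is not part of the original thread. The audit and specification names are hypothetical, and it assumes an edition that supports SQL Server Audit (the feature does not exist in SQL Server 2005).

```sql
-- Added example. Siem_AppLog_Audit and Siem_Server_Spec are hypothetical names.
USE master;
GO

-- 1. Audit target: the Windows Application log, which the receiver's
--    Windows/WMI data source already collects.
CREATE SERVER AUDIT Siem_AppLog_Audit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. Server-level specification: logins plus administrative changes.
CREATE SERVER AUDIT SPECIFICATION Siem_Server_Spec
FOR SERVER AUDIT Siem_AppLog_Audit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- e.g. sysadmin membership
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created/altered/dropped
    ADD (SERVER_PERMISSION_CHANGE_GROUP),   -- GRANT/DENY/REVOKE at server scope
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),       -- CREATE/ALTER/DROP TABLE and similar
    ADD (AUDIT_CHANGE_GROUP);               -- changes to the audit itself
GO

-- 3. Enable the audit first, then the specification bound to it.
ALTER SERVER AUDIT Siem_AppLog_Audit WITH (STATE = ON);
GO
ALTER SERVER AUDIT SPECIFICATION Siem_Server_Spec WITH (STATE = ON);
GO

-- 4. Verify that the audit is running and which action groups it records.
SELECT a.name, a.type_desc, a.is_state_enabled, s.status_desc
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
       ON s.audit_id = a.audit_id;

SELECT sp.name AS specification, sp.is_state_enabled,
       d.audit_action_name, d.audited_result
FROM sys.server_audit_specifications AS sp
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = sp.server_specification_id
ORDER BY d.audit_action_name;
```

Records written by this audit appear in the Application log as event ID 33205, which is distinct from events 18453, 18454 and 18456 written by the server's "Login auditing" property.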

  • feeeds The Place at McAfee Member 102 posts since
    Apr 26, 2011
    1. Jan 25, 2013 10:10 AM (in response to haroot)
    Re: How to configure SQL 2005 & 2008 as a data source

    I am struggling with this as well. I have a ticket open with support. Seems they are saying to have SQL push the events into the application log. I am looking at the Windows agent now to see if that will be the solution for SQL and IIS logs.

  • feeeds The Place at McAfee Member 102 posts since
    Apr 26, 2011
    3. Jan 30, 2013 2:18 PM (in response to haroot)
    Re: How to configure SQL 2005 & 2008 as a data source

    Not having much luck with the McAfee Windows event collector. The agent is set up and sending (packet capture shows the receiver is getting them), but nothing shows up in ESM. I have tried several variations of data source properties, but nada. Not sure if Vendor should be MS or McAfee. I have a ticket open, but they only respond about every other day.

  • vishnummv Newcomer 6 posts since
    Jun 2, 2011
    5. Feb 5, 2014 9:05 PM (in response to haroot)
    Re: How to configure SQL 2005 & 2008 as a data source

    Hi Haroot,

    The below steps will help you.

    I have tried this for Microsoft Threat Management Server as datasource.

    Find the below steps to enable the same so that we can get the logs from Microsoft TMG to McAfee ESM - SIEM.

    Accessing Microsoft Forefront TMG's Log Files (SQL Express)

    If you need to analyse and report on Microsoft Forefront Threat Management Gateway log files, the most common stumbling block is enabling access to the default SQL Express databases that contain the firewall and web proxy log files. The log databases are stored in an SQL Express instance named MSFW.

    Enable TCP access to the MSFW instance

    To do this:

    1. Log into your Forefront TMG server using administrator credentials.
    2. Select Start | All Programs | Microsoft SQL Server 2008 | Configuration Tools | SQL Server Configuration Manager.
    3. Expand SQL Server Network Configuration and select Protocols for MSFW.
    4. Right-click TCP/IP and select Enable.
    5. Click OK on the Warning dialog informing you that “changes will not take effect until the service is stopped and restarted.”

     

    Enabling TCP/IP on the MSFW instance

     

    Set the listening port on the MSFW instance

    Once TCP/IP is enabled on the MSFW instance, you need to set it to listen on port 1433.

    1. Select Protocols for MSFW under SQL Server Network Configuration.
    2. Right-click TCP/IP and select Properties.
    3. Click the IP Addresses tab and scroll to the IPAll section at the bottom of the list.
    4. Change the TCP Port to 1433 and ensure nothing is entered in TCP Dynamic Ports (delete the '0' value if present). Click OK and click OK on the Warning dialog.

     

    Setting the Port on the MSFW instance

     

    Change the listening port on the ISARS instance

    The ISARS SQL instance also listens on port 1433 and this can cause connection issues. Change this instance to use port 1434:

    1. Still in SQL Server Configuration Manager, select Protocols for ISARS under SQL Server Network Configuration.
    2. Right-click TCP/IP and select Properties.
    3. Click the IP Addresses tab and scroll to the IPAll section at the bottom of the list.
    4. Change the TCP Port to 1434 and ensure nothing is entered in TCP Dynamic Ports. Click OK and click OK on the Warning dialog.

     

    Changing the port on the ISARS instance

     

    Restart the services

    For the above changes to take effect, you need to restart the SQL Server (ISARS) and then the SQL Server (MSFW) services, in that order.

    1. Go to Start | Administrative Tools | Services.
    2. Right-click the SQL Server (ISARS) service and select Restart.
    3. Right-click the SQL Server (MSFW) service and select Restart.

     

    Test the connection from the McAfee ESM - SIEM machine

    You should now be able to connect to the MSFW databases from a remote computer. To test the connection, we recommend that you telnet to port 1433, or whatever port you assigned, from the McAfee ESM – SIEM ssh session, preferably via PuTTY. As long as you are logged into Windows with a user account that is a local administrator on the TMG server, you should be able to connect without issue.

  • mcafeecolby Newcomer 10 posts since
    Sep 18, 2013
    6. Mar 24, 2014 10:30 AM (in response to haroot)
    Re: How to configure SQL 2005 & 2008 as a data source

    Were you able to add a SQL server as a data source? I've placed several security logs into a SQL database and want to pull them now as a single data source. Unfortunately, there is no generic SQL parser setup. I do not want to use the agent. Since some of the out-of-the-box parsers do a SQL pull, shouldn't it be possible to leverage one and tweak the rules accordingly?
