5 Replies Latest reply on Apr 3, 2014 8:24 AM by docdriza

    ESM and Threat Management Gateway Date Source

    docdriza

      I am trying to add my Threat Management Gateway as a data source. I have the logging configured on the TMG, but I am not sure how to figure out what the database name and the instance names are. For the credentials, I'm not sure where to go to get the credentials to log into the SQL Express database. Currently we are not sending our logs to a remote SQL server. Is there something I am missing? I looked through some of the other discussions that talked about the TMG, but they didn't help me.

       

      Thanks in advance.

        • 1. Re: ESM and Threat Management Gateway Date Source
          hainesr

          Attempting to get some attention on this question, we are in exactly the same situation here. Our SQL Express database only has one account accessing it, a local service account with a system-generated password that is unknown to us. The people administering our TMG are telling us that they are unable to create an account on the database for the purpose of SIEM access.

           

          Please help, thanks!

          • 2. Re: ESM and Threat Management Gateway Date Source
            docdriza

            I am currently working with Microsoft to better understand how to get access to the SQL Express database. So far they are saying that all that is needed is a user that has Admin access to the box and it should work. It is not working for us, so I am seeing if there is another way to test connections to the SQL Express database besides the test connection within ESM.

            • 3. Re: ESM and Threat Management Gateway Date Source
              docdriza

              I was able to talk to Microsoft, and came to a solution.

               

              If someone is trying to connect via a SQL Express database, they must use the database instance. The instance name is <SERVERNAME>\MSFW. Any user that has access to this system should have access to the database instance. The gotcha is on the TMG. If there isn't one, you will have to create a rule on the TMG to allow a connection over 1433 to the local host from the receiver.

               

              To test this, take these steps:

              1. Log onto the TMG

              2. Create a Client IP filter rule for your receiver.

              3. Start the query

              4. From the ESM console, click connect to test the connection.

              5. From the TMG console, you should see either denied or allowed traffic.

               

              Hope this helps you too hainesr.
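
A way to test the connection outside ESM, as asked in reply 2 and using the instance name and port from reply 3. This is an added example, not part of the original posts and not McAfee or Microsoft code. It assumes Windows PowerShell on a domain-joined workstation that the TMG rule also allows on 1433, and `<SERVERNAME>` is the placeholder from the post:

```powershell
# Added example. <SERVERNAME> is a placeholder; MSFW and 1433 come from the thread.
$Server   = '<SERVERNAME>'
$Instance = 'MSFW'
$Port     = 1433

# Stage 1: is TCP 1433 reachable at all? A timeout here points at the TMG
# access rule rather than at SQL credentials.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $pending = $tcp.BeginConnect($Server, $Port, $null, $null)
    if (-not $pending.AsyncWaitHandle.WaitOne(5000)) {
        throw "No answer on TCP $Port within 5 s (check the TMG access rule)."
    }
    $tcp.EndConnect($pending)
    Write-Output "TCP $Port on $Server is reachable."
}
finally {
    $tcp.Close()
}

# Stage 2: log in with the current Windows account (integrated authentication)
# and list the databases the account can see, which also answers the
# "what is the database name" question. Because the port is given explicitly,
# the client connects to it directly and does not need the SQL Browser service.
$connString = "Data Source=$Server\$Instance,$Port;Integrated Security=SSPI;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT name FROM sys.databases ORDER BY name'
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        Write-Output ("database: " + $reader.GetString(0))
    }
    $reader.Close()
}
catch {
    # A failure here, after stage 1 succeeded, is a login or permission problem.
    Write-Output "SQL login or query failed: $($_.Exception.Message)"
}
finally {
    $conn.Close()
}
```

A pass at stage 1 followed by a failure at stage 2 separates a firewall problem from an account problem, and the attempt should show up as allowed or denied traffic in the TMG console either way.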

              • 4. Re: ESM and Threat Management Gateway Date Source
                hainesr

                We will give it a try, thanks. One quick question - on our end the people configuring our TMG are having trouble setting up additional users on the TMG itself. For the account the Receiver is going to use - did you create it as a local or domain account?

                • 5. Re: ESM and Threat Management Gateway Date Source
                  docdriza

                  I just used my account credentials. So to answer your question, we are using a domain account. I'm sure using my credentials is a temporary thing.