7 Replies Latest reply on Apr 23, 2014 10:20 AM by mcafeecolby

    Pulling from a SQL database

    mcafeecolby

      Without using an agent, is there ANY way to pull data from a SQL database? There are many out of the box parsers that pull from SQL. Can I do my own SQL pull?

        • 1. Re: Pulling from a SQL database
          mlev462251

          None that I'm aware of.

          If you don't want/can't use Windows Event Collector, you could poll the db and redirect that to a file. Feed the file to SIEM via NFS/CIFS/Syslog/... afterwards.

          If there is a better solution to this problem I'd like to know about it, too.
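One way to realise the poll-the-db-and-redirect-to-a-file approach from the reply above, as an added example that is not part of this thread or of any McAfee or Microsoft product: a polling routine that keeps an id watermark in a state file and appends only new audit rows, rendered as CEF lines, to a file that a SIEM file or syslog collector can pick up. The audit table, its columns, the sample rows and the vendor/product strings are constructed, and an in-memory SQLite database stands in for the real SQL Server.

```python
import sqlite3

# Constructed sample rows standing in for a SQL Server audit table (id, time, login, statement, outcome).
SAMPLE_ROWS = [
    (1, "2014-04-23T09:58:01Z", "CORP\\appsvc", "SELECT name FROM customers", "SUCCESS"),
    (2, "2014-04-23T09:58:07Z", "CORP\\jdoe", "UPDATE accounts SET balance=0", "FAILURE"),
    (3, "2014-04-23T09:58:12Z", "sa", "DROP TABLE audit_log", "FAILURE"),
]

def build_sample_db():
    """In-memory SQLite database with the constructed audit table (stand-in for the real server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, event_time TEXT, "
                 "login_name TEXT, statement TEXT, outcome TEXT)")
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def cef_escape(value, header=False):
    """CEF escaping: backslash and pipe in header fields; backslash, '=' and newline in extension values."""
    s = str(value).replace("\\", "\\\\")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=").replace("\n", "\\n")

def to_cef(row):
    """Render one audit row as a CEF line (vendor/product strings are placeholders)."""
    rid, ts, user, stmt, outcome = row
    sev = 7 if outcome == "FAILURE" else 3  # failed statements rank higher for SIEM correlation
    ext = (f"externalId={rid} rt={ts} suser={cef_escape(user)} "
           f"outcome={cef_escape(outcome)} msg={cef_escape(stmt)}")
    return f"CEF:0|ExampleVendor|DbAuditPoller|1.0|{cef_escape(outcome, True)}|SQL audit event|{sev}|{ext}"

def poll_new_rows(conn, last_id):
    """Return (cef_lines, new_last_id). Parameterised query; the id watermark stops rows being replayed."""
    rows = conn.execute("SELECT id, event_time, login_name, statement, outcome "
                        "FROM audit_log WHERE id > ? ORDER BY id", (last_id,)).fetchall()
    return [to_cef(r) for r in rows], (rows[-1][0] if rows else last_id)

def poll_to_file(conn, out_path, state_path):
    """One polling cycle: load watermark, append new events to the file the SIEM picks up, save watermark."""
    try:
        with open(state_path) as f:
            last_id = int(f.read().strip() or 0)
    except FileNotFoundError:
        last_id = 0
    lines, last_id = poll_new_rows(conn, last_id)
    if lines:
        with open(out_path, "a") as f:
            f.write("\n".join(lines) + "\n")
    with open(state_path, "w") as f:
        f.write(str(last_id))
    return len(lines)
```

Run `poll_to_file(build_sample_db(), "db_audit.cef", "db_audit.state")` from a scheduler; because the watermark is persisted, a crashed or repeated run never re-emits rows the SIEM already has.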

          • 2. Re: Pulling from a SQL database
            davids15

            That depends on the version of SQL. If you are using 2008 or 2012 you can set up SQL Audit to write to the local Security or Application Event log, then do a WMI call to pull the data to Nitro. Do keep in mind this can increase overall server resource use and could affect performance. The other option is to write it to a binary file; this is a faster way with lower overhead. The issue here is being able to read the file. There are 3rd party products that can read the binary file and send it to a SIEM in formats that your SIEM can digest, i.e. CEF, SYSLOG, Text File. With Nitro, you can try the SYSLOG or CEF formats.

            Here is a link to help....

            http://technet.microsoft.com/en-us/library/dd392015(v=sql.100).aspx

            This is a good video to help answer some questions:

            http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=213

            I am also looking to bring SQL events into Nitro and this is what I have come up with so far.

            Now on to testing....

            • 3. Re: Pulling from a SQL database
              mlev462251

              @davids15 I believe OP was asking about using ODBC as a method of delivering data to SIEM, not collecting DB audit or runtime logs. Many other SIEM systems include ODBC connectors that you can use to directly query a DB to get the data. McAfee does it (in a very clumsy and limited way) via Windows Event Collector.

              Thanks for your input nonetheless.

              • 4. Re: Pulling from a SQL database
                mcafeecolby

                Thank you. This should be such a simple process out of the box and they have made it absurdly challenging. I suspect it is to steer people into the database product.

                • 5. Re: Pulling from a SQL database
                  davids15

                  Are you wanting to get data out of SQL to add to events? If so, you could look at doing a Data Enrichment query.

                  For example, I have a SQL table that contains additional definition information and I match that to events based on event id type and then add an additional field to hold the definition. This makes the event more understandable.

                  Or

                  You can do a watchlist (Dynamic): do a SQL query and pull the data into a Watchlist. Once it's in a watchlist you set up rules/alerts/reports to watch for the data inside the watchlist.

                  • 6. Re: Pulling from a SQL database
                    mcafeecolby

                    mlev462251 Correct. If there are parsers that pull SQL out of the box, a generic syslog parser and a WMI template, why in the world can't there be a generic SQL pull? I understand you'd have to map, but so what. The SQL plugin collector agent is the provided answer from the company, but how many db admins are going to want to put an agent on the box? Yes, it can be placed on another machine, but now I'm introducing another machine unnecessarily to the mix. Anyhow.

                    • 7. Re: Pulling from a SQL database
                      mcafeecolby

                      davids15 I'm finding watchlists may be the answer to a lot of things. Although, I always come back to the fact that there doesn't seem to be any reason other than wanting to steer customers into the db product for not having a simple template to pull with.