6 Replies Latest reply on Aug 12, 2016 7:32 AM by luca andreoli

    SIEM Integration with MS SQL?

    apollo

      Hi,

      Our client has a SIEM (Nitro/McAfee) and wants to pull the data directly from our MS SQL Server database. We have a few tables where different values are collected, and combining these tables gives some useful information that should be forwarded to the SIEM. Here are my questions:

      1. Can the SIEM actually pull the data from an MS SQL database table directly by using some custom query, or maybe run some stored procedure? How does it actually work when we want to pull the data periodically?

      2. Can the SIEM pull the data from an MS SQL Server database using an agent or without it?

      Thanks.

        • 1. Re: SIEM Integration with MS SQL?
          saipavan

          Hi,

          I have done the normal SQL log pull. For the specific logs to be fetched from the DB, if you haven't, to my knowledge I believe you have to install the McAfee SQL plugin, where you have to write the query to fetch these logs and send them to the receiver, and at the receiver end you have to write a custom parser.

          Hope this helps you.

          -Sai

          • 2. Re: SIEM Integration with MS SQL?
            poezie

            Hi,

            We do this for a few of our custom MS SQL databases. The easiest way we have managed to get this working is to use the SIEM Agent on the server and then create the relevant XML file with the table mappings and the data we want to pull from the DB.

            It works very well and we have had great success with this.

            Mike

            • 3. Re: SIEM Integration with MS SQL?
              ovidiu.tatarasanu

              Hi Mike,

              Can you please tell me how you've configured the Agent to send the logs (via Syslog or MEF)?

              I've installed the Windows collector on a test DB server, made the XML config with the table mappings, selected the Syslog method there, and then added the host in the SIEM collector:

              In the Receiver configuration, I've added a Data Source, type ASP, with the "unknown syslog" event log selected:

              I'm not receiving any events from this source. I did a tcpdump on the ESM/Receiver, and from my IP (x.x.23.21) I'm seeing some packets, but on port 8081 (MEF), not on 514 (Syslog) as expected.

              Am I missing something?

              P.S. In the collector's debug logs I can see only this line every time I restart the service:

              "<131>1 May 4 14:32:46 localhost AgentLogger: ERROR 0 AgentLogger DeInitializing LPC"

              Update:

              I can see in the debug logs that the agent is trying to connect to the receiver, and after several tries it gives an error message:

              <132>1 May 4 15:44:05 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

              <132>1 May 4 15:44:15 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

              <132>1 May 4 15:44:26 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

              <132>1 May 4 15:44:36 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

              <132>1 May 4 15:44:47 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver

              <131>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: ERROR 1 Start Failed to process events; receiver communication timeout reached, sleeping for 2 minutes; Pausing plugin.

              <135>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: DEBUG 1 End connection: 1

              <135>1 May 4 15:44:47 localhost McAfeeEventCollector: DEBUG 0 ReleaseConnection Releasing connection: 1

              <135>1 May 4 15:44:47 localhost McAfeeEventCollector: DEBUG 0 ReleaseConnection Active: 0

              <134>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: INFO 1 _pausePlugin Plugin pausing

              Thanks,

              Ovidiu

              • 4. Re: SIEM Integration with MS SQL?
                Mikelb

                In ESM you would configure the Data Source Retrieval method to MEF. Make sure the "Use encryption" settings are the same on the ESM Data Source and on the Windows SIEM Agent.

                This is what I use and it all works perfectly well for me.

                • 5. Re: SIEM Integration with MS SQL?
                  ovidiu.tatarasanu

                  Hi,

                  I've configured the Retrieval method MEF, and then tried with and without encryption, but still no events to ESM.

                  Now from the debug logs on the collector I see that the logs are sent, so something is not OK with the Data Source config on the Receiver.

                  "

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 _write Received channel id: 1 for host: sql

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Successfully transmitted 1 event(s).

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Successfully transmitted 2 event(s).

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 PopulateSyslogEvent No Records to process

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Transmitted 2 event(s).

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 End connection: 1

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 ReleaseConnection Releasing connection: 1

                  <135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 ReleaseConnection Active: 0

                  <134>1 May 5 08:34:06 sql McAfeeEventCollector: INFO 1 _pausePlugin Plugin pausing

                  "

                  Thanks,

                  Ovidiu
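As an added example (not code from this thread or from McAfee), the Python below parses the two agent debug-log excerpts Ovidiu posted in replies 3 and 5, decodes the syslog `<PRI>` into facility and severity, and reduces each excerpt to a triage verdict: repeated connect timeouts ending in a plugin pause (reply 3) versus events acknowledged by the receiver (reply 5), which points at the Data Source config on the Receiver rather than the network path. The field layout the regex assumes is taken only from the lines quoted in the thread.

```python
import re

# Sample input: lines copied from the two debug-log excerpts posted in this thread.
LOG_TIMEOUT = """\
<132>1 May 4 15:44:05 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver
<132>1 May 4 15:44:15 localhost McAfeeEventCollector: WARN 0 Connect A timeout occurred trying to connect to receiver
<131>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: ERROR 1 Start Failed to process events; receiver communication timeout reached, sleeping for 2 minutes; Pausing plugin.
<134>1 May 4 15:44:47 172.17.23.21 McAfeeEventCollector: INFO 1 _pausePlugin Plugin pausing"""
LOG_SENT = """\
<135>1 May 5 08:34:06 sql McAfeeEventCollector: DEBUG 1 _write Received channel id: 1 for host: sql
<135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Successfully transmitted 2 event(s).
<135>1 May 5 08:34:06 sql McAfeeEventCollector: DIAG 1 Start Transmitted 2 event(s).
<134>1 May 5 08:34:06 sql McAfeeEventCollector: INFO 1 _pausePlugin Plugin pausing"""

# Layout assumed from the posted lines: <PRI>1 <Mon d HH:MM:SS> <host> <app>: <LEVEL> <n> <where> <message>
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>\w+): (?P<level>[A-Z]+) (?P<n>\d+) "
    r"(?P<where>\S+) (?P<msg>.*)$")

def parse_line(line):
    """Split one agent log line into fields and decode <PRI> (facility*8 + severity)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    return rec

def summarize(text):
    """Reduce a debug-log excerpt to the facts that matter for triage plus a one-word verdict."""
    lines = text.splitlines()
    recs = [r for r in map(parse_line, lines) if r]
    timeouts = sum("timeout occurred trying to connect" in r["msg"] for r in recs)
    paused = any("pausing plugin" in r["msg"].lower() or r["where"] == "_pausePlugin" for r in recs)
    acked = [int(m.group(1)) for r in recs
             for m in [re.search(r"[Tt]ransmitted (\d+) event", r["msg"])] if m]
    sent = max(acked, default=0)  # the agent reports a running total, so keep the last/highest
    if sent > 0:
        verdict = "transmitted"           # agent -> receiver works; look at the Data Source config
    elif timeouts and paused:
        verdict = "receiver_unreachable"  # port, firewall or encryption mismatch on the path
    elif timeouts:
        verdict = "connecting"
    else:
        verdict = "unknown"
    return {"timeouts": timeouts, "paused": paused, "events_transmitted": sent,
            "verdict": verdict, "parsed": len(recs), "unparsed": len(lines) - len(recs)}
```

Calling `summarize(LOG_TIMEOUT)` and `summarize(LOG_SENT)` reproduces the two situations in the thread: the first yields `receiver_unreachable`, the second `transmitted` with 2 events, so the receiver-side Data Source is the next thing to inspect.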

                  • 6. Re: SIEM Integration with MS SQL?
                    luca andreoli

                    Hi,

                    About Mike's (poezie) solution: how should the data source be configured on the SIEM, and how was MS SQL configured?

                    (attachment: data source ms sql.png)

                    In the event that an MS SQL server has multiple instances on the same IP, must each instance be entered as a data source?

                    I didn't find a solution in McAfee's documentation.

                    Thank you

                    Luca