Versions Compared

Old Version 7

changes.mady.by.user Customer Success & Engineering (Unlicensed)

Saved on

compared with

New Version 8

changes.mady.by.user Customer Success & Engineering (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel7

...

We are providing you with the steps to integrate your Microsoft SQL Server with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for forwording for forwarding logs.

...

Enabling logging for logins

Enable Audit logs in the MSSQL server with the steps below:

  • Open Microsoft SQL Management Studio with the appropriate credentials.

  • In Object Explorer, right-click on the database server and select Properties.

...

  • In the Properties panel, select Securityin the Select a page section.

  • In Login auditing, select Both failed and successful logins.

...

...

Enabling server auditing

  • Open Microsoft SQL management studio with appropriate credentials.

  • In Object Explorer, expand the Security tab to view Audits and Server Audit Specifications options.

...

...

Creating Audits

  • Right-click Audits to select New Audit..

...

  • In Audit Properties, provide the appropriate audit name and set the audit destination as the application log. The configured Audit properties pane is shown below:

...

  • Click OK to apply settings.

...

Creating Server Audit Specifications

  • Right-click Server Audit Specifications and select New Server Audit Specification…

...

  • Click OK to apply settings.

  • Right-click on the earlier created audit and select Enable.

...

  • Right-click on the earlier created Server Audit Specification and select Enable Server Audit Specification.

...

  • The outcome will show login success.

...

NxLog Configuration

  1. Login on the Windows SQL Server with administrator rights.

  2. Download the latest version of nxlog. It is easiest to choose the Windows MSI file which includes an installer. Use the link:  https://nxlog.co/downloads/nxlog-ce#nxlog-community-edition   

  3. Open the Nxlog configuration file at: C:\Program Files (x86)\nxlog\conf\nxlog.conf

  4. Replace the entire configuration file by pasting the following Below – Note to replace the variable (IP Address of Seceon Collector) with the actual Seceon Server IP address:

Code Block
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog

#define ROOT C:\Program Files (x86)\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>    
  Module xm_json
</Extension>

#Extension for MSSQL
<Extension mssql_csv>
    Module          xm_csv
    Fields          $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
    FieldTypes      string, string, string, string, string, string, string, string
    Delimiter       ;
</Extension>

#Input for MSSQL
<Input in_mssql>
    Module          im_msvistalog
    SavePos         FALSE
    ReadFromLast    TRUE
    Exec   $Message = $raw_event;
    # Finding some values:
    Exec    if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec    if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec    if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
    Exec    if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    Exec    if $raw_event =~ /AUDIT_SUCCESS/\
              {\
                    $Result = 'Success';\
              }\
              else\
                    $Result = 'Failure';
    # Replace white spaces
    Exec            $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>

#Output for MSSQL
<Output out_mssql>
    Module          om_udp
    Host            CCE_IP_ADDRESS
    Port            514
    # Ensure we send in the proper format:
    Exec           $Hostname = hostname_fqdn();
    Exec            mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>

#Route for MSSQL Logs
<Route mssql>
    Path            in_mssql => out_mssql
</Route>

Verification of configuration

...

  • From the Collector-Syslog Server (CCE): This can involve logging into the CCE and checking the configuration settings, testing the connectivity and functionality of the various components, and comparing the actual results against the expected or desired outcomes.

  • From the UI: This can involve logging into the user interface and checking the configuration settings, monitoring the logs and flows, and comparing the actual results against the expected or desired outcomes.

...

This will allow you to ensure that the system is properly identifying the source device IP and that it matches the expected IP address..

...