Security, et al

Randy's Blog on Infosec and Other Stuff

«  Bridging the Gaps in Nati... | Security Logging as a Det... »

LOGbinder SQL Beta is released! Join beta testers now

Tue, 01 Nov 2011 17:05:52 GMT

I'm excited to announce that my software company, LOGbinder, has just released LOGbinder SQL as beta.  If you need audit logging for SQL Server you will be interested to know about SQL Server 2008's new audit foundation and how LOGbinder SQL allows you to connect SQL's audit capability to your existing SIEM/log management solution:

Introducing LOGbinder SQL

SQL Server 2008 introduced a totally new audit logging facility, which is critical to enterprises storing sensitive information and/or processing important transactions in today’s demanding compliance environment. SQL Server Audit is flexible in terms of audit policy and comprehensive in relation to the breadth and depth of objects and actions that can be audited. However, the audit data generated by SQL Server needs additional refinement and processing before it can be relied up on as a usable audit trail and be managed by your existing log management/SIEM solution.

The audit records generated by SQL Server audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to giving a user ownership rights to a database. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events.

Our LOGbinder SQL agent enriches SQL Server’s cryptic and generic audit messages to produce easy-to-understand audit log events. Similar to LOGbinder SP, these events can be outputted to the Security log a custom Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze. Here is an example of an event:

Raw Audit Event from SQL Server

event_time:2010-09-16 12:35:30.0787755
sequence_number:1
action_id:APRL
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:54
server_principal_id:260
database_principal_id:1
target_server_principal_id:0
target_database_principal_id:0
object_id:7
class_type:RL
session_server_principal_name: ACMESP\Administrator
server_principal_name: ACMESP\Administrator
server_principal_sid:0
database_principal_name: dbo
target_server_principal_name: ACMESP\Administrator
target_server_principal_sid: 0
target_database_principal_name: public
server_instance_name: SPDEV\SQL08ENT
database_name: AuditTest
schema_name:
object_name: MyAudit
statement: EXEC sp_addrolemember N'MyAudit', N'public'
additional_information:
file_name=c:\sql audits\AuditAll_12633920-
FB34-4FAA-8F96-E9F8FED158A9_0_ 129276798828120000.sqlaudit
audit_file_offset=1536

Same Event After LOGbinder SQL Processing

Event ID: 24020
Add member to database role succeeded
A principal was successfully added to a database role
Action Group: DATABASE_ROLE_MEMBER_CHANGE_GROUP
Occurred: 9/16/2010 12:35:30.0000000 PM
Session ID: 54
User: ACMESP\administrator
Server: SPDEV\SQL08ENT
Database: AuditTest
Member
Name: public
Domain name: n/a
Role
ID: 7
Name: MyAudit
Statement: EXEC sp_addrolemember N'MyAudit', N'public'

*Learn more about LOGbinder SQL and download the beta today! Click Here.

email this digg reddit dzone
comments (0)references (0)

Related:
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
Virtualization Security: What Are the Real World Risks?
SolarWinds Log & Event Manager Includes My Favorite Feature in a SIEM…
Automating Review and Response to Security Events

Comments disabled

powered by Bloget™