Bridging the Gaps in Nati... |
Security Logging as a Det... »
LOGbinder SQL Beta is released! Join beta testers now
Tue, 01 Nov 2011 17:05:52 GMT
I'm excited to announce that my software company, LOGbinder, has just released LOGbinder SQL as beta. If you need audit logging for SQL Server you will be interested to know about SQL Server 2008's new audit foundation and how LOGbinder SQL allows you to connect SQL's audit capability to your existing SIEM/log management solution:
Introducing LOGbinder SQL
SQL Server 2008 introduced a totally new audit logging facility, which is critical to enterprises storing sensitive information and/or processing important transactions in today’s demanding compliance environment. SQL Server Audit is flexible in terms of audit policy and comprehensive in relation to the breadth and depth of objects and actions that can be audited. However, the audit data generated by SQL Server needs additional refinement and processing before it can be relied up on as a usable audit trail and be managed by your existing log management/SIEM solution.
The audit records generated by SQL Server audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to giving a user ownership rights to a database. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events.
Our LOGbinder SQL agent enriches SQL Server’s cryptic and generic audit messages to produce easy-to-understand audit log events. Similar to LOGbinder SP, these events can be outputted to the Security log a custom Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze. Here is an example of an event:
Raw Audit Event from SQL Server
statement: EXEC sp_addrolemember N'MyAudit', N'public'
Same Event After LOGbinder SQL Processing
Event ID: 24020
Add member to database role succeeded
A principal was successfully added to a database role
Action Group: DATABASE_ROLE_MEMBER_CHANGE_GROUP
Occurred: 9/16/2010 12:35:30.0000000 PM
Session ID: 54
Domain name: n/a
Statement: EXEC sp_addrolemember N'MyAudit', N'public'
*Learn more about LOGbinder SQL and download the beta today! Click Here.
Anatomy of a Hack Disrupted: How one of SIEM’s out-of-the-box rules caught an intrusion and beyond
Live with Dell at RSA 2015
How Randy and Company Do IT: Server and Application Monitoring
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
powered by Bloget™