SQL Server Auditing - Bridging the Gap with LOGbinder for SQL Server

I created LOGbinder for SQL Server to make native SQL Server 2008+ auditing practical for compliance, security monitoring and SIEM integration. If you are new to it, read more on SQL Server 2008+ auditing.

While SQL Server 2008+ auditing is an excellent foundation for database audit logging there are some areas that need to be addressed in order to use native SQL Server 2008+ auditing for compliance and enterprise security.

You need to:

  • Translate cryptic data into easy to understand audit messages - The audit records generated by SQL Server audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to a modification of a stored procedure. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events. LOGbinder for SQL Server translates the one, generic SQL audit event into more than 300 different event IDs, each with its own specific wording and format.
  • Free SQL audit logs from their proprietary format - The preferred and highest performance option for audit log output results in a proprietary file format that cannot be parsed by log management/SIEM solutions using typical text log file-based parsing engines. LOGbinder for SQL Server processes the proprietary formatted SQL Server audit log and enriches SQL Server’s cryptic and generic audit messages to produce an easy-to-understand audit log event which then outputs to the Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze.
  • Leverage the centralized alerting, reporting and secure archival of your log management/SIEM - LOGbinder for SQL Server fills a critical gap between enterprise database servers and audit log management solutions, allowing you to obtain a clearly-written and easy-to-understand audit log that is accessible to your existing log management solution. Through our SIEM Synergy Partner Program we actively work with log management and SIEM solution providers to build our recommended alerts and reports into their systems for SQL server audit logs processed by LOGbinder for SQL Server.

These issues were the driver for me to design LOGbinder for SQL Server. LOGbinder for SQL Server translates the cryptic data in raw SQL Server audit entries and outputs the audit trail to the Windows security log where your SIEM/log management solution can take over with archival, alerting and report.

More information on LOGbinder for SQL Server:

 

Additional Resources
Audit Policy
Audit Logs
LOGbinder SQL
Webinars