adem_netsys
Explorer III
January 8, 2025
Question

SIEM: MSSQL Audit Parser


Hi,


I am getting MSSQL audit logs with the Agent on the Windows machine where Microsoft SQL Server is located. Here I want to parse important information in the log such as Statement (Insert, Select, Create, Alter), DB Name, etc. The logs coming to SIEM hit the default parser ("WinOSXmlParser"). This parser does not get the fields I want. I edited the existing parser and added the following fields, but this was not enough. Has anyone experienced this before?

```xml
</when>
<when test="$_id = '33205'">
  <collectAndSetAttrByKeyValuePair sep="\n" src="$msg">
    <attrKeyMap attr="serviceAccount" key="Service Account:"/>
    <attrKeyMap attr="serviceFileName" key="Service File Name:"/>
    <attrKeyMap attr="serviceName" key="Service Name:"/>
    <attrKeyMap attr="serviceStartType" key="Service Start Type:"/>
    <attrKeyMap attr="serviceType" key="Service Type:"/>
    <attrKeyMap attr="actionId" key="action_id:"/>
    <attrKeyMap attr="serverPrincipalName" key="server_principal_name:"/>
    <attrKeyMap attr="targetServerPrincipalName" key="target_server_principal_name:"/>
    <attrKeyMap attr="statement" key="statement:"/>
  </collectAndSetAttrByKeyValuePair>
</when>
```


    cdurkin_FTNT
    Staff
    January 8, 2025

    How are you getting them via the agent?

    Do you have a sanitized sample?

    adem_netsys
    Explorer III
    January 8, 2025

    @cdurkin_FTNT 

    I am using Application/Sqlserver in Windows Agent Event Type.

```
2025-01-06T08:53:39Z ANONYMIZED.host 192.168.0.1 FSM-WUA-WinLog-Application [phCustId]="0" [customer]="Anonymous" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="00000000-0000-0000-0000-000000000000" [timeZone]="+0000" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>33205</EventID><Version>0</Version><Level>0</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0xa0000000000000</Keywords><TimeCreated SystemTime='2025-01-06T08:53:39.5490429Z'/><EventRecordID>0</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ANONYMIZED.host</Computer><Security/></System><EventData><Data>audit_schema_version:1 event_time:2025-01-06 08:53:39.5400126 sequence_number:1 action_id:AL   succeeded:true is_column_permission:false session_id:0 server_principal_id:0 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:A  permission_bitmask:00000000000000000000000000000000 sequence_group_id:00000000-0000-0000-0000-000000000000 session_server_principal_name:anonymous_user server_principal_name:anonymous_user server_principal_sid:0000000000000000000000000000000000000000 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:ANONYMIZED_INSTANCE database_name:anonymous_database schema_name: object_name:anonymous_object statement:ALTER SERVER AUDIT [anonymous_audit] WITH (STATE = OFF) additional_information: user_defined_information: </Data></EventData><RenderingInfo Culture='tr-TR'><Message>Audit event: audit_schema_version:1 event_time:2025-01-06 08:53:39.5400126 sequence_number:1 action_id:AL   succeeded:true is_column_permission:false session_id:0 server_principal_id:0 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:A  permission_bitmask:00000000000000000000000000000000 sequence_group_id:00000000-0000-0000-0000-000000000000 session_server_principal_name:anonymous_user server_principal_name:anonymous_user server_principal_sid:0000000000000000000000000000000000000000 database_principal_name:dbo target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:ANONYMIZED_INSTANCE database_name:anonymous_database schema_name: object_name:anonymous_object statement:ALTER SERVER AUDIT [anonymous_audit] WITH (STATE = OFF) additional_information: user_defined_information: .</Message><Level>Information</Level><Task>None</Task><Opcode></Opcode><Channel></Channel><Provider></Provider><Keywords><Keyword>Audit Success</Keyword><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>
```
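As an added example (not from the thread and not FortiSIEM code), a stand-alone Python parser for the audit body in the sample above: the fields sit on one line separated by spaces, several values are empty, and the statement value itself contains spaces, so the parser cuts each value at the next known key name instead of splitting on whitespace. The key list is taken from the sample, and the event below is constructed from the anonymized one in the post.

```python
import re
import xml.etree.ElementTree as ET

# Field names as SQL Server writes them into the 33205 event, in the order of the sample above.
# Values may be empty and the statement contains spaces, so a plain whitespace split fails.
AUDIT_KEYS = [
    "audit_schema_version", "event_time", "sequence_number", "action_id", "succeeded",
    "is_column_permission", "session_id", "server_principal_id", "database_principal_id",
    "target_server_principal_id", "target_database_principal_id", "object_id", "user_defined_event_id",
    "transaction_id", "class_type", "permission_bitmask", "sequence_group_id",
    "session_server_principal_name", "server_principal_name", "server_principal_sid",
    "database_principal_name", "target_server_principal_name", "target_server_principal_sid",
    "target_database_principal_name", "server_instance_name", "database_name", "schema_name",
    "object_name", "statement", "additional_information", "user_defined_information",
]
# Only known keys act as delimiters; the lookbehind stops "server_principal_name:" from
# matching inside "session_server_principal_name:".
_KEY_RE = re.compile(r"(?<!\w)(" + "|".join(map(re.escape, AUDIT_KEYS)) + r"):")
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_audit_data(data: str) -> dict:
    """Turn 'key:value key:value ...' into a dict; each value runs up to the next key."""
    hits = list(_KEY_RE.finditer(data))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(data)
        fields[m.group(1)] = data[m.end():end].strip()
    return fields

def parse_event(xml_text: str) -> dict:
    """Extract <EventData><Data> from the event XML and add the statement verb as a field."""
    root = ET.fromstring(xml_text)
    fields = parse_audit_data(root.findtext("e:EventData/e:Data", "", NS))
    stmt = fields.get("statement", "")
    fields["statement_type"] = stmt.split(None, 1)[0].upper() if stmt else ""
    return fields

# Constructed sample, cut down from the anonymized event posted above.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>33205</EventID></System>"
    "<EventData><Data>audit_schema_version:1 event_time:2025-01-06 08:53:39.5400126 "
    "sequence_number:1 action_id:AL   succeeded:true session_id:0 class_type:A  "
    "session_server_principal_name:anonymous_user server_principal_name:anonymous_user "
    "database_principal_name:dbo target_server_principal_name: target_server_principal_sid: "
    "server_instance_name:ANONYMIZED_INSTANCE database_name:anonymous_database schema_name: "
    "object_name:anonymous_object statement:ALTER SERVER AUDIT [anonymous_audit] WITH "
    "(STATE = OFF) additional_information: user_defined_information: </Data></EventData></Event>"
)
```

`parse_event(SAMPLE_EVENT)` yields `statement_type` of `ALTER` and `database_name` of `anonymous_database`, the two fields the question asks for, with the empty `target_server_principal_name` kept as an empty string rather than swallowing the next key.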