SIEM: MSSQL Audit Parser
Hi,
I am getting MSSQL audit logs with an Agent on the Windows machine where Microsoft SQL Server is located. Here I want to parse important information in the log such as Statement (Insert, Select, Create, Alter), DB Name etc. The logs coming to the SIEM hit the default parser (“WinOSXmlParser”). This parser does not get the fields I want. I edited the existing parser and added the following fields, but this was not enough. Has anyone experienced this before?
</when>
<when test="$_id = '33205'">
  <collectAndSetAttrByKeyValuePair sep="\n" src="$msg">
    <attrKeyMap attr="serviceAccount" key="Service Account:"/>
    <attrKeyMap attr="serviceFileName" key="Service File Name:"/>
    <attrKeyMap attr="serviceName" key="Service Name:"/>
    <attrKeyMap attr="serviceStartType" key="Service Start Type:"/>
    <attrKeyMap attr="serviceType" key="Service Type:"/>
    <attrKeyMap attr="actionId" key="action_id:"/>
    <attrKeyMap attr="serverPrincipalName" key="server_principal_name:"/>
    <attrKeyMap attr="targetServerPrincipalName" key="target_server_principal_name:"/>
    <attrKeyMap attr="statement" key="statement:"/>
  </collectAndSetAttrByKeyValuePair>
</when>
How are you getting it via the agent?
Do you have some sanitized sample?
I am using Application/Sqlserver in Windows Agent Event Type.
2025-01-06T08:53:39Z ANONYMIZED.host 192.168.0.1 FSM-WUA-WinLog-Application [phCustId]="0" [customer]="Anonymous" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="00000000-0000-0000-0000-000000000000" [timeZone]="+0000" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>33205</EventID><Version>0</Version><Level>0</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0xa0000000000000</Keywords><TimeCreated SystemTime='2025-01-06T08:53:39.5490429Z'/><EventRecordID>0</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ANONYMIZED.host</Computer><Security/></System><EventData><Data>audit_schema_version:1
event_time:2025-01-06 08:53:39.5400126
sequence_number:1
action_id:AL
succeeded:true
is_column_permission:false
session_id:0
server_principal_id:0
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:A
permission_bitmask:00000000000000000000000000000000
sequence_group_id:00000000-0000-0000-0000-000000000000
session_server_principal_name:anonymous_user
server_principal_name:anonymous_user
server_principal_sid:0000000000000000000000000000000000000000
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:ANONYMIZED_INSTANCE
database_name:anonymous_database
schema_name:
object_name:anonymous_object
statement:ALTER SERVER AUDIT [anonymous_audit]
WITH (STATE = OFF)
additional_information:
user_defined_information:
</Data></EventData><RenderingInfo Culture='tr-TR'><Message>Audit event: audit_schema_version:1
event_time:2025-01-06 08:53:39.5400126
sequence_number:1
action_id:AL
succeeded:true
is_column_permission:false
session_id:0
server_principal_id:0
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:A
permission_bitmask:00000000000000000000000000000000
sequence_group_id:00000000-0000-0000-0000-000000000000
session_server_principal_name:anonymous_user
server_principal_name:anonymous_user
server_principal_sid:0000000000000000000000000000000000000000
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:ANONYMIZED_INSTANCE
database_name:anonymous_database
schema_name:
object_name:anonymous_object
statement:ALTER SERVER AUDIT [anonymous_audit]
WITH (STATE = OFF)
additional_information:
user_defined_information:
.</Message><Level>Information</Level><Task>None</Task><Opcode></Opcode><Channel></Channel><Provider></Provider><Keywords><Keyword>Audit Success</Keyword><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>
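Because the parser question above turns on how the `<Data>` payload is laid out (newline-separated `key:value` pairs, with a `statement` that spans more than one line), here is an added reference implementation in Python of the extraction the original poster is after. It is not FortiSIEM parser XML and not code from the thread: it reads the audit fields out of the agent's `<Event>` XML, folds continuation lines into `statement`, maps `action_id` through a partial copy of SQL Server's `sys.dm_audit_actions` table, and flags the sample's own `ALTER SERVER AUDIT ... STATE = OFF`, i.e. the audit being switched off. The sample XML is a constructed, trimmed copy of the event posted above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Partial action_id -> action name map, taken from SQL Server's sys.dm_audit_actions.
ACTION_NAMES = {"AL": "ALTER", "CR": "CREATE", "DR": "DROP", "SL": "SELECT",
                "IN": "INSERT", "UP": "UPDATE", "DL": "DELETE", "EX": "EXECUTE"}
# A field line is a lowercase snake_case key at column 0 followed by ':'.
KEY_RE = re.compile(r"^([a-z_]+):(.*)$")

# Constructed sample: the <Event> XML from the thread, trimmed to the fields used here.
SAMPLE_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>33205</EventID></System>
<EventData><Data>audit_schema_version:1
event_time:2025-01-06 08:53:39.5400126
action_id:AL
server_principal_name:anonymous_user
database_name:anonymous_database
statement:ALTER SERVER AUDIT [anonymous_audit]
WITH (STATE = OFF)
additional_information:
</Data></EventData></Event>"""

def parse_audit_data(text):
    """Parse 'key:value' lines; a line with no key (the second line of a
    multi-line statement) is appended to the previous field's value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is not None and line.strip():
            fields[last] = (fields[last] + "\n" + line).strip()
    return fields

def parse_event(xml_text):
    """Return the audit fields for an MSSQLSERVER event 33205, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "33205":
        return None
    fields = parse_audit_data(root.findtext("e:EventData/e:Data", namespaces=NS) or "")
    fields["action_name"] = ACTION_NAMES.get(fields.get("action_id", ""), "UNKNOWN")
    return fields

def audit_disabled(fields):
    """Detection: an ALTER SERVER AUDIT that switches the audit to STATE = OFF."""
    stmt = re.sub(r"\s*=\s*", "=", " ".join(fields.get("statement", "").upper().split()))
    return fields.get("action_id") == "AL" and "SERVER AUDIT" in stmt and "STATE=OFF" in stmt
```

Whatever the SIEM's own parser language, the two behaviours worth checking against the sample are the continuation-line handling for `statement` and the `database_name` extraction, since neither is covered by a plain per-line key/value split.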
