Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiSIEM Discussions
- Fortinet Community
- Community Groups
- FortiSIEM
- Discussions
- SIEM: MSSQL Audit Parser
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SIEM: MSSQL Audit Parser
Hi,
I am getting MSSQL audit logs with Agent on the windows machine where Microsoft SQL Server is located. Here I want to parser important information in the log such as Statement (Insert, Select, Create, Alter), DB Name etc. The logs coming to SIEM hit the default parser ( “WinOSXmlParser” ). This parser does not get the fields I want. I edited the existing parser and added the following fields, but this was not enough. Has anyone experienced this before?
</when>
<when test="$_id = '33205'">
<collectAndSetAttrByKeyValuePair sep="\n" src="$msg">
<attrKeyMap attr="serviceAccount" key="Service Account:"/>
<attrKeyMap attr="serviceFileName" key="Service File Name:"/>
<attrKeyMap attr="serviceName" key="Service Name:"/>
<attrKeyMap attr="serviceStartType" key="Service Start Type:"/>
<attrKeyMap attr="serviceType" key="Service Type:"/>
<attrKeyMap attr="actionId" key="action_id:"/>
<attrKeyMap attr="serverPrincipalName" key="server_principal_name:"/>
<attrKeyMap attr="targetServerPrincipalName" key="target_server_principal_name:"/>
<attrKeyMap attr="statement" key="statement:"/>
</collectAndSetAttrByKeyValuePair>
</when>
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How are you getting via agent?
Do you have some sanitized sample?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using Application/Sqlserver in Windows Agent Event Type.
2025-01-06T08:53:39Z ANONYMIZED.host 192.168.0.1 FSM-WUA-WinLog-Application [phCustId]="0" [customer]="Anonymous" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="00000000-0000-0000-0000-000000000000" [timeZone]="+0000" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>33205</EventID><Version>0</Version><Level>0</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0xa0000000000000</Keywords><TimeCreated SystemTime='2025-01-06T08:53:39.5490429Z'/><EventRecordID>0</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ANONYMIZED.host</Computer><Security/></System><EventData><Data>audit_schema_version:1
event_time:2025-01-06 08:53:39.5400126
sequence_number:1
action_id:AL
succeeded:true
is_column_permission:false
session_id:0
server_principal_id:0
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:A
permission_bitmask:00000000000000000000000000000000
sequence_group_id:00000000-0000-0000-0000-000000000000
session_server_principal_name:anonymous_user
server_principal_name:anonymous_user
server_principal_sid:0000000000000000000000000000000000000000
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:ANONYMIZED_INSTANCE
database_name:anonymous_database
schema_name:
object_name:anonymous_object
statement:ALTER SERVER AUDIT [anonymous_audit]
WITH (STATE = OFF)
additional_information:
user_defined_information:
</Data></EventData><RenderingInfo Culture='tr-TR'><Message>Audit event: audit_schema_version:1
event_time:2025-01-06 08:53:39.5400126
sequence_number:1
action_id:AL
succeeded:true
is_column_permission:false
session_id:0
server_principal_id:0
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:A
permission_bitmask:00000000000000000000000000000000
sequence_group_id:00000000-0000-0000-0000-000000000000
session_server_principal_name:anonymous_user
server_principal_name:anonymous_user
server_principal_sid:0000000000000000000000000000000000000000
database_principal_name:dbo
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:ANONYMIZED_INSTANCE
database_name:anonymous_database
schema_name:
object_name:anonymous_object
statement:ALTER SERVER AUDIT [anonymous_audit]
WITH (STATE = OFF)
additional_information:
user_defined_information:
.</Message><Level>Information</Level><Task>None</Task><Opcode></Opcode><Channel></Channel><Provider></Provider><Keywords><Keyword>Audit Success</Keyword><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiSIEM
166 -
Parsers
7 -
Rules
5 -
ClickHouse
4 -
fortisiem v7.2.0
4 -
FortiSIEM v6.x
4 -
integration
4 -
API
4 -
Agent Linux
3 -
database
3 -
Agent
3 -
FortiSIEM Cloud
3 -
Collector
3 -
External System Integration
3 -
FortiGate
3 -
lookuptables
2 -
FortiAnalyzer
2 -
Source Code
2 -
Collector Agent
2 -
Supervisor
2 -
FortiSiem 7.1
2 -
watchlist
2 -
SAML
2 -
Analytics & Reporting
2 -
GUI
2 -
Incidents
2 -
CMDB
2 -
Redhat 8
1 -
eventdb
1 -
Impact
1 -
"FortiSIEM Incidents"
1 -
Rocky Linux 8
1 -
Oracle Linux 8
1 -
Partnership Inquiry
1 -
lookups
1 -
o
1 -
OPManager
1 -
RBAC
1 -
User Control
1 -
Audit log
1 -
CMMC
1 -
Reference Files
1 -
Hi
1 -
cisco wsa
1 -
Audit
1 -
Report-Rules-Dashboards
1 -
FortiClient
1 -
FortiAuthenticator v5.5
1 -
upgrade
1 -
IPsec
1 -
Migration
1 -
External Connectors
1 -
LDAP
1 -
Report
1 -
Microsoft Office365
1 -
Azure
1 -
Cisco
1 -
discovery
1 -
Reference Material
1 -
Alma Linux 8
1 -
Notifications
1 -
Expressions
1 -
Architecture
1 -
FortiSASE
1 -
Status
1 -
MySQL
1 -
Internet service database
1 -
Dashboard
1 -
Usage
1 -
Certificate
1 -
enrichement
1 -
Windows Defender
1
Top Kudoed Authors
| User | Count |
|---|---|
| 72 | |
| 25 | |
| 15 | |
| 10 | |
| 10 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.