davcollado Valued Contributor.

Parsing problems 33205 events Security Log


Hello,

I have a problem with the Windows Log Native Connector parsing the 33205 "Audit Sql Events". The events are in the security log and their provider name is "MSSQL$IN1$AUDIT". The eventdata information is not parsed, only the header of the event.

I have tried to create a "customeventsourcemap.csv" like this:

Security, MSSQL*, MSSQLSERVER, Application

But it doesn't work. Do you know if there is any way to parse those events? I can't put them in the application log because the user that reads the events only has permissions to read the security log.

Thanks in advance.

mschleich Acclaimed Contributor.

Re: Parsing problems 33205 events Security Log


Dear Davcollado,

As far as I know, this event ID is already parsed by the WiNC SmartConnector, but as an Application event.
I don't know if your issue is due to that; it would be good if you could run a test just to confirm that when you put the event in Application, it is correctly parsed.

If that is the case, you have to ask HP Support to give you the parser file for MSSQL, which is named
mssqlserver.audit.sdkkeyvaluefilereader.properties
because it is encrypted.
Then, you have to ask them where to move it to be able to parse this event ID as a Security event.
I am not 100% sure if it will work because it depends on how the WiNC has been built internally.

I know how to parse Windows Events, but it is not very simple: a Windows Event is an XML event which is parsed in two ways, by key-value for the header and by JSON for the other layer.

For Windows Security Events, HP ArcSight has already parsed them one by one completely, thus with a parser override file you can modify how the event is parsed, normally without JSON.

For other application logs, like Sysmon and AppLocker, the base of the event is already parsed by the WiNC, but the useful information is located in eventdata.

For MSSQL, it is already provided in the WiNC folder, but as an Application event, thus I prefer you test first as Application.
PS: I have already verified that the event ID 33205 is parsed in the above properties file.

Thanks
Regards

Michael

davcollado Valued Contributor.

Re: Parsing problems 33205 events Security Log


Thanks mschleich, I could resolve the issue by changing the "customeventsourcemap.csv" to this:

#SourceChannel,SourceProviderNamePattern,TargetProviderName,TargetChannel
Security,MSSQL.*,MSSQLSERVER,Application

The only change is the ".", but it makes it work.

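As an added illustration (not from the thread or from the ArcSight product), the following Python check shows why the "." matters: the pattern column is a regular expression, so `MSSQL*` means "MSSQ" followed by any number of "L" and never matches a provider such as `MSSQL$IN1$AUDIT`, while `MSSQL.*` does. The file semantics assumed here (comment lines start with "#", four comma-separated fields, the pattern must match the whole provider name) are assumptions about the WiNC mapping, not documented behaviour.

```python
import re
from dataclasses import dataclass

# Constructed copies of the two customeventsourcemap.csv variants from the thread.
BROKEN_MAP = """#SourceChannel,SourceProviderNamePattern,TargetProviderName,TargetChannel
Security, MSSQL*, MSSQLSERVER, Application
"""
FIXED_MAP = """#SourceChannel,SourceProviderNamePattern,TargetProviderName,TargetChannel
Security,MSSQL.*,MSSQLSERVER,Application
"""


@dataclass
class SourceMap:
    source_channel: str
    provider_pattern: re.Pattern
    target_provider: str
    target_channel: str


def parse_source_map(text: str) -> list[SourceMap]:
    """Parse the four-column CSV: '#' lines are comments, fields are whitespace-stripped.
    (Assumed format; the real connector's parser may differ.)"""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 columns, got {len(fields)}: {line!r}")
        channel, pattern, provider, target_channel = fields
        rows.append(SourceMap(channel, re.compile(pattern), provider, target_channel))
    return rows


def remap(rows: list[SourceMap], channel: str, provider: str) -> tuple[str, str]:
    """Return the (provider, channel) the event would be parsed as.
    Assumption: the pattern is a regex that must match the whole provider name."""
    for r in rows:
        if r.source_channel == channel and r.provider_pattern.fullmatch(provider):
            return r.target_provider, r.target_channel
    return provider, channel  # no rule matched: event keeps its original provider/channel


if __name__ == "__main__":
    for label, text in (("MSSQL*", BROKEN_MAP), ("MSSQL.*", FIXED_MAP)):
        print(label, "->", remap(parse_source_map(text), "Security", "MSSQL$IN1$AUDIT"))
```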