Absent Member.

When will the .sqlaudit extension be supported by SQL connectors?

Today, the supported extension is .trc. But as DBAs say, in the future everybody will use .sqlaudit.

Does anyone know something about this?

Thanks in advance,

René Eduardo

Accepted Solutions

Acclaimed Contributor.

If this is the file extension for SQL Server Auditing via audit log files, then there's an FR # for ArcSight to support logs in this format: CON-13628

Here are the details of the FR Request that I submitted on Oct 25th 2013 (still pending):

FR Submitted: MSSQL SQL Server Auditing via Audit Log Files

Service Request Details:

protect_mssql_FR.png

Super Contributor.

Any updates on the feature request for reading the .sqlaudit file directly instead of going through the Application Event log?

Thanks,

Eric

Acclaimed Contributor.

Can you provide a sanitized example of a logfile? Then I can see what could be done with a file connector.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius

Super Contributor.

My understanding is the .sqlaudit file is a binary file and it can't be edited or viewed using a text editor.

Eric

Absent Member.

Does HPE have a solution for this case? We tried to collect logs from the SQL DB in .trace format, but it caused failures in the DB. Our DB team recommended the .sqlaudit log type, but there is no connector to collect logs in the form of .sqlaudit. Is there any solution?

Thanks

Outstanding Contributor.

Hello Yusuf,

I have seen this achieved once. I am not 100% sure I remember all of the details, and that environment is not accessible to me right now, but what I recall is the following:

1. Install a usual Flex Connector for database connection (ID based or Time based or MultiDB Flex)

2. In the flex parser, use a SELECT that calls the fn_get_audit_file() SQL function; the one here: sys.fn_get_audit_file (Transact-SQL)

Basically you retrieve the information from the .sqlaudit file which is already generated, but you actually do it through the SQL server. So you connect to the SQL server, send a SELECT which in turn calls on the function; the function is executed by the SQL server itself, and has as input parameter the .sqlaudit file which was already generated. The function returns a table as far as I remember, on which your initial SELECT statement will run.

I am almost sure that with some testing you can actually achieve this, since as mentioned before I've seen it working. I do think that a good DB Admin would be of great value while trying to integrate this.

Good luck,

Stefan
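
The approach described in the reply above, sketched as T-SQL (an added example, not part of the original post and not an ArcSight-supplied configuration). The audit folder, file name, checkpoint values and column selection are assumptions; `sys.fn_get_audit_file` and the columns shown are the documented SQL Server ones.

```sql
-- Added example: read .sqlaudit records through SQL Server itself.
-- The polling login needs the server-level permission the function requires
-- (CONTROL SERVER on older SQL Server versions); grant it to a dedicated
-- account rather than reusing a DBA login.

DECLARE @audit_path nvarchar(260) = N'D:\SQLAudit\*.sqlaudit';  -- hypothetical folder
DECLARE @last_seen  datetime2     = '2024-01-01T00:00:00';      -- constructed checkpoint (UTC)

-- Time-based poll: the shape a time-based DB connector query would take,
-- with @last_seen standing in for the connector's stored checkpoint.
SELECT
    event_time,              -- stored in UTC
    sequence_number,         -- orders parts of a record split across rows
    action_id,
    succeeded,
    session_id,
    server_principal_name,
    database_name,
    schema_name,
    object_name,
    statement,
    file_name,               -- keep these two: they give an exact resume point
    audit_file_offset
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE event_time > @last_seen
ORDER BY event_time, sequence_number;

-- Offset-based resume: avoids re-reading every file on each poll and does not
-- drop records that share the checkpoint's timestamp.
DECLARE @last_file   nvarchar(260) = N'D:\SQLAudit\ExampleAudit_0.sqlaudit'; -- hypothetical file
DECLARE @last_offset bigint        = 4096;                                   -- constructed value

SELECT event_time, sequence_number, action_id, succeeded,
       server_principal_name, database_name, object_name, statement,
       file_name, audit_file_offset
FROM sys.fn_get_audit_file(@audit_path, @last_file, @last_offset)
ORDER BY event_time, sequence_number;
```

The file path is resolved by the SQL Server service, not by the connector host, so the audit folder only needs to be readable by the database engine's service account.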

Respected Contributor.

Resurrecting this old thread.

Was there a solution to this? Currently, the available ArcSight connector is only able to recognize SQL Server Audit if it is output to the native Windows Event Viewer (Application/Security).

There is still no plug-and-play connector to process SQL Server Audit output to a file with the extension .sqlaudit.

Has anyone ever pulled out a flex connector which is able to process the .sqlaudit extension?

Super Contributor.

Hi,

We are using LOGbinder for SQL to parse those logs. Pretty easy to set up.

/Per

Super Contributor.

Thanks for the reply. I'll check them out.