SQL Connector Problems
Can someone help point me in the right direction on the installation of a "SmartConnector for Microsoft SQL Server Multiple Instances - Audit DB"?
I have the new document dated "June 30, 2012"; however, I am still having problems. The goal is to get all our servers that run SQL (and IIS, but that is another issue), which is around 15 servers.
I installed the connector on a server (Win2008R2, server dedicated as a "connector" server) and attempted to get it up and running. It would seem all is well; after many tweaks I was finally able to finish the install without any errors. However, on the client side (the SQL server) there are some settings to turn on "Trace Logs" and C2 Auditing.
Well, not only do I not see any log data making it to my ArcSight, but these C2 logs are 200 MB and are filling up the hard drive.
So the two areas I need help with (there may be more) are the following:
1. I need some assistance to ensure the SmartConnector is set up correctly. I should see some log data in ArcSight (my Logger, model 7200).
2. Is there a script or setting to overwrite the oldest, or something else, to prevent these C2 logs from filling up my hard drive?
NOTE: I am only testing at this point with a single server, the goal is to eventually get all 15ish installed. This is to meet a security requirement for log/data retention and view for anomalies or suspect events (security related).
Thank you in advance.
Re: SQL Connector Problems
The way C2 audit processing works is that the SQL server generates these audit files, which are 204 MB by default (you can tweak this). While this file is being written to, the connector can't process it, since it's locked by SQL. Once SQL fills up one file and moves on to the next one, the connector processes the audit file.

In the connector settings you specify the path to these files: either a direct file path if the connector is on the same box, or a UNC share. Make sure that the connector can read and write to the folder that contains these files, since it needs to delete them after it is done. The second part of the connector settings is a DB that the connector processes these files through. These files can't be processed directly, so the connector needs to read them through a SQL database.

So, assuming all of these components are configured properly and operational, you shouldn't have more than one trace file in the output directory. Hopefully this explains how this is supposed to work. If you are still having issues, post agent.out.wrapper.log and agent.log and we'll try to help further.
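The reply above gives a concrete health check: in a working setup the trace directory holds exactly one file, the one SQL Server is still writing, and the connector deletes the rest once it has processed them. The PowerShell script below is an added example (not code from the thread, from ArcSight, or from Microsoft) that turns that check into something you can run on the SQL box, and adds a safety net for the original poster's second question: if the connector is down, completed trace files older than a retention window are removed so the disk does not fill. Everything it assumes is labelled: the trace directory path, the `audittrace_*.trc` file naming, and the detection of the in-use file by trying to open it with exclusive sharing. Note that any file this script deletes is audit data the connector never processed, so run it without `-Delete` first and treat warnings as a connector problem to fix, not something to paper over.

```powershell
# Added example (not from the original thread): health check and safety net for
# SQL Server C2 audit trace files.
# Assumptions (not stated in the thread):
#   - trace files live in the SQL Server data directory and are named audittrace_*.trc
#   - the file SQL Server is still writing cannot be opened with FileShare.None
#     from another process, which is how we tell "in use" from "completed"
# The connector normally deletes files it has processed; this script only removes
# completed files older than a retention window so a stopped connector does not
# fill the disk. Anything it deletes will never reach ArcSight.
param(
    # Assumed path; adjust to your instance's DATA directory.
    [string]$TraceDir = 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA',
    [int]$RetentionHours = 24,
    [switch]$Delete   # without this switch the script only reports
)

# Returns $true when another process (SQL Server) holds the file open.
function Test-FileInUse {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

# @() forces an array so .Count works on PowerShell 2.0 (Win2008R2) when only one file exists.
$files = @(Get-ChildItem -Path $TraceDir -Filter 'audittrace_*.trc' |
           Sort-Object LastWriteTime -Descending)
if ($files.Count -eq 0) {
    Write-Output "No C2 audit trace files found in $TraceDir"
    exit 0
}

$totalMB = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB)
Write-Output ("{0} trace file(s), {1} MB total in {2}" -f $files.Count, $totalMB, $TraceDir)

# Healthy state per the reply: one file only (the one SQL Server is writing).
if ($files.Count -gt 1) {
    Write-Warning ("{0} completed trace file(s) are waiting. Check that the connector " +
                   "is running and can read, write and delete in this folder." -f ($files.Count - 1))
}

$cutoff = (Get-Date).AddHours(-$RetentionHours)
foreach ($f in $files) {
    if (Test-FileInUse $f.FullName) {
        Write-Output "In use by SQL Server (skipped): $($f.Name)"
        continue
    }
    if ($f.LastWriteTime -gt $cutoff) {
        Write-Output "Completed, within retention, leaving for the connector: $($f.Name)"
        continue
    }
    if ($Delete) {
        Remove-Item -Path $f.FullName
        Write-Output "Deleted unprocessed trace older than $RetentionHours h: $($f.Name)"
    } else {
        Write-Output "Would delete (re-run with -Delete): $($f.Name)"
    }
}
```

Run it as an account that has read, write and delete rights on the trace folder (the same rights the reply says the connector needs). Scheduling it with `-Delete` is a last-resort disk protection; the connector deleting files itself is the behaviour you actually want, and a warning from this script means the connector's path, share permissions or processing database still need attention.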