Hi Martin,
There is an older set of rules for ms_sql (0440-ms_sqlserver_rules.xml). The current ruleset uses the logs output in plain text format. We will manage to create a set of rules using the event channel. We will try to have this done by the Wazuh 4.4.0 release.
About the differences between successful login IDs: there are different ways to connect to MSSQL, so each one lets you know what method the user uses to connect.
Samples:
(3) ID=18453
The user'PC2012\Administrator' logged in successfully. The connection is established using Windows authentication. [Client: <local machine>]
(4) ID=18454
User'sa' logged in successfully. The connection was established using SQL Server authentication. [Client: <local machine>]
I hope this helps.