wazuh custom decoder for mssql server 2017 audit logs


Anuj Sharma

Jun 20, 2024, 4:40:41 AM
to Wazuh | Mailing List
Hi, I am using the Wazuh agent in a Docker container, and my SQL Server 2017 is running in the same Docker container as my agent. Everything is working fine, except that my SQL Server audit logs are not showing anything on my dashboard. Is there a way to send the audit logs of MSSQL Server? I created a custom audit file, MyAudit, and when I check these logs they are in this format:
Date 20-06-2024 06:23:40
Log Audit Collection (MyAudit)

Event Time 06:23:40.3765138
Server Instance Name sql-deployment-
Action ID SELECT
Class Type TABLE
Sequence Number 1
Succeeded True
Permission Bit Mask 0x00000000000000000000000000000001
Column Permission True
Session ID 55
Server Principal ID 1
Database Principal ID 1
Target Server Principal ID 0
Target Database Principal ID 0
Object ID 917578307
Session Server Principal Name sa
Server Principal Name sa
Server Principal SID 0x01
Database Principal Name dbo
Target Server Principal Name
Target Server Principal SID NULL
Target Database Principal Name
Database Name Enterprise
Schema Name dbo
Object Name Employees
Statement select * FROM employees
Additional Information
File Name /var/opt/mssql/log/MyAudit_193A1451-9618-4B7D-B558-200BD24604BF_0_133633348291860000.sqlaudit
File Offset 4382720
User Defined Event ID 0
User Defined Information
Sequence Group ID 0xB53B67765CB1D04F900157FFE5B40451
Transaction ID 241898
Client IP 192.168.1.2
Application Name SQLCMD
Can anyone help me regarding this?
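One approach to getting a record like this into Wazuh is to flatten each multi-line record into a single JSON line, which the Wazuh logcollector can then read with its json log format, so rules can match on the fields without a multi-line custom decoder. The following is an added example written for this thread (it is not Wazuh's own code or anything posted here); the field names are taken from the record above, and the sample is a shortened copy of it.

```python
import json
import re
# Field names exactly as they appear in the pasted SQL Server audit record
# (one field per line; the value follows the name after a space, or is absent).
AUDIT_FIELDS = [
    "Date", "Log", "Event Time", "Server Instance Name", "Action ID", "Class Type",
    "Sequence Number", "Succeeded", "Permission Bit Mask", "Column Permission", "Session ID",
    "Server Principal ID", "Database Principal ID", "Target Server Principal ID",
    "Target Database Principal ID", "Object ID", "Session Server Principal Name",
    "Server Principal Name", "Server Principal SID", "Database Principal Name",
    "Target Server Principal Name", "Target Server Principal SID", "Target Database Principal Name",
    "Database Name", "Schema Name", "Object Name", "Statement", "Additional Information",
    "File Name", "File Offset", "User Defined Event ID", "User Defined Information",
    "Sequence Group ID", "Transaction ID", "Client IP", "Application Name",
]
# Longest names first, so "Target Server Principal Name" is tried before "Server Principal Name".
_BY_LENGTH = sorted(AUDIT_FIELDS, key=len, reverse=True)
# Constructed sample: a shortened copy of the record layout pasted in the question.
SAMPLE = """Date 20-06-2024 06:23:40
Log Audit Collection (MyAudit)

Event Time 06:23:40.3765138
Action ID SELECT
Succeeded True
Server Principal Name sa
Target Server Principal Name
Target Server Principal SID NULL
Database Name Enterprise
Object Name Employees
Statement select * FROM employees
Client IP 192.168.1.2
"""

def _value(raw):  # absent and NULL both become JSON null; True/False become booleans
    return None if raw in ("", "NULL") else raw == "True" if raw in ("True", "False") else raw

def parse_audit_record(text):
    """Flatten one multi-line audit record into a dict with snake_case keys."""
    event = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        for name in _BY_LENGTH:
            if line == name or line.startswith(name + " "):
                event[name.lower().replace(" ", "_")] = _value(line[len(name):].strip())
                break  # lines that match no known field are ignored
    return event

def to_json_lines(dump):
    """One JSON object per line: each record in the dump starts with a 'Date' line."""
    return "\n".join(json.dumps(parse_audit_record(r)) for r in re.split(r"(?m)^(?=Date )", dump) if r.strip())
```

The output of to_json_lines can be written to a file that the agent's localfile block points at with log_format json; a rule can then match on fields such as action_id, database_name and client_ip.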

Aishat Motunrayo Awujola

Jun 24, 2024, 11:40:20 AM
to Wazuh | Mailing List
Hello Anuj,

Thank you for choosing Wazuh.
To answer your question, yes, you can forward audit logs to Wazuh. Wazuh is able to collect MSSQL audit logs through the Windows event channel.
You can use Wazuh to monitor the database activity and this can be achieved by integrating the database logging system into Wazuh using the log collection capabilities, and then utilizing the decoders and rules to trigger corresponding alerts.
Wazuh has out-of-the-box decoders and rules for many databases (PostgreSQL, MySQL, MSSQL, MariaDB, ...). 
I hope this helps.

Regards.

chachab

May 17, 2025, 12:18:23 PM
to Wazuh | Mailing List
Hello cdacanuj1 and team,

Did you manage to have this on your Wazuh dashboard? Did you create that decoder and rule, and is it working?

I have the same issue. I managed to create the decoder and rule, but I can't see the events in my Wazuh Dashboard.