Hello,
To integrate MS SQL with Wazuh, there are two options:
1. Monitor the log file where MS SQL writes. This is usually located in C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG, but you can make sure by looking at SQL Server Configuration Manager > SQL Server Services > SQL Server (MSSQLSERVER) > Advanced > Dump Directory.
Then we add the following configuration to the agent and restart it:

<localfile>
  <location>C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG</location>
  <log_format>mssql_log</log_format>
</localfile>

2. Monitor events received in Eventchannel. Actually, these events are already being monitored since MS SQL events can be seen as Application events. What we can do is create custom rules for these events, starting with one that groups them:

<rule id="100007" level="0">
  <if_sid>60600</if_sid>
  <field name="win.system.providerName">^MSSQLSERVER$</field>
  <description>Group of MS SQL rules</description>
</rule>
And from here create the children rules we are interested in.
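
As an added illustration (not part of the original reply), child rules hanging off the grouping rule 100007 could look like the following. The rule IDs 100008 to 100010, the group name, the levels and the frequency/timeframe thresholds are assumptions to adapt; 18456 and 15457 are the SQL Server event IDs for a failed login and a changed server configuration option, and the sketch assumes failed-login auditing is enabled on the instance.

```xml
<!-- Added example: place in a custom rules file on the Wazuh manager,
     e.g. alongside rule 100007. IDs, levels and thresholds are assumptions. -->
<group name="windows,mssql,">

  <!-- Single failed SQL Server login (event ID 18456) -->
  <rule id="100008" level="5">
    <if_sid>100007</if_sid>
    <field name="win.system.eventID">^18456$</field>
    <description>MS SQL: login failed</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Repeated failed logins in a short window: possible password guessing -->
  <rule id="100009" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100008</if_matched_sid>
    <description>MS SQL: multiple failed logins in a short period</description>
    <mitre>
      <id>T1110</id>
    </mitre>
    <group>authentication_failures,</group>
  </rule>

  <!-- Server configuration option changed via sp_configure (event ID 15457) -->
  <rule id="100010" level="8">
    <if_sid>100007</if_sid>
    <field name="win.system.eventID">^15457$</field>
    <description>MS SQL: server configuration option changed</description>
  </rule>

</group>
```

After adding rules like these, restart the Wazuh manager and confirm they fire by replaying a captured event through wazuh-logtest.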