Hi,

I've created a new rule for monitoring logon actions on SQL Server 2008. The OS is
Windows Server 2008. I'm using OSSEC server/agent 2.3.

Here is the rule:
<rule id="101041" level="3">
    <if_sid>18104</if_sid>
    <id>^33205</id>
    <description>MS SQL Server 2008 Logon Success.</description>
    <group>authentication_success,</group>
</rule>

The problem occurs when the log is processed. I get an alert that there was a successful
logon, but the full log entry isn't complete. This is the part of the log that is processed:

WinEvtLog: Security: AUDIT_SUCCESS(33205): MSSQLSERVER$AUDIT: someUser: XXX: 
location: event_time:2010-07-14 13:23:01.4242722

As you can see, I miss all the additional data from the event log that I can see through
the event viewer, like database name, object, statement ... I don't know how OSSEC
extracts and parses logs from the event log, but I think the problem may be there.

The thing is that on another system, where SQL Server 2008 is installed on Windows
Server 2003, I get the full log with all the additional info. But this lack of
information only happens if SQL Server 2008 is installed on Windows Server
2008.

Could it be that when the agent collects and parses the event log (or however it extracts
data from it), it does not compile the log into one line but leaves it as multiple
lines, and then OSSEC treats it like two or more logs? To confirm my doubts I
have created another decoder and rule that would trigger on the part of the log that is
supposed to come after this first part.

For example, this is the event log:

TimeGenerated: 5/19/2008 9:23:31 PM
EntryType: SuccessAudit
EventID: 33205
Message:Audit event: event_time:2008-05-20 02:23:30.8759296
sequence_number:1
action_id:G
succeeded:true
permission_bitmask:4194304
......

The first part of the log (up to sequence_number) is decoded and triggers the rule, so I
created a decoder for the sequence_number part of the log (which I believe is treated as
another log). Here are the new decoder and rule:

<decoder name="SQL2008test">
    <prematch>sequence_number</prematch>
    <regex offset="after_prematch">:(\d) \.*</regex>
    <order>id</order>
</decoder>

The id is for me to test something.

<rule id="xxxxxx" level="1">
    <decoded_as>SQL2008test</decoded_as>
    <description>Rest of SQL 2008 log!</description>
</rule>

After a restart I had alerts that triggered on the following log: sequence_number:1

So that is why I think that the agent is not processing event logs in the right way.
But if I'm wrong and it is not a problem in version 2.3, could someone please
help me solve the problem?

Thank you,

Branimir
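The split-versus-folded behaviour suspected in the post, modelled as an added Python example (it is neither OSSEC's code nor Branimir's): a constructed 33205 event is fed through two simplified decoders, once with the message body split at line breaks and once folded onto a single line, and the example reports which decoder fires on each line the server would see. Assumed for the model: a minimal stand-in for OSSEC's own WinEvtLog decoder, a tiny translation of OSSEC's regex dialect, and that the prematch selects the decoder while the regex only fills fields.

```python
import re

# Constructed sample event (not a real capture): the header as the post shows it,
# the message body in the multi-line form the event viewer shows.
HEADER = "WinEvtLog: Security: AUDIT_SUCCESS(33205): MSSQLSERVER$AUDIT: someUser: XXX: location: "
MESSAGE = [
    "Audit event: event_time:2010-07-14 13:23:01.4242722",
    "sequence_number:1",
    "action_id:G",
    "succeeded:true",
    "permission_bitmask:4194304",
    "database_name:master",   # the kind of field the post says goes missing
    "statement:SELECT 1",
]

def ossec_to_py(pattern):
    """Translate the few OSSEC regex tokens used here into Python re syntax."""
    table = {"d": "[0-9]", "w": "[A-Za-z0-9_]", "s": " ", ".": "."}
    return re.sub(r"\\([dws.])", lambda m: table[m.group(1)], pattern)

# (name, prematch, regex applied after the prematch, order). 'windows' is an
# assumed simplification of OSSEC's WinEvtLog decoder; 'SQL2008test' is the post's.
DECODERS = [
    ("windows", r"^WinEvtLog: ", r"^\w+: \w+\((\d+)\): \.*", ["id"]),
    ("SQL2008test", r"sequence_number", r":(\d) \.*", ["id"]),
]

def decode(line):
    """First decoder whose prematch hits wins (assumed); its regex only fills fields."""
    for name, prematch, regex, order in DECODERS:
        pm = re.search(ossec_to_py(prematch), line)
        if not pm:
            continue
        m = re.search(ossec_to_py(regex), line[pm.end():])
        return name, (dict(zip(order, m.groups())) if m else {})
    return None, {}

def agent_lines(collapse):
    """The two ways the agent could hand a multi-line event to the server."""
    if collapse:   # whole message folded onto one line: one event, all fields kept
        return [HEADER + " ".join(MESSAGE)]
    # split at line breaks: only the first line carries the header, the rest
    # arrive as standalone "logs" that no header-based decoder can claim
    return [HEADER + MESSAGE[0]] + MESSAGE[1:]

def decoders_fired(collapse):
    """Decoder hit per line the server sees, for the split or folded case."""
    return [decode(line) for line in agent_lines(collapse)]

if __name__ == "__main__":
    for mode in (False, True):
        print("folded" if mode else "split", decoders_fired(mode))
```

In the split case the lone "sequence_number:1" line is exactly what fires the test decoder from the post, and the database_name line reaches no decoder at all; in the folded case a single event with id 33205 carries every field.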

 

 

 
