07-22-2008 06:18 AM
Hello. Maybe I am missing something, but is there a way to collect and parse logs (specifically security auditing - logins, etc...) from MS SQL server in MARS? I see that there 'may' be a snare agent for MS SQL, but I don't know if MARS would recognize the events without a custom parser. Any ideas?
Thank you,
Jeff
07-22-2008 01:25 PM
You can collect them, but I don't believe they will be parsed correctly. They [the logins at least] are logged to the application event log. The last time I tested MARS, you COULD NOT configure a reporting device as a Windows host AND custom parse messages. Having them is a good first step I guess. It would be really nice to be able to extend MARS's parsing with custom parsing though. I *think* the next major version of MARS is supposed to fix this somehow.
07-22-2008 04:14 PM
Thank you for your response. I didn't even think about the fact that I probably can't just 'add' to the host (Windows 2003 server) 'and' create a custom parser for the SQL entries. I am sure that this is still the case. I really hope that this is improved in 6.x.
Thank you again.
07-23-2008 05:56 AM
OK. I just got in this morning and built a 'test' custom parser. It appears that if I make this a software application, I can apply it to my previously defined Windows server and tell it that it will be receiving the information to be parsed via syslog. Does anyone have any experience doing this for SQL Server?
Thanks again.
07-23-2008 07:27 AM
While you can do that, I don't think it will work. At least it didn't work when I tried. As I recall, the problem is that the Windows parser has a "catch-all" parser that maps to "generic windows event". This parser is applied before your custom parser.
07-23-2008 07:33 AM
OK. Thanks. That makes sense. I haven't been able to test this yet, so I appreciate you mentioning this.
Thanks.
07-23-2008 07:52 AM
I would still test it. It's been quite a few versions since I did. Let us know how it goes.
07-25-2008 08:11 AM
OK. I've been trying everything to see if I can get something to work here, but to no avail. It definitely reports it as a 'general windows application log' entry instead of running it through the custom parser. Every attempt to get any assistance through TAC (wondering about the order the devices were processed) yielded 'It is not supported'. Anyway, thank you very much for your input on this and unfortunately, I was not successful.
07-25-2008 08:27 AM
Thanks for following up. Let's keep our fingers crossed that this is addressed in 6.x.