Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Microsoft SQL Server

 

The JSA DSM for Microsoft SQL Server collect SQL events by using the syslog, WinCollect Microsoft SQL, or JDBC protocol.

The following table identifies the specifications for the Microsoft SQL Server DSM:

Table 1: Microsoft SQL Server DSM

Specification

Value

Manufacturer

Microsoft

DSM name

SQL Server

RPM file name

DSM-MicrosoftSQL-JSA-version-Build_number.noarch.rpm

Supported versions

2008, 2012, and 2014 (Enterprise editions only)

Event format

syslog, JDBC, WinCollect

JSA recorded event types

SQL error log events

Automatically discovered?

Yes

Includes identity?

Yes

More information

Microsoft website (http://www.microsoft.com/en-us/server-cloud/products/sql-server/)

You can integrate Microsoft SQL Server with JSA by using one of the following methods:

JDBCMicrosoft SQL Server Enterprise can capture audit events by using the JDBC protocol. The audit events are stored in a table view. Audit events are only available in Microsoft SQL Server 2008, 2012, and 2014 Enterprise.
WinCollect You can integrate Microsoft SQL Server 2000, 2005, 2008, 2012, and 2014 with JSA by using WinCollect to collect ERRORLOG messages from the databases that are managed by your Microsoft SQL Server. For more information, see your WinCollect documentation.

To integrate the Microsoft SQL Server DSM with JSA, use the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the Microsoft SQL Server RPM on your JSA Console.

  2. For each instance of Microsoft SQL Server, configure your Microsoft SQL Server appliance to enable communication with JSA.

  3. If JSA does not automatically discover the Microsoft SQL Server log source, create a log source for each instance of Microsoft SQL Server on your network.

Microsoft SQL Server Preparation for Communication with JSA

To prepare Microsoft SQL Server for communication with JSA, you must create an audit object, audit specification, and database view.

Creating a Microsoft SQL Server Auditing Object

Create an auditing object to store audit events.

  1. Log in to your Microsoft SQL Server Management Studio.
  2. From the navigation menu, select Security > Audits.
  3. Right-click Audits and select New Audit.
  4. In the Audit name field, type a name for the new audit file.
  5. From the Audit destination list, select File.
  6. From the File path field, type the directory path for your Microsoft SQL Server audit file.
  7. Click OK.
  8. Right-click your audit object and select Enable Audit.

Creating a Microsoft SQL Server Audit Specification

Create an audit specification to define the level of auditing events that are written to an audit file.

You must create an audit object. See Creating a Microsoft SQL Server Auditing Object.

You can create an audit specification at the server level or at the database level. Depending on your requirements, you might require both a server and database audit specification.

  1. From the Microsoft SQL Server Management Studio navigation menu, select one of the following options:
    • Security > Server Audit Specifications

    • <Database> > Security > Database Audit Specifications

  2. Right-click Server Audit Specifications, and then select one of the following options:
    • New Server Audit Specifications

    • New Database Audit Specifications

  3. In the Name field, type a name for the new audit file.
  4. From the Audit list, select the audit object that you created.
  5. In the Actions pane, add actions and objects to the server audit.
  6. Click OK.
  7. Right-click your server audit specification and select one of the following options:
    • Enable Server Audit Specification

    • Enable Database Audit Specification

Creating a Microsoft SQL Server Database View

Create the dbo.AuditData database view to allow JSA to poll for audit events from a database table by using the JDBC protocol. The database view contains the audit events from your server audit specification and database audit specification.

  1. From the Microsoft SQL Server Management Studio toolbar, click New Query.
  2. Type the following Transact-SQL statement:

    For example:

  3. From the Standard toolbar, click Execute.

Configuring a Microsoft SQL Server Log Source

Use this procedure if your JSA Console did not automatically discover the Microsoft Windows Security Event log source.

  1. Click the Admin tab.
  2. On the navigation menu, click Data Sources.
  3. Click the Log Sources icon.
  4. Click the Add button.
  5. From the Log Source Type list, select Microsoft SQL Server.
  6. From the Protocol Configuration list, select JDBC or WinCollect.
  7. Optional. If you want to configure events for JDBC, configure the following Microsoft SQL Server log source parameters:

    Parameter

    Description

    Log Source Identifier

    Type the identifier for the log source in the following format:

    <SQL Database>@<SQL DB Server IP or Host Name>

    Where:

    <SQL Database> is the database name, as entered in the Database Name parameter.

    <SQL DB Server IP or Host Name> is the hostname or IP address for this log source, as entered in the IP or Hostname parameter.

    Database Type

    From the list, select MSDE.

    Database Name

    Type Master as the name of the Microsoft SQL database.

    IP or Hostname

    Type the IP address or host name of the Microsoft SQL server.

    Port

    Type the port number that is used by the database server. The default port for MSDE is 1433.

    The JDBC configuration port must match the listener port of the Microsoft SQL database. The Microsoft SQL database must have incoming TCP connections that are enabled to communicate with JSA.

    Note: If you define a Database Instance when you are using MSDE as the Database Type, you must leave the Port parameter blank in your configuration.

    Username

    Type the user name to access the SQL database.

    Password

    Type the password to access the SQL database.

    Confirm Password

    Type the password to access the SQL database.

    Authentication Domain

    If you select MSDE as the Database Type and the database is configured for Windows, you must define a Window Authentication Domain. Otherwise, leave this field blank.

    Database Instance

    Note: If you have a non-standard port in your database configuration, or access is blocked to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank.

    Table Name

    Type dbo.AuditData as the name of the table or view that includes the audit event records.

    Select List

    Type * for all fields from the table or view.

    You can use a comma-separated list to define specific fields from tables or views. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be a maximum of 255 characters. You can include the special characters, dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

    Compare Field

    Type event_time in the Compare Field parameter. The Compare Field identifies new events that are added between queries, in the table.

    Start Date and Time

    The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

    Use Prepared Statements

    Select this check box to use prepared statements

    Prepared statements allow the JDBC protocol source to set up the SQL statement, and then run the SQL statement many times with different parameters. For security and performance reasons, you might want to use prepared statements.

    Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

    Polling Interval

    You can type a polling interval number. The polling interval is the amount of time between queries to the event table. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M, poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

    Use Named Pipe Communication

    Clear the Use Named Pipe Communications check box.

    If you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password, and not the database user name and password. Also, you must use the default Named Pipe.

    Database Cluster Name

    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name.

  8. <Optional>. If you want to configure events for WinCollect, see the JSA WinCollect User Guide.
  9. Click Save.
  10. On the Admin tab, click Deploy Changes.