Microsoft SQL Server
The JSA DSM for Microsoft SQL Server collect SQL events by using the syslog, WinCollect Microsoft SQL, or JDBC protocol.
The following table identifies the specifications for the Microsoft SQL Server DSM:
Table 1: Microsoft SQL Server DSM
RPM file name
2008, 2012, and 2014 (Enterprise editions only)
syslog, JDBC, WinCollect
JSA recorded event types
SQL error log events
Microsoft website (http://www.microsoft.com/en-us/server-cloud/products/sql-server/)
You can integrate Microsoft SQL Server with JSA by using one of the following methods:
To integrate the Microsoft SQL Server DSM with JSA, use the following steps:
If automatic updates are not enabled, download and install the most recent version of the Microsoft SQL Server RPM on your JSA Console.
For each instance of Microsoft SQL Server, configure your Microsoft SQL Server appliance to enable communication with JSA.
If JSA does not automatically discover the Microsoft SQL Server log source, create a log source for each instance of Microsoft SQL Server on your network.
Microsoft SQL Server Preparation for Communication with JSA
To prepare Microsoft SQL Server for communication with JSA, you must create an audit object, audit specification, and database view.
Creating a Microsoft SQL Server Auditing Object
Create an auditing object to store audit events.
- Log in to your Microsoft SQL Server Management Studio.
- From the navigation menu, select Security > Audits.
- Right-click Audits and select New Audit.
- In the Audit name field, type a name for the new audit file.
- From the Audit destination list, select File.
- From the File path field, type the directory path for your Microsoft SQL Server audit file.
- Click OK.
- Right-click your audit object and select Enable Audit.
Creating a Microsoft SQL Server Audit Specification
Create an audit specification to define the level of auditing events that are written to an audit file.
You must create an audit object. See Creating a Microsoft SQL Server Auditing Object.
You can create an audit specification at the server level or at the database level. Depending on your requirements, you might require both a server and database audit specification.
- From the Microsoft SQL Server Management Studio navigation
menu, select one of the following options:
Security > Server Audit Specifications
<Database> > Security > Database Audit Specifications
- Right-click Server Audit Specifications, and
then select one of the following options:
New Server Audit Specifications
New Database Audit Specifications
- In the Name field, type a name for the new audit file.
- From the Audit list, select the audit object that you created.
- In the Actions pane, add actions and objects to the server audit.
- Click OK.
- Right-click your server audit specification and select
one of the following options:
Enable Server Audit Specification
Enable Database Audit Specification
Creating a Microsoft SQL Server Database View
Create the dbo.AuditData database view to allow JSA to poll for audit events from a database table by using the JDBC protocol. The database view contains the audit events from your server audit specification and database audit specification.
- From the Microsoft SQL Server Management Studio toolbar, click New Query.
- Type the following Transact-SQL statement:
create view dbo.AuditData as SELECT * FROM sys.fn_get_audit_file ('<Audit File Path and Name>',default,default); GOa
create view dbo.AuditData as SELECT * FROM sys.fn_get_audit_file ('C:\inetpub\logs\SQLAudits*’,default,default); GO
- From the Standard toolbar, click Execute.
Configuring a Microsoft SQL Server Log Source
Use this procedure if your JSA Console did not automatically discover the Microsoft Windows Security Event log source.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click the Add button.
- From the Log Source Type list, select Microsoft SQL Server.
- From the Protocol Configuration list, select JDBC or WinCollect.
- Optional. If you want to configure events for JDBC, configure the following Microsoft SQL Server log source parameters:
Log Source Identifier
Type the identifier for the log source in the following format:
<SQL Database>@<SQL DB Server IP or Host Name>
<SQL Database> is the database name, as entered in the Database Name parameter.
<SQL DB Server IP or Host Name> is the hostname or IP address for this log source, as entered in the IP or Hostname parameter.
From the list, select MSDE.
Type Master as the name of the Microsoft SQL database.
IP or Hostname
Type the IP address or host name of the Microsoft SQL server.
Type the port number that is used by the database server. The default port for MSDE is 1433.
The JDBC configuration port must match the listener port of the Microsoft SQL database. The Microsoft SQL database must have incoming TCP connections that are enabled to communicate with JSA.
Note: If you define a Database Instance when you are using MSDE as the Database Type, you must leave the Port parameter blank in your configuration.
Type the user name to access the SQL database.
Type the password to access the SQL database.
Type the password to access the SQL database.
If you select MSDE as the Database Type and the database is configured for Windows, you must define a Window Authentication Domain. Otherwise, leave this field blank.
Note: If you have a non-standard port in your database configuration, or access is blocked to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank.
Type dbo.AuditData as the name of the table or view that includes the audit event records.
Type * for all fields from the table or view.
You can use a comma-separated list to define specific fields from tables or views. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be a maximum of 255 characters. You can include the special characters, dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
Type event_time in the Compare Field parameter. The Compare Field identifies new events that are added between queries, in the table.
Start Date and Time
The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
Use Prepared Statements
Select this check box to use prepared statements
Prepared statements allow the JDBC protocol source to set up the SQL statement, and then run the SQL statement many times with different parameters. For security and performance reasons, you might want to use prepared statements.
Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.
You can type a polling interval number. The polling interval is the amount of time between queries to the event table. The default polling interval is 10 seconds.
You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M, poll in seconds.
Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.
Use Named Pipe Communication
Clear the Use Named Pipe Communications check box.
If you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password, and not the database user name and password. Also, you must use the default Named Pipe.
Database Cluster Name
If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name.
- <Optional>. If you want to configure events for WinCollect, see the JSA WinCollect User Guide.
- Click Save.
- On the Admin tab, click Deploy Changes.