• K. Brian Kelley - Friday, January 20, 2017 7:35 AM

    If you've configured successful or failed logins monitoring for the SQL Server, the information will be written in the SQL Server logs as well as the OS' Application event log. There are specific event IDs for those login attempts. ArcSight can pick up on those.

    What else do you need to audit and get into the SIEM?

    From what I see, there are some stored procedures created in the instances that also capture activities like DDL and auditing the higher privileges, like with sysadmin.
    So those are not written to the OS application logs? And need to be configured in ArcSight? Is the SIEM ArcSight? I need to understand what is happening in between SQL Server and ArcSight.

    So I need to tell ArcSight to collect those extra DDL auditing trc and then configure some sort of filter in ArcSight and then generate a report?