 SQL server & SIEM


antonisg
Starting Member

4 Posts

Posted - 2014-09-02 : 03:28:22
Hi,

I'm a system admin and I am trying to configure IBM QRadar (SIEM) with a dozen SQL Servers I have. They are not all the same version, varying from 2000 to 2012. QRadar takes information only from ERRORLOG, which is produced only by errors from a security level and above.
I wonder if I can configure ERRORLOG to include other actions at the DB level (like Drop Table, Delete DB, Create Table, etc.) in order to have this information passed to QRadar. Do you think this is a good idea, or do I have to create a new script?

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2014-09-02 : 14:49:52
You'll need a DDL trigger for that. You can have them log to the Error Log via RAISERROR. DDL triggers were not available in version 2000 though. If you want to implement it there, you've got a much larger task. I'd skip 2000 if I were you...

Tara Kizer
SQL Server MVP since 2007
http://weblogs.sqlteam.com/tarad/

antonisg
Starting Member

4 Posts

Posted - 2014-09-03 : 03:53:03
Actually, the older versions will be upgraded to newer ones like 2008. I will search for RAISERROR if this is a solution. Do you have any other option for newer versions? Thank you.

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2014-09-03 : 12:23:35
You need to search for DDL triggers. Inside the DDL trigger is where you'd use RAISERROR to log an event in the Error Log.

Tara Kizer
SQL Server MVP since 2007
http://weblogs.sqlteam.com/tarad/

antonisg
Starting Member

4 Posts

Posted - 2014-09-09 : 06:31:39
In SQL Server 2008, can I create triggers only by using PowerShell? I right-click on DB triggers and only the Start PowerShell option is available. No "create new trigger" option exists.

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2014-09-09 : 12:32:53
I don't know where you are clicking. You just need to open a new query window and write your trigger there.

There are some examples here: http://technet.microsoft.com/en-us/library/ms186406(v=sql.105).aspx

Tara Kizer
SQL Server MVP since 2007
http://weblogs.sqlteam.com/tarad/
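
The approach from the replies above (a DDL trigger that calls RAISERROR to write to the Error Log), as an added example that is not part of the original thread. The trigger names and the DDL_AUDIT message tag are assumptions; run it from a query window.

```sql
-- Added example: trigger names and the DDL_AUDIT tag are assumptions.
-- DDL triggers require SQL Server 2005 or later.
-- RAISERROR ... WITH LOG requires the login that fires the trigger to be
-- a sysadmin member or to hold ALTER TRACE permission.

-- Table DDL is database-scoped: create this in each database to audit.
CREATE TRIGGER trg_ddl_audit_tables
ON DATABASE
FOR CREATE_TABLE, ALTER_TABLE, DROP_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml, @event nvarchar(128), @login nvarchar(128),
            @db nvarchar(128), @obj nvarchar(128);
    SET @e     = EVENTDATA();
    SET @event = @e.value('(/EVENT_INSTANCE/EventType)[1]',    'nvarchar(128)');
    SET @login = @e.value('(/EVENT_INSTANCE/LoginName)[1]',    'nvarchar(128)');
    SET @db    = @e.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)');
    SET @obj   = @e.value('(/EVENT_INSTANCE/ObjectName)[1]',   'nvarchar(128)');
    -- Severity 10 is informational: it is logged without raising an error.
    RAISERROR('DDL_AUDIT event=%s login=%s database=%s object=%s',
              10, 1, @event, @login, @db, @obj) WITH LOG;
END;
GO

-- Creating, altering or dropping a database is a server-scoped event,
-- so it needs a separate trigger ON ALL SERVER.
CREATE TRIGGER trg_ddl_audit_databases
ON ALL SERVER
FOR CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml, @event nvarchar(128), @login nvarchar(128),
            @db nvarchar(128);
    SET @e     = EVENTDATA();
    SET @event = @e.value('(/EVENT_INSTANCE/EventType)[1]',    'nvarchar(128)');
    SET @login = @e.value('(/EVENT_INSTANCE/LoginName)[1]',    'nvarchar(128)');
    SET @db    = @e.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)');
    RAISERROR('DDL_AUDIT event=%s login=%s database=%s',
              10, 1, @event, @login, @db) WITH LOG;
END;
GO
```

The fixed DDL_AUDIT prefix gives the SIEM parser a stable string to match in ERRORLOG. Login and object names in the message come from the event itself, so the parser should treat them as untrusted text.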

antonisg
Starting Member

4 Posts

Posted - 2014-09-15 : 09:32:56
ok... thx. I managed to create triggers to collect some events in the ERRORLOG.