Getting log sources to show up as multiple sources

Jan - 10/24/2017
Hi

We are testing LOGbinder for SQL and have a small problem.

We are collecting logs from a SQL server and sending them to QRadar; however, QRadar sees the events as coming from the LOGbinder server (which is not the same as the SQL server).

The reason for that is that QRadar can't identify a log source within the event. It usually does that with an IP, and there is no source IP in the event. Have you seen this problem before, and do you maybe have a workaround?

Since we would like LOGbinder for SQL to have multiple inputs from several SQL servers, we would like to identify every source on its own.

Regards, Jan

Tamas Lengyel - 10/24/2017

Hi Jan,

LOGbinder includes the source in each LOGbinder for SQL Server event. I assume you use the LEEF format for QRadar, so look for the vSourceName field for this information.

Jan - 10/25/2017

Hi

I see it in the event, but it is not parsed as the log source identifier.

It is not part of the QRadar documentation, so I assumed that it would be part of the DSM.

<46>okt 25 09:18:11 193.9.192.23 LEEF:1.0|LOGbinder|SQL|3.0|24001 - Login succeeded|message=A principal successfully logged in to SQL server  actiongroup=SUCCESSFUL_LOGIN_GROUP  devTime=okt 25 2017 09:18:11 GMT  devTimeFormat=MMM dd yyyy HH:mm:ss z  usrName=DOMAIN\\test  sessionid=132  targetobjectid=2  targetobjectname=DOMAIN\\testservice  targetobjecttype=Login  setoptions=-- network protocol: TCP/IP; set quoted_identifier on; set arithabort off; set numeric_roundabort off; set ansi_warnings on; set ansi_padding on; set ansi_nulls on; set concat_null_yields_null on; set cursor_close_on_commit off; set implicit_transactions off; set language us_english; set dateformat mdy; set datefirst 7; set transaction isolation level read committed  additionalinformation=<action_info xmlns\="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0002f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>193.9.193.42</address><is_dac>0</is_dac></action_info>  vSourceName=DKCPH-SQL2  support=For more information, see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=24001


Tamas Lengyel

Hi, thank you for your feedback and for the event example.

I am not a QRadar expert. Would it be possible for you to configure QRadar to get that information from the vSourceName field? Or could you reach out to QRadar support about it?

Please let us know. Thanks.
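An added example, not code from the thread, from LOGbinder or from QRadar, showing the parsing a collector would need in order to key the log source on the LEEF vSourceName attribute rather than on the syslog hostname (the LOGbinder server) in the header. The sample events are constructed and modelled on the event Jan posted above; the second event and the server name DKCPH-SQL9 are invented to show two SQL Servers behind one LOGbinder host.

```python
import re
from collections import Counter

# Constructed sample events modelled on the LEEF event posted in this thread.
# LEEF 1.0 separates extension attributes with a tab; the forum rendering
# collapsed those tabs to double spaces, so the parser accepts either form.
HEADER = "<46>okt 25 09:18:11 193.9.192.23 LEEF:1.0|LOGbinder|SQL|3.0|24001 - Login succeeded|"
SAMPLE_EVENTS = [
    HEADER + "message=A principal successfully logged in to SQL server\t"
    "usrName=DOMAIN\\\\test\tsessionid=132\t"
    "additionalinformation=<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\">"
    "<address>193.9.193.42</address></action_info>\tvSourceName=DKCPH-SQL2\t"
    "support=For more information, see http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=24001",
    # Constructed second event from a hypothetical other SQL Server, double-space separated.
    HEADER + "message=A principal successfully logged in to SQL server  sessionid=77  vSourceName=DKCPH-SQL9",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+ +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>LEEF:.*)$", re.S)

def parse_leef(raw):
    """Split a syslog-wrapped LEEF 1.0 record into header fields and extension attributes."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not a syslog/LEEF record")
    parts = m.group("msg").split("|", 5)  # LEEF:1.0|Vendor|Product|Version|EventID|extension
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("unsupported LEEF header")
    ext = parts[5]
    tokens = ext.split("\t") if "\t" in ext else re.split(r" {2,}", ext)
    attrs = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")  # first '=' only: the XML and URL values contain '='
        if sep:
            attrs[key.strip()] = value
    return {"pri": int(m.group("pri")), "host": m.group("host"), "vendor": parts[1],
            "product": parts[2], "version": parts[3], "event_id": parts[4], "attrs": attrs}

def log_source_identifier(raw):
    """The SQL Server named in vSourceName; fall back to the syslog host if the field is absent."""
    ev = parse_leef(raw)
    return ev["attrs"].get("vSourceName", ev["host"])

def count_by_identifier(raws, use_vsourcename):
    """Tally events per log source both ways: by syslog host (default) or by vSourceName."""
    return Counter(log_source_identifier(r) if use_vsourcename else parse_leef(r)["host"] for r in raws)

if __name__ == "__main__":
    print(count_by_identifier(SAMPLE_EVENTS, False))  # every event under 193.9.192.23
    print(count_by_identifier(SAMPLE_EVENTS, True))   # one source per SQL Server
```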
