GFI
English Deutsch Français Italiano Nederlands Español
Forums  Register  Login  My Profile  Inbox  Address Book  My Subscription  My Forums 

Member List  Search  FAQ  Ticket List  Log Out

 

Events Manager SQL Server Audit

  		Logged in as: Guest
Users viewing this topic: none
  Printable Version
All Forums >> [Network Security] >> GFI EventsManager >> Events Manager SQL Server Audit Page: [1]
Login
Message << Older Topic   Newer Topic >>
Events Manager SQL Server Audit - 20.Aug.2008 9:55:51 PM   
AngieF

 

Posts: 5
Score: 0
Joined: 20.Aug.2008
Status: offline 		I am having problems getting this going.
I have SQL server installed on my monitoring machine. It runs perfectly for all other monitoring or log gathering except the Microsoft SQL Server Audit.
I have looked at the log files and only have one sqlcollector* file in the debug directory. This appears on first install and then does not change or others do not appear, even when I change setting for the sql servers being monitored.
Here is what some of the log file looks like. It appears to start ok

Date
Time
Miliseconds
Log level
Process ID
Thread ID
Event Type
Source 
Method
Description

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Start reading the mappings file..

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value INTERNALEVENTID
id 
db name: ESM_ID

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value SECURITYCATEGORY
id 
db name: PC_ALERT_LEVEL

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value INWORKHOURS
id 
db name: IN_WORK_HOURS

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value ESMINSTANCE
id 
db name: ESM_INSTANCE_ID

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value RULENAME
id 
db name: RULE_NAME

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value DATE
id 
db name: DATE

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value TIME
id 
db name: TIME

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value SERVER
id 
db name: SERVER

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value EVENTCLASS
id 
db name: EVENT_CLASS

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value TEXTDATA
id 
db name: TEXT_DATA

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value APPLICATIONNAME
id 

db name: APPLICATION_NAME


This is the last line with a db name filled in
21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value STATE
id 
db name: STATE

Then it comes to this at the end
21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
InitMapings
Reading value OBJECTTYPE
id 
db name: 

21/08/2008
13:13:04
456
10
1054
10ac
info
SQLCollector.dll
Initialize
Opened the connection to the database

21/08/2008
13:13:04
456
0
1054
10ac
error
SQLCollector.dll
Initialize

Cannot create recordset

I have checked my SQL Security going to the database and tried both Windows domain account and our sa account.
The database is on another database server not on the monitoring machine. It is running 64bit SQL. I have tried it also on a 32bit SQL Server as well.

Can you tell me what I am not doing?

I am at build 8.1.0 20080702
 
Cheers
Angie 

< Message edited by AngieF -- 20.Aug.2008 9:58:04 PM >
Post #: 1
RE: Events Manager SQL Server Audit - 20.Aug.2008 10:15:48 PM   
AngieF

 

Posts: 5
Score: 0
Joined: 20.Aug.2008
Status: offline 		I enabled debugging as per the general thread instructions.
Am now getting at the end. It seems to be able to connect.....
21/08/2008
 14:10:38
722
1314
 fb0
1720
 info
 SQLCollector.dll
 ProcessData
 Stop scan detected...
Cheers
Angie 

(in reply to AngieF)
Post #: 2
RE: Events Manager SQL Server Audit - 22.Aug.2008 9:20:34 AM   
DrewE

 

Posts: 476
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline 		Angie,

First, Please ensure you are running the latest build of our software.  Then, try creating a new GFI EventsManager database.  I would recommend creating it with, and continue using the sa account here.  

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to AngieF)
Post #: 3
RE: Events Manager SQL Server Audit - 11.Sep.2008 8:59:13 PM   
AngieF

 

Posts: 5
Score: 0
Joined: 20.Aug.2008
Status: offline 		Thanks for the reply Drew.
I have been passed a kbase article (http://kbase.gfi.com/showarticle.asp?id=KBID003389) stating that SQL Audit will not run under XP SP3? Does this include Windows Server 2003 SP2?
I uninstalled SP3 on the pc and still no luck.
I have the Events Manager installed on a server trying to get it to work and still no luck also.
I still get the message at the bottom of ProcessData, Stop scan Detected in the SQLCollector* log.
Do I need to reinstall all the SQL components again also? The build I have is 20080902. I have also created a new database with the new build.

Cheers Angie

< Message edited by AngieF -- 11.Sep.2008 9:01:33 PM >

(in reply to DrewE)
Post #: 4
RE: Events Manager SQL Server Audit - 12.Sep.2008 9:00:42 AM   
DrewE

 

Posts: 476
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline 		Angie,

What version (SQL 2000 or SQL 2005) and edition (Standard, Express, etc.) of MS SQL are you using?

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to AngieF)
Post #: 5
RE: Events Manager SQL Server Audit - 14.Sep.2008 4:28:15 PM   
AngieF

 

Posts: 5
Score: 0
Joined: 20.Aug.2008
Status: offline 		I have both SQL Express 2005 and the Developer 2005 Versions. I also have SQL 2000 installed on the same machine.

On the Win2K3 server that I tried, I only have the Developer 2005 Version.

Cheers
Angie

(in reply to DrewE)
Post #: 6
RE: Events Manager SQL Server Audit - 15.Sep.2008 11:52:44 PM   
AngieF

 

Posts: 5
Score: 0
Joined: 20.Aug.2008
Status: offline 		Hi Drew, this is resolved now.

It looks to be our key, it was working and then after an update to 8.1, it stopped.
Did not really think about it being the key.
After doing some testing with our Vendor Delta Technologies NZ we got it working with another key. Two minute job really, unfortunately I have spent months on this...  anyway all fixed.
I believe a new one is on its way.

Thanks for your input
Appreciated
Cheers
Angie   

(in reply to AngieF)
Post #: 7
Page:   [1]
All Forums >> [Network Security] >> GFI EventsManager >> Events Manager SQL Server Audit Page: [1]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


   © 2008. All rights reserved. GFI Software Home Products Download Trials Support Ordering Site Map About Us Contact us
GFI solutions: Exchange anti spam filter - exchange anti virus - isa server - network vulnerability scanner - event log management - USB security software - exchange archiving - fax server software