IBM Support

QRadar: Microsoft SQL Server account privileges are required for logging events in QRadar

Question & Answer


Question

What permissions do we need on a Microsoft SQL Server to allow QRadar to query the AuditData table?

Cause

Insufficient privileges granted to the SQL user account prevent QRadar from collecting events from Microsoft SQL Server.

Answer

Before you begin: This configuration is for Microsoft SQL Server 2008 - 2012. Check your SQL Server documentation for other revisions.

The Microsoft SQL Server Log Source requires a user with the SELECT privilege on the dbo.AuditData view. Per our DSM Guide, the dbo.AuditData view is created based on the sys.fn_get_audit_file function, which requires the CONTROL SERVER permission.

If the user in question cannot query the view, this might be due to insufficient permissions granted.
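The following T-SQL is an added example, not taken from the DSM Guide. It shows one way to grant the two permissions named above and then confirm them from the account's own security context. The login name `qradar_reader`, the database name `AuditDB` and the password are placeholders chosen for illustration; substitute the login QRadar uses and the database where your dbo.AuditData view was created.

```sql
-- Added example. qradar_reader, AuditDB and the password are placeholders.
USE master;
GO

-- Dedicated login for the QRadar log source, subject to the Windows password policy.
CREATE LOGIN qradar_reader
    WITH PASSWORD = N'<replace-with-strong-password>',
         CHECK_POLICY = ON;
GO

-- Server-level permission that sys.fn_get_audit_file requires.
GRANT CONTROL SERVER TO qradar_reader;
GO

-- Assumption: dbo.AuditData was created in this database.
USE AuditDB;
GO

CREATE USER qradar_reader FOR LOGIN qradar_reader;
GO

-- Object-level permission the log source needs on the view.
GRANT SELECT ON OBJECT::dbo.AuditData TO qradar_reader;
GO

-- Verification: impersonate the login and check both permissions.
-- Each column returns 1 when the permission is effective, 0 when it is not.
EXECUTE AS LOGIN = 'qradar_reader';

SELECT
    HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')        AS has_control_server,
    HAS_PERMS_BY_NAME('dbo.AuditData', 'OBJECT', 'SELECT') AS has_select_on_view;

-- The same read path QRadar uses; an error here reproduces the collection failure.
SELECT TOP (1) * FROM dbo.AuditData;

REVERT;
GO
```

CONTROL SERVER is a broad server-level permission, so store this login's credentials as you would those of any privileged account and use the login only for the QRadar log source.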

For more information, see Microsoft Library - sys.fn_get_audit_file.
 


Document Information

Modified date:
03 April 2020

UID

swg21989944