Topic
  • 8 replies
  • Latest Post - ‏2012-11-23T19:06:22Z by zbychfish
PrashantMadhyasta
11 Posts

Pinned topic: Capturing Windows events through Guardium

‏2011-09-30T20:38:27Z |
Does Guardium have a feature to collect and report Windows system/user/application/security events?
If it does, how is this configured? If it is not a built-in feature, are there any workarounds so that we get to see these events in central Guardium reports together with the DB reports?

This is really helpful during event correlation.
Updated on 2012-11-23T19:06:22Z by zbychfish
  • rsubramani@us.ibm.com
    30 Posts

    Re: Capturing windows events through Guardium

    ‏2011-11-04T11:43:38Z  
    Hi Prashant:

    I have some documentation on this. I will finalize it and send you the URL.

    Thanks,
    Ravi.
  • PrashantMadhyasta
    11 Posts

    Re: Capturing windows events through Guardium

    ‏2011-11-10T10:58:22Z  
    Thanks so much, I am eagerly waiting for this useful info.
  • SystemAdmin
    483 Posts

    Re: Capturing windows events through Guardium

    ‏2012-01-09T14:14:39Z  
    Ravi
    I would be interested in seeing this document as well. Could you send it to me too at bkratz@us.ibm.com?
    Thanks
    Bruce
  • SystemAdmin
    483 Posts

    Re: Capturing windows events through Guardium

    ‏2012-01-30T14:46:33Z  
    Hi,

    I'm interested to know about that too. Can you email it to me at tsteh@comwise.com.my?

    All the while I only knew Guardium captured database activities, but didn't know it can also capture the events from Windows machines. I thought only log management or a SIEM could do that. Glad you have the solution and can share it.

    regards,
    Teh
  • QTE0_Rodrigo_Bisbal
    2 Posts

    Re: Capturing windows events through Guardium

    ‏2012-02-01T02:32:21Z  
    Guardium has the ability to meet this requirement. You have to install the CAS option on the database server. The CAS option, besides auditing changes to the files and libraries that make up a database, has the ability to run scripts at the OS level and capture the output of these scripts.

    The security events you need are stored in the Windows EventLog. So we need a script that CAS can fire that scans the EventLog for the types of events you need to audit. Typical examples of these are: AD logins, failed logins, new accounts, deprecated accounts, SQL Server startup or shutdown, or any other event. These are different event logs you can filter by: for MS-SQL events use "Application", for login failures use "Security", etc.

    I have attached a detailed document explaining this, with some real-life Perl code samples that you can use as is or modify to suit your project.

    Note that the latest Windows S-TAP comes with Perl, including the module to read the Event Log. For older versions you have to install Perl on the Windows server.
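    One way to build the kind of scanning script the post describes, as an added example that is not the attached document's code: a Perl script using the Win32::EventLog module that reads one event log newest-first, keeps only audit failures, errors and SQL Server messages from a recent window, and prints one tab-separated line per event for CAS to capture from stdout. The script name, its two arguments, the output column layout and the "MSSQLSERVER" source name (the default-instance service name) are assumptions.

```perl
#!/usr/bin/perl
# eventscan.pl (hypothetical name): scan one Windows Event Log and print the
# events of interest, one per line, so a CAS script template can capture stdout.
# Usage: perl eventscan.pl <LogName> <look-back minutes>
use strict;
use warnings;
use Win32::EventLog;

my ($log_name, $minutes) = @ARGV;
$log_name ||= 'Security';   # 'Security' for logon failures, 'Application' for MS-SQL
$minutes  ||= 15;           # look-back window; align it with the CAS run interval
my $since = time() - $minutes * 60;

# Ask the module to expand the full message text, not only the insertion strings.
$Win32::EventLog::GetMessageText = 1;

my $log = Win32::EventLog->new($log_name, $ENV{COMPUTERNAME})
    or die "cannot open event log $log_name: $^E\n";

# Selection rules: audit failures (failed logons in the Security log) and errors
# by type, plus everything from the SQL Server service by source (assumed name).
my %want_type   = (EVENTLOG_AUDIT_FAILURE() => 1, EVENTLOG_ERROR_TYPE() => 1);
my %want_source = (MSSQLSERVER => 1);

my $rec = {};
# Read backwards (newest first) so we can stop at the first record older than the window.
while ($log->Read(EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, $rec)) {
    last if $rec->{TimeGenerated} < $since;
    next unless $want_type{ $rec->{EventType} } || $want_source{ $rec->{Source} };

    # Fall back to the raw NUL-separated insertion strings if no message text resolved.
    my $msg = $rec->{Message} // join ' ', split /\0/, ($rec->{Strings} // '');
    $msg =~ s/[\r\n\t]+/ /g;          # keep exactly one event per output line

    my @t = localtime $rec->{TimeGenerated};   # (sec, min, hour, mday, mon, year, ...)
    printf "%04d-%02d-%02d %02d:%02d:%02d\t%s\t%s\t%s\t%d\t%s\n",
        $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0],
        $rec->{Computer}, $log_name, $rec->{Source},
        $rec->{EventID} & 0xFFFF,     # low word is the familiar event ID
        $msg;
}
$log->Close;
```

    Run it with "Application 15" on a CAS interval of 15 minutes to pick up SQL Server startup and shutdown messages; the fixed column order is what you would map onto the CAS output fields in the Guardium report.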
  • SystemAdmin
    483 Posts

    Re: Capturing windows events through Guardium

    ‏2012-02-01T04:02:19Z  
    Thanks a lot for the sharing.
  • SystemAdmin
    483 Posts

    Re: Capturing windows events through Guardium

    ‏2012-11-21T05:57:16Z  
    Hi All,
    Can anyone please give me some samples of the logs that Guardium generated? Please send the samples to my mail id shaileshpawar1711@gmail.com

    Thanks in advance,
    Shailesh
  • zbychfish
    8 Posts

    Re: Capturing windows events through Guardium

    ‏2012-11-23T19:06:22Z  
    The method presented in the answer inside the thread relies on CAS and in many situations doesn't allow parsing the data in the same way as other DB events.
    Actually Guardium (V9) provides the Universal Feed. Depending on requirements, you can push any external security events to the collector using the standard G9 schema, or create your own set of attributes (custom domain).