Does Guardium have a feature to collect and report Windows system/user/application/security events?
If it does, how do I configure this? If it is not a built-in feature, are there any workarounds so that we get to see these events in central Guardium reports together with DB reports?
This is really helpful during event correlation.
Pinned topic: Capturing Windows events through Guardium
Updated on 2012-11-23T19:06:22Z by zbychfish
PrashantMadhyasta
Re: Capturing windows events through Guardium, 2012-01-09T14:14:39Z
I would be interested in seeing this document as well. Could you send to me also at email@example.com
Re: Capturing windows events through Guardium, 2012-01-30T14:46:33Z
I'm interested in knowing about that too. Can you email me at firstname.lastname@example.org?
All this while I only knew Guardium captures the database activities but didn't know it can also capture the events from a Windows machine. I thought only log management or a SIEM can do that. Glad you have the solution and can share.
QTE0_Rodrigo_Bisbal
Re: Capturing windows events through Guardium, 2012-02-01T02:32:21Z
Guardium has the ability to meet this requirement. You have to install the CAS option on the database server. The CAS option, besides auditing changes to the files and libraries that make up a database, has the ability to run scripts at the OS level and capture the output of these scripts.
The security events you need are stored in the Windows EventLog. So we need a script that CAS can fire that scans the EventLog for the types of events you need to audit. Typical examples of these are: AD logins, failed logins, new accounts, deprecated accounts, SQL Server startup or shutdown, or any other event. These are different event types you can filter by: for MS-SQL events use "Application", for login failures use "Security", etc.
I have attached a detailed document explaining this, with some real-life Perl code samples that you can use as is or modify to suit your project.
Note that the latest Windows S-Tap comes with Perl with the module to read the Event Log. For older versions you have to install Perl on the Windows server.
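An added example of the kind of script the post describes; it is not the attached document or Guardium's own code. It reads the Security log with the Win32::EventLog module (assumed available, as the post says for the newer S-Tap Perl), prints one line per audit-failure event that appeared since the previous run so CAS can capture the output, and tracks its position in a state file whose path is a constructed placeholder.

```perl
#!/usr/bin/perl
# Added example (not from the thread or its attachment): a script of the kind
# CAS can fire on a schedule. It scans the Windows Security log for audit
# failures that appeared since the previous run and prints one tab-separated
# line per event to STDOUT, which CAS captures as the script's output.
# Assumptions: the Win32::EventLog module is present (the post says the newer
# Windows S-Tap ships Perl with it) and the state-file path is writable.
use strict;
use warnings;
use Win32::EventLog;

my $LOG_NAME   = 'Security';     # use 'Application' for MS-SQL events instead
my $STATE_FILE = 'C:\\guardium\\cas_seclog.state';   # constructed placeholder path
$Win32::EventLog::GetMessageText = 1;   # expand insertion strings into {Message}

# High-water mark: the last record number reported by the previous run.
my $last_seen = 0;
if (open my $fh, '<', $STATE_FILE) {
    my $line = <$fh>;
    close $fh;
    $last_seen = $1 if defined $line && $line =~ /^(\d+)/;
}

my $log = Win32::EventLog->new($LOG_NAME)
    or die "cannot open the $LOG_NAME log (admin rights needed): $^E\n";
my ($oldest, $count) = (0, 0);
$log->GetOldest($oldest);        # record number of the oldest entry still kept
$log->GetNumber($count);         # number of entries currently in the log
my $newest = $oldest + $count - 1;
my $start  = $last_seen + 1 > $oldest ? $last_seen + 1 : $oldest;  # log may have wrapped

my %event;
for my $rec ($start .. $newest) {
    $log->Read(EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, $rec, \%event) or next;
    next unless $event{EventType} == EVENTLOG_AUDIT_FAILURE;   # failed logons etc.
    my $id  = $event{EventID} & 0xFFFF;   # low word is the event ID shown in Event Viewer
    my $msg = defined $event{Message} ? $event{Message} : '';
    $msg =~ s/\s+/ /g;                    # keep each event on a single line for parsing
    print join("\t", scalar localtime($event{TimeGenerated}), $event{Computer},
               $LOG_NAME, $id, $event{Source}, $msg), "\n";
}
$log->Close;

# Persist the high-water mark so the next CAS invocation reports only new events.
open my $out, '>', $STATE_FILE or die "cannot write $STATE_FILE: $!\n";
print $out "$newest\n";
close $out;
```

Reading the Security log requires an account with audit-log read rights, so the CAS service account needs that privilege on the database server.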
Re: Capturing windows events through Guardium, 2012-11-21T05:57:16Z
Hi All,
Please, can anyone give me some log samples that Guardium generated? Please send me a sample at my mail id email@example.com
Thanks in advance,
zbychfish
Re: Capturing windows events through Guardium, 2012-11-23T19:06:22Z
The method presented in the answer inside the thread relies on CAS and in many situations doesn't allow parsing the data similarly to other DB events.
Actually Guardium (V9) provides the Universal Feed. Depending on requirements you can push any external security events to the collector using the standard G9 schema or create your own set of attributes (custom domain).