Microsoft SQL Server sample event message
Use this sample event message to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Microsoft SQL Server sample message when you use the Syslog protocol
The following sample event message shows a Microsoft SQL Server Drop Login event.
event_time: "2019-02-11 13:17:32.0931454" sequence_number: "1" action_id: "DR" succeeded: "true" permission_bitmask: "00000000000000000000000000000000" is_column_permission: "false" session_id: "93" server_principal_id: "261" database_principal_id: "1" target_server_principal_id: "0" target_database_principal_id: "0" object_id: "280" class_type: "WL" session_server_principal_name: "test\testUser" server_principal_name: "test\testUser" server_principal_sid: "010500000000000515000000400A7B7284B93A98D9627B492A050000" database_principal_name: "dbo" target_server_principal_name: "" target_server_principal_sid: "null" target_database_principal_name: "" server_instance_name: "testInstance" database_name: "master" schema_name: "" object_name: "test\9testSIEMSQLread" statement: "DROP LOGIN [test\9testSIEMSQLread]" additional_information: "" file_name: "L:\Audit\Audit-20190201-185847_AAD06900-8725-43A2-A949-9F15D560395A_0_131938307626970000.sqlaudit" audit_file_offset: "35328" user_defined_event_id: "0" user_defined_information: "" audit_schema_version: "1" sequence_group_id: "8EDC9010D8D0294FB639D026C4CB2241" transaction_id: "1321291"
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | action_id + class_type |
Category | When the Microsoft SQL Server DSM parses this type of event, the Category value in QRadar is always MicrosoftSQL. |
Username | session_server_principal_name |
Log Source Time | event_time |