Up
Previous Next

Sheriff CSMâ„¢

Microsoft SQL Server through NXLog

When you configure Microsoft SQL Server to send log data to Sheriff CSM, you can use the MSSQL Server NXLog plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

DeviceDetails
Vendor Microsoft
Device Type Database server
Connection Type Syslog
Data Source Name mssql-nxlog
Data Source ID 1849

Integrating Microsoft SQL Server and NXLog

Before configuring NXLog in Sheriff CSM, you must have enabled the SQL Server Audit feature and send audit results to the Windows Application Log.

Create a Server Audit and Database Audit Specification

Note: You can use SQL Server Management Studio or Microsoft Transact-SQL (T-SQL) to perform this task. See the Microsoft documentation if you need detailed step-by-step assistance.

To use the SQL Server Management Studio

  1. Create a new server audit:

    1. In Object Explorer, expand the Security folder, right-click the Audits folder, and select New Audit.
    2. In the Audit destination list, select Application Log.
    3. Select the other options as needed and click OK.

  2. Create a database-level audit specification

    1. In Object Explorer, expand the database you want to send log to Sheriff CSM.
    2. Expand the Security folder, right-click the Database Audit Specifications folder and select New Database Audit Specification.
    3. In the Audit list, select the audit you created in the previous step.
    4. Select the other options as needed and click OK.

Configure NXLog on Windows

To send log data through NXLog to Sheriff CSM

  1. If not done already, download nxlog.conf, and then place it in the conf directory of your NXLog installation. Depending on which version you use, the directory can be C:\Program Files (x86)\nxlog\conf for the 32-bit version or C:\Program Files\nxlog\conf for the 64-bit version.

    Note: This step overwrites the default nxlog.conf file. You may want to back up the original copy before placing the one provided by AT&T Cybersecurity.

  2. Open the nxlog.conf file in a text editor.

  3. Update the root path of your NXLog installation.

    1. Locate the following lines:

      #define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
    2. Uncomment the path that matches the NXLog installation on your Windows machine.

  4. Enter the Sheriff CSM Sensor (Deputy) IP address.

    1. Locate the following line:

      define OUTPUT_DESTINATION_ADDRESS <Sheriff-CSM-Sensor-IP>
    2. Replace <Sheriff-CSM-Sensor-IP> with the IP address of the Sheriff CSM All-in-One or Sheriff CSM Sensor that will receive the Windows events.

  5. Uncomment the section between MSSQL-NXLOG and /MSSQL-NXLOG.

    Important: Only remove the first # symbol in each line when uncommenting the sections. The remaining # symbol indicates that the line is either a comment or optional.

  6. Save the file.

  7. Start or restart the NXLog service.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

If enabling the plugin on assets, you will find it listed as Microsoft : SQL Server : NXLog.

Enabling the mssql-nxlog plugin from asset

Additional Resources and Troubleshooting

NXLog documentation on forwarding and storing logs

For troubleshooting, refer to the vendor documentation:

NXLog documentation on troubleshooting

This topic: Sheriff > UserGuides > SheriffCSMDocumentation > DeploymentGuide > PluginManagement > ConfigureLogForwardingOnCommonlyUsedDataSources > NXLogPlugins > MicrosoftSQLServerThroughNXLog
Topic revision: 29 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.