Database Administration Monitoring

Configuring Snare MSSQL for the Collector

The Snare Agent for MSSQL tracks and monitors all database administrative activity on a Microsoft SQL Server and sends it to a remote Snare Server. This allows Linux machines to access Microsoft SQL data. For the Collector to ingest logs from the Microsoft SQL Server, the logs must be exported from the Snare MSSQL Agent.

InsightIDR currently supports collection of SQL Server logs through the Snare MSSQL Agent. To learn more about the Snare agent software, visit their website.

Installation

To install the Snare MSSQL agent, currently version 5.0, perform the following steps:

  1. Download an evaluation copy of Snare MSSQL Agent. The evaluation copy is functional for 45 days. You can download a free, open-source version of Snare here.
  2. Once an evaluation link is obtained, follow the instructions to install the Agent.
  3. Enter the appropriate credentials to access the SQL Server you wish to monitor. Once installed, you may access the Snare application through your browser on port 6163 by default.

Configure an Objective

Configure an objective that monitors the desired events in your SQL Server.

  1. Click Objectives Configuration.
  2. Enter information for your SQL instance. Take full advantage of InsightIDR monitoring capabilities by entering the information as displayed in the following screen capture.
  3. In the Network Configuration tab, set your logs to flow to the Collector. To do so, point the Destination Snare Server Address to your Collector. Take note of the Destination Port. It will be used in InsightIDR.
  4. Go to the Apply the Latest Audit Configuration tab to apply your new settings. After SQL activity has occurred, you should observe events on the Latest Events tab.

Troubleshooting

If you are not seeing events on the Latest Events tab of the Snare interface, ensure these three statements are true in your environment:

  1. The service account that runs the Snare Agent needs to have local administrative rights.
  2. The service account must also have the sysadmin role in the SQL Server.
  3. The agent must be able to write to the trace file location configured in the network settings.

For Windows 2012 systems, this must be a location other than the default C:\Program Files\SNARE MSSQL
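
The three checks above can be run as a Windows PowerShell script. This is an added example, not taken from the Snare or InsightIDR documentation. It assumes an elevated session started as the Snare service account, so each result reflects that account's effective rights; `$SqlInstance` and `$TraceDirectory` are hypothetical parameter names for the monitored instance and the trace file location configured in Snare.

```powershell
# Added example: run elevated, as the Snare service account.
param(
    [Parameter(Mandatory = $true)] [string] $SqlInstance,     # assumption: e.g. 'localhost' or 'HOST\INSTANCE'
    [Parameter(Mandatory = $true)] [string] $TraceDirectory   # assumption: trace file location set in Snare
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()

# 1. Local administrative rights (effective membership, nested groups included).
$isLocalAdmin = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. sysadmin role on the SQL Server, evaluated for the connecting Windows login.
$connString = "Server=$SqlInstance;Integrated Security=True"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
    $isSysadmin = ($cmd.ExecuteScalar() -eq 1)   # 1 = member, 0 = not a member
} catch {
    $isSysadmin = $false
    Write-Warning "SQL check failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# 3. Write access to the trace file location: create and delete a probe file.
$probe = Join-Path $TraceDirectory ("snare-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    [IO.File]::WriteAllText($probe, 'probe')
    Remove-Item -LiteralPath $probe -Force
    $canWrite = $true
} catch {
    $canWrite = $false
    Write-Warning "Trace directory check failed: $($_.Exception.Message)"
}

# One row summarising the three preconditions for the current account.
[pscustomobject]@{
    Account       = $identity.Name
    LocalAdmin    = $isLocalAdmin
    SqlSysadmin   = $isSysadmin
    TraceWritable = $canWrite
}
```

Any `False` column identifies which of the three preconditions to fix before re-checking the Latest Events tab.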
