Olga-1720 asked Olga-1720 commented

How to monitor on-prem MS SQL transactions with Sentinel?

Hi all,

My question is short: how can I forward MS SQL Server (on-prem) transaction data to Azure Sentinel (or Log Monitor)? I've found only this: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960 but it's for Audit, not for transactions.

Tags: sql-server-general, azure-monitor, microsoft-sentinel

@Olga-1720 We do not monitor SQL transactions via Sentinel. If you think this adds value and you have a proper business requirement, raise a user voice for Sentinel at https://feedback.azure.com/forums/920458-azure-sentinel

1 Vote 1 ·

Got it. Thank you

0 Votes 0 ·
Criszhan-msft answered Olga-1720 commented

Hi,

Are you talking about the SQL Server database transaction log itself? This may not be possible using Azure Sentinel.
The blog you provided introduces the use of Audit to record changes to the database and ingesting SQL Server Audit events into Azure Sentinel.

Because the SQL Server transaction log is positioned not for monitoring and recording user behavior, but for ensuring transaction consistency with minimal impact on performance, the content it records is for database services, not for users. So if you want to monitor user behavior, you still have to enable SQL Server's own monitoring tools, such as SQL Trace, XEvents, or Audit.

SQL Server provides a command DBCC LOG to read the log file, but the result is not intuitive. For more detailed information, you may need to use some third-party tools, such as ApexSQL Log.

If you want to make a backup of the database and transaction log files, you may need to consider HA/DR technologies, such as Always on availability groups, database mirroring, etc.

I am not familiar with Azure Sentinel; I am speaking from the perspective of SQL Server.


Hi,

I don't mean exactly the transaction log itself, but any ability to forward transactions to Sentinel. I was thinking about using SQL Server Profiler or something.

0 Votes 0 ·
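
Added example, not part of the thread or the linked blog: SQL Server Audit, one of the tools named in the answer above, records statement-level SELECT/INSERT/UPDATE/DELETE once a database audit specification is defined for them. The audit, specification and database names below are placeholders, and writing to the Windows Application log assumes the log-forwarding agent on the server collects that log.

```sql
-- Added example. [Sentinel_DML_Audit], [Sentinel_DML_Spec] and [SalesDb]
-- are placeholder names, not taken from the thread or the blog.

USE master;
GO

-- Server-level audit object: the destination for audit records.
-- APPLICATION_LOG writes each record as a Windows Application log event,
-- which an event-log forwarding agent can pick up.
CREATE SERVER AUDIT [Sentinel_DML_Audit]
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

ALTER SERVER AUDIT [Sentinel_DML_Audit] WITH (STATE = ON);
GO

USE [SalesDb];  -- placeholder database
GO

-- Database-level specification: which statements to record, on which
-- securable, for which principals. [public] covers every database user.
CREATE DATABASE AUDIT SPECIFICATION [Sentinel_DML_Spec]
    FOR SERVER AUDIT [Sentinel_DML_Audit]
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dbo] BY [public])
    WITH (STATE = ON);
GO

-- Confirm the audit is running and the actions are registered.
SELECT name, type_desc, is_state_enabled
FROM sys.server_audits
WHERE name = N'Sentinel_DML_Audit';

SELECT s.name AS specification_name,
       d.audit_action_name,
       d.class_desc,
       s.is_state_enabled
FROM sys.database_audit_specifications AS s
JOIN sys.database_audit_specification_details AS d
    ON d.database_specification_id = s.database_specification_id
WHERE s.name = N'Sentinel_DML_Spec';
```

Auditing every SELECT on a busy schema produces a large event volume, so scope the `ON` clause to the objects or schemas that actually need monitoring.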
TomPhillips-1744 answered Olga-1720 commented

I am unclear as to your question. The blog you posted has a section:
Step 3 - Sending logs from SQL Server to Azure Sentinel using Microsoft Monitoring Agent.

Is this not working for you? Are you having a problem?

If you are having a problem with Azure Sentinel, the Azure forum is likely a better place for your questions.


The blog does not describe exactly what I need; it was just the only thing I've found about SQL and Azure. In the blog, audit data is forwarded. But audit logs do not include transactions (select, update, etc.), which I need to see and analyze in Azure Sentinel.

0 Votes 0 ·

Azure Sentinel monitors the Windows Security log for security concerns. It is not for monitoring "activity" on the server.

0 Votes 0 ·

Yep, I know about Windows Security.
But if Sentinel supports custom logs, why can't it ingest SQL transactions?

0 Votes 0 ·