0 Replies Latest reply on Sep 14, 2018 9:49 AM by frak

    Best way to pull the audit info - dbo.AuditingEvents - into Splunk?


      We have configured SolarWinds to audit config changes and login/logout. This data goes into the AuditingEvents table.


      In looking for how to get SW data into Splunk, I found two ways: set up a DB Connect SQL connection and query, or use a Splunk Add-on (https://splunkbase.splunk.com/app/3584/).


      The latter is set up to import three things: the list of nodes, all alerts, and the output of a 'custom query', for which we would query the AuditingEvents table (as an aside, I don't understand why the add-on was written to ignore auditable events without doing custom work).


      We decided to use DB Connect since it was just a simple query to get what we need (and no messing around with disabling components of the Add-on). And then we went in circles for the rest of the day, thinking it was problems with SQL or similar. It turns out the Splunk DB Connect feature is glitchy, giving random time-out and (fake) permission denied messages even when permissions up to dbo were set.


      For obvious reasons I think we will go back to using the Add-on.


      What have other people used?


      This is the basic query we wrapped into a view to use (we also found that a stored procedure could not be used, as any command is wrapped in "SELECT * FROM ( )"):

      SELECT ev.AuditEventID, ev.TimeLoggedUTC, ev.AccountID, typ.ActionTypeDisplayName, ev.AuditEventMessage
      FROM dbo.AuditingEvents AS ev
      INNER JOIN dbo.AuditingActionTypes AS typ
          ON ev.ActionTypeID = typ.ActionTypeID
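As an added example (not from the post above or from SolarWinds), here is the same join wrapped into a view together with the DB Connect rising-column query that reads it incrementally, so each run only picks up audit rows newer than the last checkpoint. The view name vw_SW_AuditEvents is a hypothetical choice, the dialect is SQL Server T-SQL, and it assumes AuditEventID is an ever-increasing identity column; table and column names are the ones used in the post.

```sql
-- Added example, not the poster's or SolarWinds' code. T-SQL (SQL Server).
-- Table/column names come from the post; vw_SW_AuditEvents is hypothetical.

-- 1) View over the audit tables. A view (rather than a stored procedure) is
--    used because DB Connect wraps the configured statement in
--    "SELECT * FROM ( ... )", which a view can sit inside.
CREATE VIEW dbo.vw_SW_AuditEvents
AS
SELECT ev.AuditEventID,
       ev.TimeLoggedUTC,
       ev.AccountID,
       typ.ActionTypeDisplayName,
       ev.AuditEventMessage
FROM dbo.AuditingEvents AS ev
INNER JOIN dbo.AuditingActionTypes AS typ
    ON ev.ActionTypeID = typ.ActionTypeID;
GO

-- 2) DB Connect input statement in "rising column" mode. DB Connect replaces
--    "?" with the last checkpointed value of the rising column, so only rows
--    added since the previous run are returned. Use AuditEventID (assumed to
--    be an always-increasing identity) as the checkpoint rather than
--    TimeLoggedUTC: two events logged in the same instant would otherwise be
--    skipped, and an audit feed with silently missing logon/config events is
--    worse than none for detection purposes.
SELECT *
FROM dbo.vw_SW_AuditEvents
WHERE AuditEventID > ?
ORDER BY AuditEventID ASC;
```

Grant the DB Connect service account SELECT on the view only, not dbo rights, so the Splunk side can read audit rows but never alter them.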