IBM QRadar

Hello all.

Currently, I am trying to integrate a SQL Server 2008 Standard edition to QRadar. Before QRadar Arcsights was used and we used the AuditTrace store procedure given by them. I am evaluating to take trc files to qradar but is needed a transformation before that. I have evaluated the following:

• Creating view referring trc files: no options because we cannot create a view
• Modify current store procedure to save trace files in plain text format: still reviewing but I do not see it feasible

Do you have any recommendations to achieve this?

Thanks!

------------------------------
Andres Arguelles
------------------------------

Hello all.

After working with the DBAs I have solved this defining a view using the SQL function fn_trace_gettable. I share with all of you if this could be useful to everyone in the community.

------------------------------
Andres Arguelles
------------------------------

Original Message:
Sent: Fri July 03, 2020 08:24 PM
From: Andres Arguelles
Subject: SQL Server trace file ingestion

Hello all.

Currently, I am trying to integrate a SQL Server 2008 Standard edition to QRadar. Before QRadar Arcsights was used and we used the AuditTrace store procedure given by them. I am evaluating to take trc files to qradar but is needed a transformation before that. I have evaluated the following:

• Creating view referring trc files: no options because we cannot create a view
• Modify current store procedure to save trace files in plain text format: still reviewing but I do not see it feasible

Do you have any recommendations to achieve this?

Thanks!

------------------------------
Andres Arguelles
------------------------------

Hi Andres,

Did you get any success with this? Can you please share the details here?

Thanks

------------------------------
Rameez Ali
------------------------------

Original Message:
Sent: Thu July 30, 2020 02:58 PM
From: Andres Arguelles
Subject: SQL Server trace file ingestion

Hello all.

After working with the DBAs I have solved this defining a view using the SQL function fn_trace_gettable. I share with all of you if this could be useful to everyone in the community.

------------------------------
Andres Arguelles

Original Message:
Sent: Fri July 03, 2020 08:24 PM
From: Andres Arguelles
Subject: SQL Server trace file ingestion

Hello all.

Currently, I am trying to integrate a SQL Server 2008 Standard edition to QRadar. Before QRadar Arcsights was used and we used the AuditTrace store procedure given by them. I am evaluating to take trc files to qradar but is needed a transformation before that. I have evaluated the following:

• Creating view referring trc files: no options because we cannot create a view
• Modify current store procedure to save trace files in plain text format: still reviewing but I do not see it feasible

Do you have any recommendations to achieve this?

Thanks!

------------------------------
Andres Arguelles
------------------------------