Database logging event source onboarding

Previously we used Default Trace in SQL Server to write the trace logs into the log folder in the SQL Server Data Directory, and shared the logs folder and the trace file with specific users, like sqlsrv.
Snare’s Epilog pulled the data from the trace files and sent it to Snare, and Snare sent it on to our previous SIEM.
Can this be done neater and cleaner with just the IDR agent or is NXLog necessary?

Hello,

We are taking the same path currently. There is a specific log source defined by Rapid7 which uses Remote WMI and Distributed COM to read the forwarded SQL events from the Windows Event Log. They have pretty detailed instructions in their log source configuration documentation, but I want to add a missing part: the account configured to read the event logs must be added to the local Distributed COM Users group and added as a security principal on WMI\CIMv2 with Remote Enable and Remote Execute permissions.

Here’s the article: Microsoft SQL Database Audit Logs | InsightIDR Documentation

If you have any question ask away.

Good luck,

A.

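A check for the two prerequisites the reply above describes, as an added example that is not from the thread or from the Rapid7 documentation: run elevated on the SQL Server host, it reports whether a collector account is in the local Distributed COM Users group and whether the root\cimv2 namespace DACL grants it Enable Account, Remote Enable and Execute Methods. The account name is a placeholder, and the mask bit values are the WMI SDK constants for those three rights (the reply's "Remote Execute" is taken here to mean the Execute Methods right).

```powershell
# Added verification script (not the project's own code). Assumes an elevated session
# on the SQL Server host and a placeholder collector account that you replace.
param(
    [string]$Account = 'CONTOSO\svc_idr_collector'   # placeholder collector account
)

# WMI namespace access-mask bits (WMI SDK): the wmimgmt.msc checkboxes map to these.
$WBEM_ENABLE         = 0x01   # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x02   # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable" (required because the collector reads over the network)

# Resolve the account to a SID so we can compare reliably against group members and ACEs
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Membership in the local "Distributed COM Users" group (DCOM launch/activation rights)
$dcomMembers = Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction Stop
$inDcomGroup = [bool]($dcomMembers | Where-Object { $_.SID.Value -eq $sid })

# 2. DACL of the root\cimv2 namespace. Only ACEs granted directly to this SID are
#    considered; rights inherited through a group (e.g. Administrators) are not evaluated here.
$sd  = (Invoke-CimMethod -Namespace 'root/cimv2' -ClassName '__SystemSecurity' `
           -MethodName 'GetSecurityDescriptor').Descriptor
$allowAces = $sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid -and $_.AceType -eq 0 }  # 0 = allow
$mask = 0
foreach ($ace in $allowAces) { $mask = $mask -bor $ace.AccessMask }

$hasEnable  = ($mask -band $WBEM_ENABLE)         -ne 0
$hasRemote  = ($mask -band $WBEM_REMOTE_ACCESS)  -ne 0
$hasExecute = ($mask -band $WBEM_METHOD_EXECUTE) -ne 0

# Summary object: Ready is $true only when every prerequisite is satisfied
[pscustomobject]@{
    Account             = $Account
    DistributedCOMUsers = $inDcomGroup
    WMI_EnableAccount   = $hasEnable
    WMI_RemoteEnable    = $hasRemote
    WMI_ExecuteMethods  = $hasExecute
    Ready               = ($inDcomGroup -and $hasEnable -and $hasRemote -and $hasExecute)
}
```

A $false in any column points at the step still missing from the log source setup; membership and namespace rights are then granted as the documentation describes, keeping the collector account limited to exactly these rights rather than local administrator.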