# Copyright 2005 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# MS-SQL Application Event log parser
#
# DESCRIPTION:
# Processes event logs from MS-SQL servers
#
# LAST UPDATED: $Date$

# NOTE - IDs 3008 and below are part of the win2k_os_app.prm library

# --- Rule layout used throughout this file (reviewer notes) ---
# A rule runs from id= to the NEXT separator.  Every match= value is a literal
# substring of the event line the rule is meant to parse, which reads as a
# cheap prefilter applied ahead of regex=; confirm the exact semantics
# (all-must-match vs. any) against the LCE PRM reference.  A leading "!" on a
# match= (ids 28470 and 28493 below) appears to exclude lines containing that
# substring.  regex= capture groups are substituted into log= as $1..$n.
# Event line layout parsed here: <sensor>,IP:<a.b.c.d>,<event id> :  <text>.
# Ids 3009-3018 capture only the IP: field and report it as srcip.  The later
# rules capture <sensor> as $1 and report the same IP: field as srcip in some
# places (28427-28449) and as dstip in others (28425, 28470-28483); where a
# login rule captures the [CLIENT: ...] address, that becomes srcip.  Anyone
# correlating on srcip across both families gets different hosts from the
# same field, so normalise before building alerts on it.
id=3009
name=This MS SQL server encountered a pause request.
# Fragments such as "ion", "pp", "lo", "ect" are substrings of the full event
# line; they carry no meaning on their own.
match=ion
match=Application
match=pp
match=,MSSQL
match=lo
match=ing
match=,17144 :  SQL Server is disallowing new connections due
match=ect
match=onnect
match=onnection
# Event id 17144 is pinned both by match= and by the regex.
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),17144
log=event:MSSQLSVR-Pause_Request type:restart srcip:$1

NEXT

id=3010
name=This MS SQL server had a valid login. 
match=ion
match=Application
match=pp
match=,MSSQL
match=,18453
# Only the reporting server's IP: field is captured; neither the login name
# nor the [CLIENT: ...] address is recorded.  Rules 28425/28470/28471 parse
# the "Login succeeded for user" text for those fields, so this rule is the
# coarse event-id-only view of the same login.
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),18453
log=event:MSSQLSVR-Login_Succeeded type:login srcip:$1

NEXT

id=3011
name=This MS SQL server had a login failure.
match=ion
match=Application
match=pp
match=,MSSQL
match=,18456
# Failed logins are the input for brute-force / password-spray detection, but
# this rule keeps only the server's IP: field as srcip.  The user name and the
# [CLIENT: ...] address needed for that correlation are captured by 28433 and
# 14337, which parse the message text of the same event.
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),18456
log=event:MSSQLSVR-Login_Failed type:login-failure srcip:$1

NEXT

id=3013
name=This MS SQL server received a stop request.
match=ion
match=Application
match=pp
match=,MSSQL
match=,17148
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),17148
log=event:MSSQLSVR-Stop_Request type:restart srcip:$1

NEXT

id=3015
name=This MS SQL server had a login access revoked.
match=ion
match=Application
match=pp
match=,MSSQL
match=,15485
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),15485
log=event:MSSQLSVR-Login_Access_revoked type:login-failure srcip:$1

NEXT

id=3016
name=This MS SQL server could not revoke login access.
match=ion
match=Application
match=pp
match=,MSSQL
# Unlike its siblings (3009-3018) this rule has no match=,15484 prefilter; the
# event id is pinned only by the regex, so every ,MSSQL Application event
# reaches the regex stage.  Matching stays correct; adding `match=,15484`
# would keep it in step with the others.
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),15484
log=event:MSSQLSVR-Could_Not_Revoke_Login_Access type:error srcip:$1

NEXT

id=3017
name=This MS SQL server had a failed login.
match=ion
match=Application
match=pp
match=,MSSQL
match=,15483
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),15483
log=event:MSSQLSVR-Login_Denied type:login-failure srcip:$1

NEXT

id=3018
name=This MS SQL server had a shutdown.
match=ion
match=Application
match=pp
match=,MSSQL
match=,6005
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),6005
log=event:MSSQLSVR-Shutdown type:restart srcip:$1

# NOTE - IDs 3019 and above are part of the win2k_os_app.prm library

NEXT

id=28425
name=This MS SQL server had a valid login.
match=ion
match=Application
match=pp
match=,MSSQL
match=ser
match=Lo
match=ce
match=ed
match=,Login succeeded for user '
# Groups: $1 sensor, $2 the server's IP: field, $3 login name, $4 client
# address.  $3 is the trailing run of [a-zA-Z0-9._-] before the closing quote,
# so a DOMAIN\ prefix is dropped; keep that in mind when matching this user
# field against directory accounts.  This rule requires an IPv4 [CLIENT: ...];
# 28471 handles the <...> form and 28470 lines with no CLIENT field at all.
# All three emit the same event name (MSSQLSVR-Successful_Login).
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Login succeeded for user .*?([a-zA-Z0-9._-]+)'.* \[CLIENT: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:login event:MSSQLSVR-Successful_Login sensor:$1 srcip:$4 dstip:$2 user:$3

NEXT

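# NOTE(review): a trace being started by an unexpected login is a change to
# what the server records, so this event is worth keeping visible.
id=28426
name=This MS SQL server had a trace started.
match=,MSSQL
match=ion
match=Application
match=pp
match=ce
match=ace
match=,SQL Trace ID 
match=sta
match=lo
match=log
match=ar
match=ed
match= was started by login "
# Fix: the trace id was hard-coded as "5", so only that one trace ever produced
# an event although the match= prefilter above accepts any id.
# Groups: $1 sensor, $2 the server's IP: field, $3 the login name after the
# last backslash (the DOMAIN\ prefix is dropped).  A login without a backslash
# still does not match because of the literal \\; widen that separately if
# such logins need to be covered.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),SQL Trace ID [0-9]+ was started by login .*\\([a-zA-Z0-9._-]+)" 
log=type:application event:MSSQLSVR-Trace_Toggled sensor:$1 srcip:$2 user:$3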

NEXT

id=28427
name=This MS SQL server had a complete backup.
match=,MSSQL
match=ion
match=Application
match=pp
match=ack
match=Lo
match=ed
match=,Log was backed up. Database: 
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Log_Backed_Up sensor:$1 srcip:$2


NEXT

id=28428
name=This MS SQL server had its database checked.
match=,MSSQL
match=ion
match=Application
match=pp
# NOTE(review): the prefilter pins a specific database name, "(SQLcmArchive",
# which looks site-specific; DBCC CHECKDB runs against any other database will
# not be reported by this rule.  If general coverage is intended, the
# prefilter would end at `,DBCC CHECKDB (` - confirm before widening.
match=,DBCC CHECKDB (SQLcmArchive
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-CHECKDB sensor:$1 srcip:$2


NEXT

# The name is identical to 28428's although this rule reports DBCC CHECKCATALOG
# (event MSSQLSVR-CHECKCATALOG) rather than CHECKDB.
id=28429
name=This MS SQL server had its database checked.
match=,MSSQL
match=ion
match=Application
match=pp
match=AT
# NOTE(review): as in 28428, the database name "(SQLcmArchive" is pinned here,
# so checks against other databases are not reported.
match=,DBCC CHECKCATALOG (SQLcmArchive
match=LO
match=AL
# $3 is the executing principal after the last backslash ("executed by
# DOMAIN\user"); a principal without a backslash does not match.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* executed by .*\\([a-zA-Z0-9._-]+)
log=type:application event:MSSQLSVR-CHECKCATALOG sensor:$1 srcip:$2 user:$3

NEXT

id=28430
name=This MS SQL server had its database restored.
match=,MSSQL
match=ion
match=Application
match=pp
match=est
match=ed
match=,18267 :  Database restored: Database: 
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Database_Restored sensor:$1 srcip:$2

NEXT

# Catch-all: any MSSQL Application event whose line contains "Error".
# The more specific error rules later in the file (28444 operating system
# error, 28445 low disk space, ...) match lines that also satisfy this rule;
# whether one line yields one event or several depends on whether the engine
# stops at the first matching rule, which is not visible from this file.
id=28431
name=This MS SQL server had an error.
match=MSSQL
match=ion
match=Application
match=pp
match=rr
match=Error
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:error event:MSSQLSVR-Error sensor:$1 srcip:$2

NEXT

id=28432
name=This MS SQL server completed its analysis.
match=,MSSQL
match=ion
match=Application
match=pp
match=,3455 :  Analysis of database '
match=ate
match=le
match=) is 100% complete (approximately 0 more seconds)
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Database_Analysis_Completed sensor:$1 srcip:$2

NEXT

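id=28433
name=This MS SQL server login failed.
match=,MSSQL
match=ion
match=Application
match=pp
match=ser
match=ail
match=Lo
match=le
match=ed
match=,Login failed for user '
# Groups: $1 sensor, $2 the server's IP: field, $3 the [CLIENT: a.b.c.d] address.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),Login failed for user.*\[CLIENT: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
# Fix: srcip referenced $4, but the regex has only three groups, so the client
# address was never populated (the log line mirrors 28425's four-group layout).
# The client address is what failed-login / brute-force correlation keys on;
# 14337 parses the same message and already uses $3.
# The failing user name ("Login failed for user '<name>'") is not captured
# here; 28425 shows the capture pattern if user attribution is wanted.
log=type:login-failure event:MSSQLSVR-Login_Failed sensor:$1 srcip:$3 dstip:$2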

NEXT

id=28434
name=This MS SQL server login succeeded.
match=,MSSQL
match=ion
match=Application
match=pp
match=CL
match=lo
match=EN
# Restricts this rule to logins made from the server itself.
match=[CLIENT: <local machine>]
match=cal
match=ser
match=Lo
match=ce
match=ed
match=,Login succeeded for user '
# Groups: $1 sensor, $2 the server's IP: field, $3 login name after the last
# backslash (DOMAIN\ dropped).  The literal \\ means a local login whose name
# has no backslash is not matched by this rule.  Groups 4-6 (the "<local
# machine>" text) are captured but unused.  srcip:$2 reports the server's own
# address, which is right for a local login.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),Login succeeded for user .*\\([a-zA-Z0-9._-]+)'.* \[CLIENT: (\<([a-zA-Z0-9]+) ([a-zA-Z0-9]+)\>)\]
log=type:login event:MSSQLSVR-Login_Succeeded_For_Local_Machine sensor:$1 user:$3 srcip:$2 

NEXT

id=28435
name=This MS SQL server is showing that I/O is frozen on the database, although no user action is required, if I/O is not resumed promptly, you could cancel the backup.
match=,MSSQL
match=ion
match=Application
match=pp
match=I/O is frozen on database
match=ire
match=ser
match=ed
match= No user action is required.
# NOTE(review): $3 is the numeric field that follows IP: and is reported as
# srcport here and in 28436-28439.  In rules 3009-3018 the field in that
# position is the Windows event id (17144, 18453, ...), so confirm against a
# live event that this is a port and not the event id before relying on it.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+),I\/O is frozen on database
log=type:error event:MSSQLSVR-Database_Frozen sensor:$1 srcip:$2 srcport:$3

NEXT

id=28436
name=This MS SQL server is showing that I/O has resumed on the database, no user action is required.
match=,MSSQL
match=ion
match=Application
match=pp
match=ed
match=I/O was resumed on database
match=ire
match=ser
match= No user action is required.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+),I\/O was resumed on database
log=type:application event:MSSQLSVR-Database_Unfrozen sensor:$1 srcip:$2 srcport:$3

NEXT

id=28437
name=This MS SQL server is showing that the database was backed up and no user action is required.
match=,MSSQL
match=MSSQL
match=Information
match=Info
match=ion
match=Application
match=pp
match=ack
match=ed
match=up
match=Data
match=date
match=tion
match=Database backed up
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=type:application event:MSSQLSVR-Database_Backedup sensor:$1 srcip:$2 srcport:$3

NEXT

id=28438
name=This MS SQL server is showing that a login packet used to open the connection is structurally invalid.
match=,MSSQL
match=ion
match=Application
match=pp
match=The login packet 
match=connection is structurally invalid
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=type:error event:MSSQLSVR-Login_Invalid sensor:$1 srcip:$2 srcport:$3

NEXT

id=28439
name=This MS SQL server is showing that the length specified in network packet payload did not match number of bytes read; the connection has been closed.
match=,MSSQL
match=ion
match=Application
match=pp
match=payload did not match number of bytes read
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=type:error event:MSSQLSVR-Payload_Not_Matched sensor:$1 srcip:$2 srcport:$3

NEXT

id=28440
name=This MS SQL server has issued an informational message only, no user action required.
match=,MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=Server
match=er
match=ing
match=in
match=ee
match=This instance
match=has been using
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Info_Message sensor:$1 srcip:$2

NEXT

id=28441
name=This MS SQL server has changed options, run the RECONFIGURE statement to install.
match=,MSSQL
match=ion
match=Application
match=pp
match=ed
match=Info
match=Information
match=user
match=er
match=Run the RECONFIGURE statement to install
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Reconfigure_To_Install sensor:$1 srcip:$2

NEXT

id=28442
name=This MS SQL server has issued SQLISPackage messages.
match=SQLISPackage
match=,122
match=ion
match=Application
match=pp
match=ed
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-SQLISPackage_Messages sensor:$1 srcip:$2

NEXT

id=28443
name=This MSSQL$SQLEXPRESS is starting up the database.
match=,MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=Start
match=ing
match=up
match=,Starting up database
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-EXPRESS_Start_Database sensor:$1 srcip:$2

NEXT

id=28444
name=This MS SQL server has reported an operating system error.
match=,MSSQL
match=ion
match=Application
match=pp
match=ed
match=Error
match=rr
match=Operating system error
match=ing
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:error event:MSSQLSVR-Operating_System_Error sensor:$1 srcip:$2

NEXT

id=28445
name=This MS SQL server has reported a catalog in the database is low on disk space. Pausing all populations in progress until more space becomes available.
match=,MSSQL
match=ion
match=Application
match=pp
match=ed
match=Error
match=rr
match=database
match=is low on disk space.
match=ing
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:error event:MSSQLSVR-Low_Disk_Space sensor:$1 srcip:$2

NEXT

id=28446
name=This MS SQL server has stopped listening due to a failure. The server will automatically attempt to re-establish listening.
match=,MSSQL
match=ion
match=Application
match=pp
match=sta
match=lo
match=ed
match=nn
match=failure
match=Server
match=connection provider has stopped listening
match=due to a failure
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Server
log=type:error event:MSSQLSVR-Stopped_Listening sensor:$1 srcip:$2 

NEXT

id=28447
name=This MS SQL server has issued MSSQL$COMMVAULT messages.
match=,MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=for
# Pins one named instance (MSSQL$COMMVAULT); the generic ,MSSQL rules in this
# file also match lines from that instance since ",MSSQL" is a substring.
match=MSSQL$COMMVAULT
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
# NOTE(review): the event name "MSSQCOMVAULT-Messages" breaks the MSSQL...
# prefix used everywhere else (likely a typo).  Renaming it changes an
# identifier that downstream queries and alerts may already key on, so it is
# flagged here rather than changed.
log=type:application event:MSSQCOMVAULT-Messages sensor:$1 srcip:$2

NEXT

id=28448
name=This MS SQL server has issued MSSQL$SECRETSERVER messages.
match=,MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=for
match=MSSQL$SECRETSERVER
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSECRETSERVER-Messages sensor:$1 srcip:$2

NEXT

id=28449
name=This MS SQL server reported that a backup with truncate only or with no log is deprecated.
match=,MSSQL
match=ion
match=Application
match=pp
match=Information
match=Info
match=is
match=ed
match=deprecated
match=LOG is deprecated
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),8309,BACKUP
log=type:application event:MSSQLSVR-Backup_Deprecated sensor:$1 srcip:$2

NEXT

id=28470
name=This MS SQL server had a valid login.
# Excludes lines carrying a [CLIENT: ...] field; those are handled by 28425
# (IPv4 client), 28471 (<...> client) and 28434 (<local machine>).  With no
# client field there is no source address to report, hence no srcip below.
match=!CLIENT
match=ion
match=Application
match=pp
match=,MSSQL
match=ser
match=Lo
match=ce
match=ed
match=Login succeeded for user '
# $3 is the trailing run of [a-zA-Z0-9._-] before the closing quote, so any
# DOMAIN\ prefix is dropped.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Login succeeded for user .*?([a-zA-Z0-9._-]+)'
log=type:login event:MSSQLSVR-Successful_Login sensor:$1 dstip:$2 user:$3

NEXT

id=28471
name=This MS SQL server had a valid login.
match=ion
match=Application
match=pp
match=,MSSQL
match=ser
match=Lo
match=ce
match=ed
match=Login succeeded for user '
# NOTE(review): $4 is whatever run of letters follows "[CLIENT: <"; the class
# stops at the first space, so for "<local machine>" it is the word "local",
# which is then reported as srcip.  Consumers expecting an address in srcip
# will get a word here.  28434 already covers the <local machine> form and
# reports the server's own IP: field as srcip instead.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Login succeeded for user .*?([a-zA-Z0-9._-]+)'.* \[CLIENT: \<([A-Za-z\>]+)
log=type:login event:MSSQLSVR-Successful_Login sensor:$1 dstip:$2 srcip:$4 user:$3

NEXT

id=28472
name=This MS SQL server has set a database option.
match=ion
match=Application
match=pp
match=Info
match=Information
match=,MSSQL
match=ing
match=tt
match=Setting
match=database
match=option
match=Setting database option
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*Setting database option
log=type:application event:MSSQLSVR-Setting_Database_Option sensor:$1 dstip:$2 

NEXT

# NOTE(review): a self-generated certificate means connection encryption is on
# but the server's identity is not validated against a trusted CA.  Where
# policy requires CA-issued certificates this event is a useful posture
# signal; it is logged as type:application rather than as an error.
id=28473
name=This MS SQL server has had a self-generated certificate successfully loaded for encryption.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=ed
match=cc
match=ss
match=certificate was successfully loaded for encryption
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Certificate_Loaded sensor:$1 dstip:$2

NEXT

id=28474
name=This MS SQL server has reported FILESTREAM messages.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=ed
match=cc
match=ss
match=file system access share name
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Filestream_Messages sensor:$1 dstip:$2

NEXT

id=28475
name=This MS SQL server has reported the SQL Server is now ready for client connections.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=nn
match=er
match=ready
match=Server is now ready for client connections
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Ready_For_Connections sensor:$1 dstip:$2

NEXT

id=28476
name=This MS SQL server has reported the SQL Server Network Interface library successfully registered the Service.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=cc
match=ss
match=lly
match=ed
match=the
match=successfully registered the Service 
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Successfully_Registered_Service sensor:$1 dstip:$2

NEXT

id=28477
name=This MS SQL server has reported the Database Mirroring protocol transport is disabled or not configured.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=proto
match=disabled
match=ed
match=is
match= protocol transport is disabled
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Protocol_Transport_Disabled sensor:$1 dstip:$2

NEXT

id=28478
name=This MS SQL server has reported the service Broker manager has started.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=manager
match=ed
match=started
match=Service Broker manager has started
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Broker_Manager_Started sensor:$1 dstip:$2

NEXT

id=28479
name=This MS SQL server has reported the server local connection provider is ready to accept connections.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=nn
match=cc
match=local
match=Server local connection provider is ready to accept connection
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Local_Ready_For_Connection sensor:$1 dstip:$2

NEXT

id=28480
name=This MS SQL server has reported the temp database is cleared.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=ing
match=temp
match=database
match=Clearing tempdb database
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Clearing_Temp_Database sensor:$1 dstip:$2

NEXT

id=28481
name=This MS SQL server has reported a trace has started.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=SQL Trace ID
match=ed
match=started
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Trace_Started sensor:$1 dstip:$2

NEXT

id=28482
name=This MS SQL server has resumed execution after being idle.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=er
match=ed
match=idle
match=after
match=Server resumed execution after being idle
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),
log=type:application event:MSSQLSVR-Resumed_Execution sensor:$1 dstip:$2

NEXT

id=28483
name=This MS SQL server has had a failed login.
match=MSSQL
match=ion
match=Info
match=Information
match=re
match=ed
match=Login failed for user
# NOTE(review): "VIM" narrows this rule to lines containing that string, which
# looks like a site-specific host or account name; failed logins elsewhere
# are reported by 28433 / 14337.  This rule also lacks the Application/pp
# prefilters its siblings carry.  The event name MSSQLSVR-Failed_Login
# differs from MSSQLSVR-Login_Failed used by 28433 and 14337 for the same
# condition, so alerts keyed on one name miss the other.
match=VIM
# Groups: $1 sensor, $2 the server's IP: field, $3 the [CLIENT: a.b.c.d] address.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*\[CLIENT: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:login-failure event:MSSQLSVR-Failed_Login sensor:$1 dstip:$2 srcip:$3

NEXT

id=28484
name=This MS SQL server has had the database differential changes backed up.
match=MSSQL
match=ion
match=Application
match=pp
match=Info
match=Information
match=re
match=ed
match=Database differential changes were backed up
match=up
match=ff
match=ial
match=cha
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Changes_Backed_Up sensor:$1 srcip:$2

NEXT

id=28485
name=This MS SQL server has detected a CREATE event.
match=MSSQL
match=ion
match=Info
match=Information
match=ment
match=statement:
match=st
match=ate
match=nt
match=Success Audit
# "(?i)" placed mid-pattern makes only the remainder ("CREATE") case-insensitive
# in PCRE-style engines; confirm the engine used by LCE accepts it there.
# No principal is captured for this DDL event; 14343 shows that these audit
# lines carry a server_principal_name: field that could be captured as user.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)CREATE
log=type:application event:MSSQLSVR-Create_Event sensor:$1 srcip:$2

NEXT

id=28486
name=This MS SQL server has altered an event.
match=MSSQL
match=ion
match=Info
match=Information
match=statement:
match=nt
match=st
match=state
match=ment
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)ALTER
log=type:application event:MSSQLSVR-Alter_Event sensor:$1 srcip:$2

NEXT

id=28487
name=This MS SQL server has enabled an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=event enabled
match=nt
match=ed
match=audit_event
match=aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Audit_Event_Enabled sensor:$1 srcip:$2

NEXT

id=28488
name=This MS SQL server has added an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=Audit event
match=nt
match=Aud
match=ADD
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Audit_Event_Added sensor:$1 srcip:$2

NEXT

id=28489
name=This MS SQL server has had a network error possibly caused by login timeout.
match=MSSQL
match=ion
match=Info
match=Information
match=Audit event
match=nt
match=Aud
match=Failure Audit
match=client or server login timeout
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:login-failure event:MSSQLSVR-Audit_Login_Timeout sensor:$1 srcip:$2

NEXT

id=28490
name=This MS SQL server has granted an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=Audit event
match=statement:
match=nt
match=Aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)GRANT
log=type:application event:MSSQLSVR-Audit_Event_Granted sensor:$1 srcip:$2

NEXT

id=28491
name=This MS SQL server has executed an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=Audit event
match=statement:
match=nt
match=Aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)EXECUTE
log=type:application event:MSSQLSVR-Audit_Event_Executed sensor:$1 srcip:$2

NEXT

id=28492
name=This MS SQL server has dropped an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=Audit event
match=statement:
match=nt
match=Aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)DROP
log=type:application event:MSSQLSVR-Audit_Event_Dropped sensor:$1 srcip:$2

NEXT

id=28493
name=This MS SQL server has an exec audit event.
# Excludes lines containing "EXECUTE"/"execute" so that 28491 (EXECUTE) and
# this rule (EXEC) do not both fire.  The exclusions are literal, while the
# regex below is case-insensitive, so a mixed-case "Execute" passes the
# exclusions and is reported here as an EXEC event.
match=!EXECUTE
match=!execute
match=MSSQL
match=ion
match=Info
match=Information
match=Audit event
match=statement:
match=nt
match=Aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)EXEC
log=type:application event:MSSQLSVR-Audit_Event_Exec sensor:$1 srcip:$2

NEXT

# Parses the same "Login failed for user" message as 28433 with a looser
# ".*Login failed" and without the Application/pp prefilters; whether one line
# yields one or two events depends on engine behaviour not visible here.
id=14337
name=This MS SQL server login failed.
match=,MSSQL
match=ion
match=ser
match=ail
match=Lo
match=le
match=ed
match=Login failed for user
# Groups: $1 sensor, $2 the server's IP: field, $3 the [CLIENT: a.b.c.d] address.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Login failed for user.*\[CLIENT: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:login-failure event:MSSQLSVR-Login_Failed sensor:$1 srcip:$3 dstip:$2

NEXT

id=14338
name=This MS SQL server has disabled an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=event disabled
match=nt
match=ed
match=audit_event
match=aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Audit_Event_Disabled sensor:$1 srcip:$2

NEXT

id=14339
name=This MS SQL server has destroyed an audit event.
match=MSSQL
match=ion
match=Info
match=Information
match=destroyed
match=nt
match=ed
match=aud
match=Success Audit
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Audit_Event_Destroyed sensor:$1 srcip:$2

NEXT

id=14340
name=This MS SQL server has restored a transaction log backup.
match=MSSQL
match=ion
match=Info
match=Information
match=nt
match=ed
match=Aud
match=Success Audit
# The regex keys on "statement:" but, unlike 28485-28493, there is no
# match=statement: prefilter; adding one keeps this rule consistent with them.
# No principal is captured; see 14343 for the server_principal_name: pattern.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)RESTORE LOG
log=type:application event:MSSQLSVR-Audit_Event_Restore_Log sensor:$1 srcip:$2

NEXT

# TRUNCATE TABLE is a destructive, non-logged operation; this rule reports it
# as type:application without the executing principal.  14343 shows the
# server_principal_name: capture that would attribute it to an account.
id=14341
name=This MS SQL server has detected the execution of a TRUNCATE TABLE statement.
match=MSSQL
match=ion
match=Info
match=Information
match=nt
match=ed
match=Aud
match=Success Audit
# As in 14340 there is no match=statement: prefilter ahead of this regex.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*statement:(?i)TRUNCATE TABLE
log=type:application event:MSSQLSVR-Audit_Event_Truncate_Table sensor:$1 srcip:$2

NEXT

id=14342
name=This MS SQL has detected the server state changed to started.
match=MSSQL
match=ion
match=Info
match=Information
match=nt
match=ed
match=Aud
match=Success Audit
match=action_id:SVSR
match=class_type:SR
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Audit_Event_Server_Started sensor:$1 srcip:$2

NEXT

id=14343
name=This MS SQL has detected an alter event session.
match=MSSQL
match=ion
match=Info
match=Information
match=nt
match=ed
match=Aud
match=Success Audit
# action_id / class_type prefilters select the audit record by its codes
# (the rule name records the intended meaning: ALTER on an event session).
match=action_id:AL
match=class_type:SE
# Captures server_principal_name: as the user - the only audit rule in this
# file that attributes the action to a principal.  Changes to event sessions
# alter what the server records, so that attribution is worth having.
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*server_principal_name:([a-zA-Z0-9._-]+)
log=type:application event:MSSQLSVR-Audit_Event_Alter_Event_Session sensor:$1 srcip:$2 user:$3

NEXT

id=14344
name=This MS SQL has detected the creation of a table.
match=MSSQL
match=ion
match=Info
match=Information
match=nt
match=ed
match=Aud
match=Success Audit
match=action_id:CR
match=class_type:U
regex=([a-zA-Z0-9-\.]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Audit_Event_Create_Table sensor:$1 srcip:$2