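# Copyright 2005 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# MS-SQL Application Event log parser
#
# DESCRIPTION:
# Processes event logs from MS-SQL servers
#
# LAST UPDATED: $Date: 2012/05/07 12:26:38 $
#
# Layout used by every rule below:
#   id=      unique rule number
#   name=    human-readable description of the rule
#   match=   literal substrings the raw log must contain (cheap pre-filter;
#            short fragments such as "ion"/"pp" are pieces of "Application")
#   regex=   full pattern; capture groups feed $1..$n in the log= line
#   log=     normalized event, type and extracted fields
#   NEXT     rule separator
#
# Field conventions in the normalized CSV-style log line:
#   ([a-zA-Z0-9-]+)  leading field  -> sensor (reporting agent)
#   IP:x.x.x.x       second field   -> address of the reporting SQL host
#   third field      numeric Windows event id (17144, 18456, ...)
# Rules 28425/28433 map the IP: field to dstip and the "[CLIENT: ...]"
# address to srcip; rules 3009-3018 only have the IP: field and report it
# as srcip, so for those rules srcip is the SQL host, not the login source.
#
# NOTE - ID 3008 and below is part of the win2k_os_app.prm library
id=3009
name=This MS SQL server encountered a pause request.
match=ion
match=Application
match=pp
match=,MSSQL
match=lo
match=ing
match=,17144 : SQL Server is disallowing new connections due
match=ect
match=onnect
match=onnection
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),17144
log=event:MSSQLSVR-Pause_Request type:restart srcip:$1
NEXT
id=3010
name=This MS SQL server had a valid login.
match=ion
match=Application
match=pp
match=,MSSQL
match=,18453
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),18453
# srcip is the IP: field (the SQL host itself); no user or client address
# is available from this event id alone.
log=event:MSSQLSVR-Login_Succeeded type:login srcip:$1
NEXT
id=3011
name=This MS SQL server had a login failure.
match=ion
match=Application
match=pp
match=,MSSQL
match=,18456
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),18456
# Generic 18456 catch-all: no user name is extracted here, so failures for
# accounts that rule 28433 cannot parse (see its note) only surface as this
# event with the SQL host as srcip.
log=event:MSSQLSVR-Login_Failed type:login-failure srcip:$1
NEXT
id=3013
name=This MS SQL server received a stop request.
match=ion
match=Application
match=pp
match=,MSSQL
match=,17148
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),17148
log=event:MSSQLSVR-Stop_Request type:restart srcip:$1
NEXT
id=3015
name=This MS SQL server had a login access revoked.
match=ion
match=Application
match=pp
match=,MSSQL
match=,15485
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),15485
log=event:MSSQLSVR-Login_Access_revoked type:login-failure srcip:$1
NEXT
id=3016
name=This MS SQL server could not revoke login access.
match=ion
match=Application
match=pp
match=,MSSQL
# Event-id pre-filter added for consistency with the sibling rules; the
# regex already requires ",15484", so this does not change what matches.
match=,15484
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),15484
log=event:MSSQLSVR-Could_Not_Revoke_Login_Access type:error srcip:$1
NEXT
id=3017
name=This MS SQL server had a failed login.
match=ion
match=Application
match=pp
match=,MSSQL
match=,15483
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),15483
log=event:MSSQLSVR-Login_Denied type:login-failure srcip:$1
NEXT
id=3018
name=This MS SQL server had a shutdown.
match=ion
match=Application
match=pp
match=,MSSQL
match=,6005
regex=,IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),6005
log=event:MSSQLSVR-Shutdown type:restart srcip:$1
# NOTE - ID 3019 and above is part of the win2k_os_app.prm library
NEXT
id=28425
name=This MS SQL server had a valid login.
match=ion
match=Application
match=pp
match=,MSSQL
match=ser
match=Lo
match=ce
match=ed
match=,Login succeeded for user '
# $1 sensor, $2 SQL host (IP: field), $3 user, $4 client address.
# NOTE(review): the user pattern requires a backslash-qualified name
# (DOMAIN\user); SQL-authenticated logins with no backslash, and names
# containing characters outside [a-zA-Z0-9._-], do not match this rule.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),Login succeeded for user .*\\([a-zA-Z0-9._-]+)'.* \[CLIENT: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:login event:MSSQLSVR-Successful_Login sensor:$1 srcip:$4 dstip:$2 user:$3
NEXT
id=28426
name=This MS SQL server had a trace started.
match=,MSSQL
match=ion
match=Application
match=pp
match=ce
match=ace
match=,SQL Trace ID
match=sta
match=lo
match=log
match=ar
match=ed
match= was started by login "
# The trace id is matched with [0-9]+ (not captured, so $1-$3 are
# unchanged). The previous pattern hard-coded "SQL Trace ID 5", which
# silently ignored traces with any other id even though the match= lines
# and the rule name are generic.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),SQL Trace ID [0-9]+ was started by login .*\\([a-zA-Z0-9._-]+)"
log=type:application event:MSSQLSVR-Trace_Toggled sensor:$1 srcip:$2 user:$3
NEXT
id=28427
name=This MS SQL server had its log backed up.
match=,MSSQL
match=ion
match=Application
match=pp
match=ack
match=Lo
match=ed
match=,Log was backed up. Database:
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Log_Backed_Up sensor:$1 srcip:$2
NEXT
id=28428
name=This MS SQL server had its database checked.
match=,MSSQL
match=ion
match=Application
match=pp
# The pre-filter previously embedded a site-specific database name
# ("DBCC CHECKDB (SQLcmArchive"), so the rule only fired for that one
# database. Anchoring on "DBCC CHECKDB (" keeps the command match and
# covers every database.
match=,DBCC CHECKDB (
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-CHECKDB sensor:$1 srcip:$2
NEXT
id=28429
# Name disambiguated from 28428 (CHECKDB) - this rule is CHECKCATALOG.
name=This MS SQL server had its database catalog checked.
match=,MSSQL
match=ion
match=Application
match=pp
match=AT
# Same site-specific database name removed as in 28428.
match=,DBCC CHECKCATALOG (
match=LO
match=AL
# $3 is the DOMAIN\user that executed the command (same backslash
# requirement as 28425).
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* executed by .*\\([a-zA-Z0-9._-]+)
log=type:application event:MSSQLSVR-CHECKCATALOG sensor:$1 srcip:$2 user:$3
NEXT
id=28430
name=This MS SQL server had its database restored.
match=,MSSQL
match=ion
match=Application
match=pp
match=est
match=ed
match=,18267 : Database restored: Database:
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Database_Restored sensor:$1 srcip:$2
NEXT
id=28431
name=This MS SQL server had an error.
match=,MSSQL
match=ion
match=Application
match=pp
match=rr
match=,Error:
match=ty
match= Severity:
# Catch-all for any "Error: N, Severity: N" message; the error number and
# severity are not extracted.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:error event:MSSQLSVR-Error sensor:$1 srcip:$2
NEXT
id=28432
name=This MS SQL server completed its analysis.
match=,MSSQL
match=ion
match=Application
match=pp
match=,3455 : Analysis of database '
match=ate
match=le
match=) is 100% complete (approximately 0 more seconds)
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:application event:MSSQLSVR-Database_Analysis_Completed sensor:$1 srcip:$2
NEXT
id=28433
name=This MS SQL server login failed.
match=,MSSQL
match=ion
match=Application
match=pp
match=ser
match=ail
match=Lo
match=le
match=ed
match=,Login failed for user '
# $1 sensor, $2 SQL host (IP: field), $3 user, $4 client address.
# NOTE(review): as in 28425 only DOMAIN\user names are captured; failed
# logins for SQL-authenticated accounts (no backslash) are not attributed
# to a user by this rule and presumably only appear via rule 3011.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),Login failed for user .*\\([a-zA-Z0-9._-]+)'.* \[CLIENT: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:login-failure event:MSSQLSVR-Login_Failed sensor:$1 srcip:$4 dstip:$2 user:$3
NEXT
id=28434
name=This MS SQL server login succeeded.
match=,MSSQL
match=ion
match=Application
match=pp
match=CL
match=lo
match=EN
# NOTE(review): this value read "[CLIENT: ]" in the source as received,
# which no log satisfying the regex below ("[CLIENT: <word word>]") can
# contain, so the rule could never fire. It is restored to the
# local-machine form implied by the regex, the "cal" fragment and the
# event name - confirm against the original library.
match=[CLIENT: <local machine>]
match=cal
match=ser
match=Lo
match=ce
match=ed
match=,Login succeeded for user '
# Login from the SQL host itself: the client is "<local machine>" rather
# than an address, so srcip is taken from the IP: field ($2).
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),Login succeeded for user .*\\([a-zA-Z0-9._-]+)'.* \[CLIENT: (\<([a-zA-Z0-9]+) ([a-zA-Z0-9]+)\>)\]
log=type:login event:MSSQLSVR-Login_Succeeded_For_Local_Machine sensor:$1 user:$3 srcip:$2
NEXT
id=28435
name=This MS SQL server is showing that I/O is frozen on the database, although no user action is required, if I/O is not resumed promptly, you could cancel the backup.
match=,MSSQL
match=ion
match=Application
match=pp
match=I/O is frozen on database
match=ire
match=ser
match=ed
match= No user action is required.
# NOTE(review): $3 is the numeric field that follows IP: in the log line;
# in rules 3009-3018 and 28430/28432 that position holds the Windows event
# id, yet rules 28435-28439 report it as srcport - verify against a sample
# event before relying on srcport from these rules.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+),I\/O is frozen on database
log=type:error event:MSSQLSVR-Database_Frozen sensor:$1 srcip:$2 srcport:$3
NEXT
id=28436
name=This MS SQL server is showing that I/O has resumed on the database, no user action is required.
match=,MSSQL
match=ion
match=Application
match=pp
match=ed
match=I/O was resumed on database
match=ire
match=ser
match= No user action is required.
# srcport:$3 - same field caveat as 28435.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+),I\/O was resumed on database
log=type:application event:MSSQLSVR-Database_Unfrozen sensor:$1 srcip:$2 srcport:$3
NEXT
id=28437
name=This MS SQL server is showing that database backed up and no user action is required.
match=,MSSQL
match=ion
match=Application
match=pp
match=ack
match=ed
match=Database backed up.
match=ire
match=ser
match= No user action is required.
# srcport:$3 - same field caveat as 28435.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+),Database backed up.
log=type:application event:MSSQLSVR-Database_Backedup sensor:$1 srcip:$2 srcport:$3
NEXT
id=28438
name=This MS SQL server is showing that a login packet used to open the connection is structurally invalid.
match=,MSSQL
match=ion
match=Application
match=pp
match=The login packet
match=connection is structurally invalid
# Malformed TDS login packet reported by the server; the peer address is
# not extracted, srcip is the SQL host. srcport:$3 - same caveat as 28435.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=type:error event:MSSQLSVR-Login_Invalid sensor:$1 srcip:$2 srcport:$3
NEXT
id=28439
name=This MS SQL server is showing that the length specified in network packet payload did not match number of bytes read; the connection has been closed.
match=,MSSQL
match=ion
match=Application
match=pp
match=payload did not match number of bytes read
# Truncated or malformed network packet; as with 28438 only the SQL host
# address is available. srcport:$3 - same caveat as 28435.
regex=([a-zA-Z0-9-]+),IP\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),([0-9]+)
log=type:error event:MSSQLSVR-Payload_Not_Matched sensor:$1 srcip:$2 srcport:$3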