Re: Monitor ExtendedEvents and SQLAudits in SQL Server

Just to add some additional information to this question above about the STIGs from the original author... ultimately, if the tool could remove the audit requirement from SQL Server, this would serve us best:

V-79145 STIG ID SQL6-D0-005500 CAT II states:

"Design and deploy an Audit that captures all auditable events and data items.  In the event a third-party tool is used for auditing, it must contain all the required information including but not limited to events, type, location, subject, date, and time and by whom the change occurred."

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Knowledgebase_Articles/Configure_MSSQL_Auditor_on_a_LEM_Agent

======================================================

V-79223 STIGID: SQL6-D0-010700 CAT II states:

"SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server"

V-79225 STIGID: SQL6-D0-01800 CAT II states:

"SQL Server must provide centralized configuration of the content to be captured in audit records generated by all components of SQL Server."

V-79311 STIGID: SQL6-D0-015900 states:

"The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems."

REGARDING THE "must contain" clause above:

If we can meet these requirements with SolarWinds LEM, it will allow us to close these open vulnerabilities. The trace file partially meets the requirement. It would also be beneficial if there could be a listing of the actual trace items captured:

Examples: TraceID 14, 15, 18, 20, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 115, 116, 117, 118, 128, 129, 130, 131, 132, 133, 134, 135, 152, 153, 170, 171, 172, 173, 175, 176, 177, 178

The above represents the items required in the pre-SQL 2016 STIGs if the SQL methods still entail using traces and have not yet switched over to SQL Audits and Extended Events. It would be helpful to know exactly what was covered in the default trace given by SolarWinds, as it would allow us to re-orient what is collected, and how and where, to meet this as well as the requirements for specific Audits. (Roughly 33 of them exist, along with the default two from SQL 2016: system health and telemetry events.)

EXAMPLES: SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP, SERVER_PRINCIPAL_IMPERSONATION_GROUP, SERVER_OPERATION_GROUP, AUDIT_CHANGE_GROUP (to name a few)

(newbie question) Is there a way to edit the original question without adding a second comment?
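As an added illustration of the SQL Audit side of the post (not code from the poster or from SolarWinds): this T-SQL creates a server audit that writes to the Windows Application log, which a log agent can forward off-box, adds the action groups the post names, and then reports which of those groups are still missing from any enabled specification. The audit and specification names are placeholders chosen here, and ON_FAILURE is left at CONTINUE for the example.

```sql
USE master;
GO
-- Placeholder names (assumption): rename to match your own naming standard.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'STIG_Server_Audit')
    CREATE SERVER AUDIT STIG_Server_Audit
        TO APPLICATION_LOG
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);  -- set per site policy
GO
-- Action groups quoted in the post. SCHEMA_OBJECT_ACCESS_GROUP is high-volume;
-- size the log collection path for it before enabling on a busy instance.
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications
               WHERE name = N'STIG_Server_Audit_Spec')
    CREATE SERVER AUDIT SPECIFICATION STIG_Server_Audit_Spec
        FOR SERVER AUDIT STIG_Server_Audit
        ADD (SCHEMA_OBJECT_ACCESS_GROUP),
        ADD (SCHEMA_OBJECT_CHANGE_GROUP),
        ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
        ADD (SERVER_OPERATION_GROUP),
        ADD (AUDIT_CHANGE_GROUP)
        WITH (STATE = ON);
GO
ALTER SERVER AUDIT STIG_Server_Audit WITH (STATE = ON);
GO
-- Coverage check: which required groups are absent from every enabled
-- specification attached to an enabled audit? Useful as STIG evidence.
DECLARE @required TABLE (action_group sysname PRIMARY KEY);
INSERT INTO @required (action_group) VALUES
    (N'SCHEMA_OBJECT_ACCESS_GROUP'), (N'SCHEMA_OBJECT_CHANGE_GROUP'),
    (N'SERVER_PRINCIPAL_IMPERSONATION_GROUP'), (N'SERVER_OPERATION_GROUP'),
    (N'AUDIT_CHANGE_GROUP');

SELECT r.action_group,
       CASE WHEN c.audit_action_name IS NULL THEN 'MISSING' ELSE 'PRESENT' END AS coverage
FROM @required AS r
LEFT JOIN (
    SELECT DISTINCT d.audit_action_name
    FROM sys.server_audit_specification_details AS d
    JOIN sys.server_audit_specifications AS s
      ON s.server_specification_id = d.server_specification_id
    JOIN sys.server_audits AS a
      ON a.audit_guid = s.audit_guid
    WHERE s.is_state_enabled = 1 AND a.is_state_enabled = 1
) AS c ON c.audit_action_name = r.action_group
ORDER BY coverage, r.action_group;
```

Any row reported as MISSING is a gap against the "must contain" clause; the same pattern extends to the rest of the roughly 33 action groups by adding them to @required.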