I am using the SQL Server STIG guidance to create an audit file:
USE [master]
GO
/****** Object: Audit [STIG_Audit_Permissions_Queries] Script Date: 2/2/2022 1:32:17 AM ******/
CREATE SERVER AUDIT [STIG_Audit_Permissions_Queries]
TO FILE
(   FILEPATH = N'L:\Audits\'
    ,MAXSIZE = 200 MB
    ,MAX_ROLLOVER_FILES = 50
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = SHUTDOWN
    ,AUDIT_GUID = '3b3950fd-ade8-42c1-bd22-e36e071ee53d'
)
-- Audit filter: keep only events against these catalog views in the sys schema.
-- The common [Schema_Name]='sys' term is factored out; this is equivalent to the
-- original list of "[Schema_Name]='sys' AND [Object_Name]='...'" pairs joined by OR.
WHERE ([Schema_Name] = 'sys' AND (
       [Object_Name] = 'all_objects' OR [Object_Name] = 'database_permissions' OR [Object_Name] = 'database_principals'
    OR [Object_Name] = 'database_role_members' OR [Object_Name] = 'dm_column_store_object_pool' OR [Object_Name] = 'dm_db_xtp_object_stats'
    OR [Object_Name] = 'dm_os_memory_objects' OR [Object_Name] = 'dm_xe_object_columns' OR [Object_Name] = 'dm_xe_objects'
    OR [Object_Name] = 'dm_xe_session_object_columns' OR [Object_Name] = 'filetable_system_defined_objects' OR [Object_Name] = 'linked_logins'
    OR [Object_Name] = 'login_token' OR [Object_Name] = 'objects' OR [Object_Name] = 'remote_logins'
    OR [Object_Name] = 'server_permissions' OR [Object_Name] = 'server_principal_credentials' OR [Object_Name] = 'server_principals'
    OR [Object_Name] = 'server_role_members' OR [Object_Name] = 'sql_logins' OR [Object_Name] = 'syscacheobjects'
    OR [Object_Name] = 'syslogins' OR [Object_Name] = 'sysobjects' OR [Object_Name] = 'sysoledbusers'
    OR [Object_Name] = 'syspermissions' OR [Object_Name] = 'sysremotelogins' OR [Object_Name] = 'system_objects'
    OR [Object_Name] = 'sysusers' OR [Object_Name] = 'user_token'))
GO
ALTER SERVER AUDIT [STIG_Audit_Permissions_Queries] WITH (STATE = ON)
GO
This works well and is creating audit files, and the files can be read with SQL Server Management Studio. We have a large number of SQL Servers in our environment. We would like to capture the logs into a tool such as WAZUH so that they can be read in a central location and, if an entry is suspicious, possibly take some action. We are already capturing files such as the error.log.# files.
Unfortunately, the files that are created are binary. How can I configure the audit to produce ASCII-based files?
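An added example, not part of the question or of the STIG script, showing the two routes available given that SQL Server Audit has no text-file target: its on-premises targets are a binary .sqlaudit file, the Windows Application log, and the Windows Security log. Route 1 decodes the existing files with sys.fn_get_audit_file and emits one JSON object per row, which sqlcmd can write to a text file that Wazuh tails as JSON. Route 2 creates a parallel audit that writes to the Application log, which the Wazuh Windows agent already collects as an event channel. The audit name and the path L:\Audits\ come from the question; the event-log audit name, the shortened filter, and the SCHEMA_OBJECT_ACCESS_GROUP specification are assumptions made for the example.

```sql
-- Added example (not from the question). Assumes the audit name and path from the
-- question; the event-log audit name, shortened filter and action group are illustrative.

-- Route 1: decode the binary .sqlaudit files into text with sys.fn_get_audit_file.
-- The wildcard matches every rollover file; DEFAULT, DEFAULT starts at the first file
-- and record. The correlated FOR JSON subquery with WITHOUT_ARRAY_WRAPPER yields one
-- JSON object per row, i.e. newline-delimited JSON, which Wazuh ingests with a
-- <localfile> entry of <log_format>json</log_format>. FOR JSON needs SQL Server 2016+.
SELECT (
    SELECT  a.event_time,
            a.action_id,
            a.succeeded,
            a.session_server_principal_name,
            a.server_principal_name,
            a.server_instance_name,
            a.database_name,
            a.schema_name,
            a.object_name,
            a.statement
    FOR JSON PATH, WITHOUT_ARRAY_WRAPPER
) AS json_line
FROM sys.fn_get_audit_file(N'L:\Audits\STIG_Audit_Permissions_Queries*.sqlaudit',
                           DEFAULT, DEFAULT) AS a
ORDER BY a.event_time, a.sequence_number;
-- To write the result as a plain text file from a scheduled job (no header, no padding):
--   sqlcmd -S . -E -h -1 -W -y 0 -Q "<the query above>" -o L:\Audits\export\audit.json
-- Each run re-reads every file. To export only new rows, store the file_name and
-- audit_file_offset of the last exported row and pass them as the second and third
-- arguments of sys.fn_get_audit_file on the next run.

-- Route 2: send the same events to the Windows Application log instead of (or in
-- addition to) the file, so no decoding step is needed. TO SECURITY_LOG is also an
-- option but requires granting the SQL Server service account the "Generate security
-- audits" right and enabling object-access auditing in the local security policy.
CREATE SERVER AUDIT [STIG_Audit_Permissions_Queries_EventLog]
TO APPLICATION_LOG
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = SHUTDOWN
)
WHERE ([Schema_Name] = 'sys' AND ([Object_Name] = 'server_principals'
                              OR  [Object_Name] = 'server_permissions'
                              OR  [Object_Name] = 'sql_logins'));   -- shortened filter for illustration
GO
-- An audit records nothing until a specification tells it which action groups to
-- capture; SCHEMA_OBJECT_ACCESS_GROUP (assumed here) is the server-level group that
-- covers SELECTs against the sys views named in the filter.
CREATE SERVER AUDIT SPECIFICATION [STIG_Audit_Permissions_Queries_EventLog_Spec]
FOR SERVER AUDIT [STIG_Audit_Permissions_Queries_EventLog]
ADD (SCHEMA_OBJECT_ACCESS_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [STIG_Audit_Permissions_Queries_EventLog] WITH (STATE = ON);
GO
```

With Route 1 the binary files remain the authoritative record and the exported JSON is a copy, so the STIG requirements on the audit files themselves are unaffected; with Route 2 the Application log is writable by any local administrator and is not protected by RESERVE_DISK_SPACE or MAX_ROLLOVER_FILES, so keep the file audit in place and treat the event-log copy as the feed for the SIEM.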