
I am using the SQL Server STIG guidance to create an audit that writes to a file:

USE [master]
GO

/****** Object:  Audit [STIG_Audit_Permissions_Queries]    Script Date: 2/2/2022 1:32:17 AM ******/
CREATE SERVER AUDIT [STIG_Audit_Permissions_Queries]
TO FILE 
(   FILEPATH = N'L:\Audits\'
    ,MAXSIZE = 200 MB
    ,MAX_ROLLOVER_FILES = 50
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = SHUTDOWN
    ,AUDIT_GUID = '3b3950fd-ade8-42c1-bd22-e36e071ee53d'
)
WHERE ([Schema_Name]='sys' AND [Object_Name]='all_objects' OR [Schema_Name]='sys' AND [Object_Name]='database_permissions' OR [Schema_Name]='sys' AND [Object_Name]='database_principals' OR [Schema_Name]='sys' AND [Object_Name]='database_role_members' OR [Schema_Name]='sys' AND [Object_Name]='dm_column_store_object_pool' OR [Schema_Name]='sys' AND [Object_Name]='dm_db_xtp_object_stats' OR [Schema_Name]='sys' AND [Object_Name]='dm_os_memory_objects' OR [Schema_Name]='sys' AND [Object_Name]='dm_xe_object_columns' OR [Schema_Name]='sys' AND [Object_Name]='dm_xe_objects' OR [Schema_Name]='sys' AND [Object_Name]='dm_xe_session_object_columns' OR [Schema_Name]='sys' AND [Object_Name]='filetable_system_defined_objects' OR [Schema_Name]='sys' AND [Object_Name]='linked_logins' OR [Schema_Name]='sys' AND [Object_Name]='login_token' OR [Schema_Name]='sys' AND [Object_Name]='objects' OR [Schema_Name]='sys' AND [Object_Name]='remote_logins' OR [Schema_Name]='sys' AND [Object_Name]='server_permissions' OR [Schema_Name]='sys' AND [Object_Name]='server_principal_credentials' OR [Schema_Name]='sys' AND [Object_Name]='server_principals' OR [Schema_Name]='sys' AND [Object_Name]='server_role_members' OR [Schema_Name]='sys' AND [Object_Name]='sql_logins' OR [Schema_Name]='sys' AND [Object_Name]='syscacheobjects' OR [Schema_Name]='sys' AND [Object_Name]='syslogins' OR [Schema_Name]='sys' AND [Object_Name]='sysobjects' OR [Schema_Name]='sys' AND [Object_Name]='sysoledbusers' OR [Schema_Name]='sys' AND [Object_Name]='syspermissions' OR [Schema_Name]='sys' AND [Object_Name]='sysremotelogins' OR [Schema_Name]='sys' AND [Object_Name]='system_objects' OR [Schema_Name]='sys' AND [Object_Name]='sysusers' OR [Schema_Name]='sys' AND [Object_Name]='user_token')
ALTER SERVER AUDIT [STIG_Audit_Permissions_Queries] WITH (STATE = ON)
GO

This works well and is creating audit files, and those files can be read with SQL Server Management Studio. We have a large number of SQL Servers in our environment. We want to capture the logs into a tool such as Wazuh so they can be read in a central location and, if an entry looks suspicious, some action can possibly be taken. We are already capturing files such as the error.log.# files.

Unfortunately, the files that are created are binary. How can the audit be configured to produce ASCII-based files?


0 answers
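Added example, not part of the question above and not an answer posted on the page: the two usual ways of getting SQL Server audit events out of the binary .sqlaudit files and into a text-based collector such as Wazuh. It reuses the audit name, file path and options from the question; the 15-minute window is an assumed polling interval for a scheduled export job, and the WHERE predicate already attached to the audit is left in place.

```sql
-- Added example (not code from the question). Assumes the audit
-- [STIG_Audit_Permissions_Queries] from the question exists and writes
-- rollover files to L:\Audits\.
USE [master];
GO

-- Option 1: keep the file target and read the binary files server-side.
-- sys.fn_get_audit_file returns the events as ordinary rows; a scheduled
-- job (SQL Agent, bcp, or a PowerShell script) can write the result set
-- as CSV or JSON lines for the log collector to tail. The wildcard reads
-- every rollover file in the folder; event_time is stored in UTC.
SELECT  event_time,
        action_id,
        succeeded,
        session_server_principal_name,
        server_principal_name,
        database_name,
        schema_name,
        object_name,
        statement,
        file_name,
        audit_file_offset
FROM    sys.fn_get_audit_file(N'L:\Audits\*.sqlaudit', DEFAULT, DEFAULT)
WHERE   event_time >= DATEADD(MINUTE, -15, SYSUTCDATETIME())  -- assumed poll interval
ORDER BY event_time;
GO

-- Option 2: change the target so each audit record is written as a
-- Windows event (source MSSQLSERVER, event ID 33205) in the Application
-- log, which the Wazuh agent already collects as text. The audit must be
-- stopped before its target can be altered; the WHERE predicate from the
-- original CREATE SERVER AUDIT is retained unless REMOVE WHERE is used.
ALTER SERVER AUDIT [STIG_Audit_Permissions_Queries] WITH (STATE = OFF);
GO
ALTER SERVER AUDIT [STIG_Audit_Permissions_Queries]
TO APPLICATION_LOG
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = SHUTDOWN      -- keep the STIG-required failure behaviour
);
GO
ALTER SERVER AUDIT [STIG_Audit_Permissions_Queries] WITH (STATE = ON);
GO
```

For option 2, the Wazuh Windows agent picks up the Application channel through a `<localfile>` entry with `log_format` set to `eventchannel`. Two caveats worth checking before switching: the Application log is readable by any local authenticated user and the audit records include the statement text, so the Windows Security log (`TO SECURITY_LOG`, which requires the service account to hold the "Generate security audits" right and object-access auditing to be enabled with auditpol) is the more restrictive choice; and with `ON_FAILURE = SHUTDOWN` an Application log that is full or otherwise unwritable will stop the instance, so size its retention to match the audit volume.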