Configure SEM to monitor Microsoft SQL databases for changes to tables and schemas

You can track successful or failed attempts to access your database tables and schemas by installing MSSQL Auditor for Windows on a SEM Agent running SQL Server 2008 or later with Profiler. This configuration allows you to monitor your local or remote SQL Server databases.

MSSQL Auditor runs as a service in conjunction with the SEM Agent service.

Configure your database servers

Download MSSQL Auditor for Windows from the Customer Portal and install the software on your server. When configured and enabled, the software provides your SolarWinds SEM Agent access to details about any database configuration changes to your database server.

Before you install MSSQL Auditor, install the following software on your database server so that the SolarWinds SEM Agent can access details about your database configuration changes:

  • Microsoft SQL Server 2008 or later
  • Microsoft .NET Framework 3.5 and 4.0
  • SolarWinds SEM Agent for Windows

When completed, install the MSSQL Auditor for Windows on your server.

Install MSSQL Auditor on a SEM Agent

  1. Download the MSSQL Auditor for Windows from the SolarWinds Customer Portal.

  2. To begin the installation, double-click the EXE file.

  3. To start the wizard, click Next.

  4. Accept the End User License Agreement if you agree, and then click Next.

  5. Click Change to specify an installation folder, or accept the default, and then click Next.

  6. Click Install.

  7. When the installation is finished, select Launch SolarWinds MSSQL Auditor, and then click Finish.

Configure MSSQL Auditor on your servers

If you did not select Launch SolarWinds MSSQL Auditor after installing the application, you can launch the application from the SolarWinds Security Event Manager program group in your Start menu.

  1. Enter the name of the SQL server to monitor in the SQL Server\Instance field, and click Add Server.

    To specify an instance other than the default, enter your server name in the following format:

    Server\Instance

  2. Repeat step 1 for any additional servers you need to monitor.
  3. To use an account other than the Local System Account to run MSSQL Auditor on your database server, select This Account under Run Service As, and then provide the appropriate credentials.

    SolarWinds recommends using an account in the sysadmin role on your database. The account only requires Execute permissions for any stored procedures with the xp_trace prefix.

  4. In the Manage Auditor Service section, click Start Auditor Service, and then click OK.

Configure the MSSQL Auditor Connector on a SEM Agent

  1. In the SEM Events Console, click the Nodes tab.
  2. Under Refine Results, expand the Type group, and then select the Agent check box.
  3. Select an agent, and then click Manage node connectors.
  4. In the search box, type MSSQL.
  5. Select the SolarWinds Security Event Manager MSSQL Auditor connector, and then click Add Connector.
  6. In the Name field, enter a new name, or keep the existing name.
  7. Click Add.
  8. Under Configured connectors, select your connector, and then click Start.
  9. Repeat the steps for the MSSQL 2000 Application Log connector.

Send notifications of Microsoft SQL database change attempts

Clone and enable the MSSQL Database Change Attempt rule to track user attempts to change properties on a monitored Microsoft SQL Server database. The default rule action generates a HostIncident event you can use in conjunction with the Incidents report to notify auditors that you are auditing the critical events in your network.

  1. Open the SEM console. See "Log in to the SEM web console" for steps.

    Log in as an administrator.

  2. On the SEM toolbar, navigate to Build > Rules.

  3. In the Refine Results search box, enter MSSQL Database Change Attempt.
  4. Next to the rule, click the icon, and then select Clone.

  5. Select the folder where the cloned rule will be stored, and then click OK.

  6. Select the Enable check box, and then click Save.

  7. In the main Rules screen, click Activate Rules.
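
To validate the setup described above, the following T-SQL checks the Run Service As account and then makes a harmless schema change you can look for in the SEM console. This is an added example, not SolarWinds code; the login name, database name, and table name are placeholders, and it assumes the auditor's collection is visible in sys.traces.

```sql
-- Added example, not SolarWinds code. Run in SSMS or sqlcmd as a SQL Server administrator.
-- Assumption: DOMAIN\svc_sem_auditor is a placeholder for the Run Service As account.
DECLARE @svc sysname = N'DOMAIN\svc_sem_auditor';

-- 1. Role check: 1 = member of sysadmin, 0 = not a member,
--    NULL = login not valid or membership not visible to you.
SELECT @svc AS login_name,
       IS_SRVROLEMEMBER('sysadmin', @svc) AS is_sysadmin;

-- 2. Procedures in master with the xp_trace prefix, plus any explicit
--    EXECUTE grants or denies on them. [_] matches a literal underscore.
SELECT o.name        AS procedure_name,
       pr.name       AS grantee,
       pe.state_desc AS permission_state
FROM master.sys.all_objects AS o
LEFT JOIN master.sys.database_permissions AS pe
       ON pe.class = 1
      AND pe.major_id = o.object_id
      AND pe.permission_name = 'EXECUTE'
LEFT JOIN master.sys.database_principals AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE o.name LIKE 'xp[_]trace%'
ORDER BY o.name, pr.name;

-- 3. Traces currently defined on the instance. Assumption: the auditor's
--    collection shows up here as a running trace (status = 1) that is not
--    the built-in default trace (is_default = 0).
SELECT id, status, is_default, is_rowset, reader_spid,
       start_time, last_event_time, event_count
FROM sys.traces
ORDER BY id;
GO

-- 4. Canary schema change in a monitored database. SemCanaryDb and
--    dbo.sem_audit_canary are placeholder names; use a non-production database.
USE SemCanaryDb;
GO
CREATE TABLE dbo.sem_audit_canary (id INT NOT NULL);
GO
ALTER TABLE dbo.sem_audit_canary ADD note NVARCHAR(50) NULL;
GO
DROP TABLE dbo.sem_audit_canary;
GO
```

If query 2 returns no rows, the instance has no objects with that prefix to grant Execute on. After step 4, search the SEM console for events from this server that reference the canary table to confirm the connector and the cloned rule are working end to end.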