How to monitor on-prem MS SQL transactions with Sentinel?

Olga 1 Reputation point
2021-07-13T12:58:15.607+00:00

Hi all,

My question is short, how can I forward MS SQL server (on-prem) transaction data to Azure Sentinel (or Log Monitor)? I've found only this: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960 but it's for Audit, not for transactions.


2 answers

  1. Cris Zhan-MSFT 6,601 Reputation points
    2021-07-14T02:46:45.717+00:00

    Hi,

    Are you talking about the SQL Server database transaction log itself? This may not be possible using Azure Sentinel.
    The blog you provided introduces the use of Audit to record changes to the database and ingesting SQL Server Audit events into Azure Sentinel.

    Because the purpose of the SQL Server transaction log is not user behavior monitoring and recording, but ensuring transaction consistency with minimal impact on performance, the content it records is for the database service, not for users. So if you want to monitor user behavior, you still have to use SQL Server's own monitoring tools, such as SQL Trace, XEvents, or Audit.

    SQL Server provides a command DBCC LOG to read the log file, but the result is not intuitive. For more detailed information, you may need to use some third-party tools, such as ApexSQL Log.

    If you want to make a backup of the database and transaction log files, you may need to consider HA/DR technologies, such as Always On availability groups, database mirroring, etc.

    I am not familiar with Azure Sentinel; I am speaking from the perspective of SQL Server.

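As an added example (not code from the thread above or from Microsoft's blog), this is the SQL Server Audit setup the answer points to when the goal is to record who ran which INSERT/UPDATE/DELETE rather than to read the transaction log. It writes audit records to the Windows Application log so a log-forwarding agent on the host can ship them; the database name SalesDb and the audit object names are assumed placeholders.

```sql
-- Assumed placeholders: SalesDb, Audit_DML_To_AppLog, Audit_DML_Spec.
USE master;
GO

-- 1. Server-level audit object: the target is the Windows Application log,
--    which a host-based agent can collect. ON_FAILURE = CONTINUE keeps the
--    instance running if the event log cannot be written.
CREATE SERVER AUDIT [Audit_DML_To_AppLog]
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT [Audit_DML_To_AppLog] WITH (STATE = ON);
GO

-- 2. Database-level specification: capture DML by any principal ([public])
--    on every object in the dbo schema of the monitored database.
USE [SalesDb];
GO
CREATE DATABASE AUDIT SPECIFICATION [Audit_DML_Spec]
    FOR SERVER AUDIT [Audit_DML_To_AppLog]
    ADD (INSERT, UPDATE, DELETE ON SCHEMA::[dbo] BY [public])
    WITH (STATE = ON);
GO

-- 3. Verification: the audit should report as started and the specification
--    as enabled before anything is expected to arrive in the event log.
SELECT a.name, s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;

SELECT d.name, d.is_state_enabled, dd.audit_action_name, dd.class_desc
FROM sys.database_audit_specifications AS d
JOIN sys.database_audit_specification_details AS dd
    ON dd.database_specification_id = d.database_specification_id;
GO
```

Once the host's Application log is collected into the Log Analytics workspace, the audit records appear in the Event table with Source MSSQLSERVER and EventID 33205, which is the field pair to filter on in a Sentinel query or analytics rule.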

  2. Tom Phillips 17,716 Reputation points
    2021-07-14T17:17:44.183+00:00

    I am unclear as to your question. The blog you posted has a section:
    Step 3 - Sending logs from SQL Server to Azure Sentinel using Microsoft Monitoring Agent.

    Is this not working for you? Are you having a problem?

    If you are having a problem with Azure Sentinel, the Azure forum is likely a better place for your questions.