Help setting up SEP collector for SSIM
Updated: 19 Jan 2011 | 7 comments
This issue has been solved. See solution.
Trying to setup the SEP collector in SSIM. Seems very basic to me per the documentation and I believe I have all the fields setup correctly.
After I distribute, I continue to get the message under Events along the lines of "Cannot create connection to the database, Reason: Login failed for the user 'xxxx'"
I know for a fact this username/password works as I can connect to the DB with using query analyzer, however, when I log in to the box and look under Security >> Logins, I do not see the username in there that was setup for SSIM (read-only). Does ths matter?
I'm just curious as to what else I could be missing? Any help would be appreciated.
Discussion Filed Under:
Comments
Are you sure in the Sensor
Are you sure in the Sensor properties for this collector you entered the right usename and password ?
Second option, what version of the jdbc drivers you using and do you know what port the instance of SQL is listening ? Could you add the port in the url ?
jdbc:sqlserver://SQL_SERVER:1433;DatabaseName=SEM5
Yes, username and password
Yes, username and password are correct.
Now sure how to check the version of jdbc drivers but SQL is listening on 1433 and I have added that port.
Endpoint Knowledge Base
Security Best Practices
SEP uses it's own user to access database
When SEP is set up it creates a user named sem5, and only this user by default has permissions to access SEP database. Even sa account has no read rights over this database by default (I beleive you set it up with MS SQL Server).
You need to either configure a collector to use sem5 account or create a read-only user and grant it read permissions over SEP database (sem5).
Below I pasted actions needed from SEP Collector PDF:
To create a read-only database user for Microsoft SQL Server
1 From the Windows Start menu, choose Run, and then type the following
command:
cmd
2 Navigate to the directory that contains the OSQL.EXE file.
For Microsoft SQL Server 2008, the default directory location for this file is
C:\Program Files\Microsoft SQL Server\100\Tools\Binn
For Microsoft SQL Server 2005, the default directory location for this file is
C:\Program Files\Microsoft SQL Server\90\Tools\Binn.
For Microsoft SQL Server 2000, the default directory location for this file is
C:\Program Files\Microsoft SQL Server\80\Tools\Binn.
3 Log in as the system administrator user. Type the following command, and
then at the Password prompt, type the system administrator password:
osql -U sa
4 At the command prompt, type the following commands:
For Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Desktop Engine
(MSDE):
EXEC sp_addlogin 'account_name', 'password', database_name'
USE database_name
EXEC sp_grantdbaccess 'account_name'
EXEC sp_addrolemember 'db_datareader', 'account_name'
GRANT SELECT ON SEM_COMPUTER to 'account_name';
GRANT SELECT ON V_AGENT_BEHAVIOR_LOG to 'account_name';
GRANT SELECT ON IDENTITY_MAP to 'account_name';
GRANT SELECT ON V_AGENT_PACKET_LOG to 'account_name';
GRANT SELECT ON V_AGENT_SECURITY_LOG to 'account_name';
GRANT SELECT ON V_AGENT_TRAFFIC_LOG to 'account_name';
GRANT SELECT ON V_AGENT_SYSTEM_LOG to 'account_name';
GRANT SELECT ON V_ENFORCER_CLIENT_LOG to 'account_name';
GRANT SELECT ON V_ENFORCER_SYSTEM_LOG to 'account_name';
GRANT SELECT ON V_ENFORCER_TRAFFIC_LOG to 'account_name';
GRANT SELECT ON V_SERVER_ADMIN_LOG to 'account_name';
GRANT SELECT ON V_SERVER_SYSTEM_LOG to 'account_name';
GRANT SELECT ON V_SERVER_CLIENT_LOG to 'account_name';
GRANT SELECT ON V_SERVER_ENFORCER_LOG to 'account_name';
GRANT SELECT ON V_SERVER_POLICY_LOG to 'account_name';
GRANT SELECT ON V_LAN_DEVICE_DETECTED to 'account_name';
GRANT SELECT ON V_ALERTS to 'account_name';
GRANT SELECT ON VIRUS to 'account_name';
GRANT SELECT ON V_SEM_COMPUTER to 'account_name';
GRANT SELECT ON SEM_AGENT to 'account_name';
GRANT SELECT ON PATTERN to 'account_name';
go
For Microsoft SQL Server 2005 and Microsoft SQL Server 2008:
EXEC sp_addlogin 'account_name', 'password', 'database_name'
USE database_name
CREATE USER 'account_name' FOR LOGIN 'account_name'
EXEC sp_addrolemember 'db_datareader', 'account_name'
GRANT SELECT ON SEM_COMPUTER to 'account_name';
GRANT SELECT ON V_AGENT_BEHAVIOR_LOG to 'account_name';
GRANT SELECT ON IDENTITY_MAP to 'account_name';
GRANT SELECT ON V_AGENT_PACKET_LOG to 'account_name';
GRANT SELECT ON V_AGENT_SECURITY_LOG to 'account_name';
GRANT SELECT ON V_AGENT_TRAFFIC_LOG to 'account_name';
GRANT SELECT ON V_AGENT_SYSTEM_LOG to 'account_name';
GRANT SELECT ON V_ENFORCER_CLIENT_LOG to 'account_name';
GRANT SELECT ON V_ENFORCER_SYSTEM_LOG to 'account_name';
GRANT SELECT ON V_ENFORCER_TRAFFIC_LOG to 'account_name';
GRANT SELECT ON V_SERVER_ADMIN_LOG to 'account_name';
GRANT SELECT ON V_SERVER_SYSTEM_LOG to 'account_name';
GRANT SELECT ON V_SERVER_CLIENT_LOG to 'account_name';
GRANT SELECT ON V_SERVER_ENFORCER_LOG to 'account_name';
GRANT SELECT ON V_SERVER_POLICY_LOG to 'account_name';
GRANT SELECT ON V_LAN_DEVICE_DETECTED to 'account_name';
GRANT SELECT ON V_ALERTS to 'account_name';
GRANT SELECT ON VIRUS to 'account_name';
GRANT SELECT ON V_SEM_COMPUTER to 'account_name';
GRANT SELECT ON SEM_AGENT to 'account_name';
GRANT SELECT ON PATTERN to 'account_name';
go
quit
Thanks,
Alexey.
I had our DBA create a
I had our DBA create a read-only account to the DB. The DB name is actually sep1 not sem5. I'm guessing the default was changed when SEP was setup almost 3 yrs ago (I wasn't here for that)
Endpoint Knowledge Base
Security Best Practices
Would you have the full log
Would you have the full log file of the collector?
I checked with our DBA and
I checked with our DBA and the issue looks to be on their side. I'm not a SQL guy so I won't try to even repeat what I was told
but I'll report back once the issue is fixed.
Endpoint Knowledge Base
Security Best Practices
Turns out the default SQL
Turns out the default SQL port was not being used. Once we changed to the correct port, logs started to come in. Very simple, yet very frustrating :) but all is good now.
Endpoint Knowledge Base
Security Best Practices
Would you like to reply?
Login or Register to post your comment.