Unable to collect SQL database events

  • 7017839
  • 12-Jul-2016
  • 12-Jul-2016

Environment

NetIQ Sentinel 7.x Database (JDBC) Connector

Situation

Unable to see any database events in Sentinel. When viewing a connector raw data tap, only the following events appear:

{"i_TrustDeviceTime":"1","QueryID":"47","s_db_hostname":"[EventSourceName]","s_RV24":"FC006D40-15E3-1034-8418-9B743D08F984","s_RV25":"16CBA2B9-1AAE-1034-A08F-005056AD40AB","s_RV22":"AC64A669-14A9-1034-A938-005056AD65FB","Row_Left":"-1","s_RV23":"99976340-154B-1034-85BF-BBDF9E7F38DA","o":"1","s_db_port":"[dpPortNumber]","s_RV21":"F9EE12E3-DECB-1033-8596-005056AD65FB","CONNECTION_MODE":"map","s_db_dbtype":"Microsoft SQL Server","CONNECTION_METHOD":"DATABASE","s_db_database":"[databaseName]"} 

Resolution

The event in the raw data tap indicates that Sentinel is not finding any events in the database table. There can be several reasons why this is happening:


1. The collector\connector\event source are not configured 1 to 1 to 1.

In the Sentinel Event Source Management console, confirm that there is a dedicated Database collector\Database connector for each individual Database event source. If there are multiple event sources under one collector\connector pairing, the offset will not work correctly because the connector would have to keep track of multiple database tables.

2. A workaround for a db connector issue needs to be configured. 

  • In the Sentinel Control Center ESM console, right-click the database event source, select Edit, and then select the Start Behavior and Offset tab.
  • Currently the settings are likely to be as follows: Start Behavior is set to Resume from saved offset and, under the Edit Saved Offset button, the radio button is set to Resume from start of data. The Specify offset button is not selected and the Offset String box is empty.
  • Change the setting to Always start from beginning of data, click OK, and restart the collector, connector, and event source.
  • If the database table contains events, you should start seeing actual events in the raw data tap as well as in the Sentinel search view.
  • Now change the offset setting back to Resume from saved offset; everything should continue to work after restarting the collector, connector, and event source. The offset should be incrementing. There will likely be older data in the search view until Sentinel completes collection on the table and catches up to the current time.
  • At this point the offset should be incrementing and keeping track of where collection left off in the database table.


3. The event source version is not yet supported. 

If you are using an event source version that is not yet supported\certified, there is a possibility that it will still work. However, if the database table name or any of the database table column names have changed, this situation can occur. Contact technical support to open a defect or enhancement request.

4. There is no data in the particular database table that we are querying.

Have your database admin confirm that the database auditing is properly configured so that the table is populated with events. 
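The following script is an added triage aid and is not part of this article or of the Sentinel product. It reads a raw data tap capture saved as one JSON object per line and separates records that carry only connector metadata (the shape of the record quoted above) from records that also carry table columns. The assumption it rests on, which the article does not state explicitly, is that a poll that returns a row adds that row's column names to the record, so a record made up solely of the connector's own fields means no rows came back. The field set below is taken from the record quoted in this article; the second sample line and its column names are constructed.

```python
import json

# Field names present in the connector status record quoted in this article.
# Assumption: a record whose keys all come from this set carries no database
# row, since a returned row would add the table's own column names.
CONNECTOR_METADATA_KEYS = frozenset({
    "i_TrustDeviceTime", "QueryID", "s_db_hostname", "s_db_port", "s_db_dbtype",
    "s_db_database", "s_RV21", "s_RV22", "s_RV23", "s_RV24", "s_RV25",
    "Row_Left", "o", "CONNECTION_MODE", "CONNECTION_METHOD",
})

# Hints keyed to the article's numbered causes.
HINTS = {
    "collecting": "Events are being returned; the connector is collecting.",
    "no_rows": ("Connector polls but no rows come back: check the 1:1:1 "
                "collector/connector/event source mapping, reset the start "
                "behavior and offset, verify the event source version, and "
                "confirm the audited table is populated."),
    "no_data": "No connector records at all: check that the event source is started.",
}


def classify_record(record):
    """Label one parsed raw-data-tap record.

    'event'      -> the record carries columns beyond connector metadata
    'empty_poll' -> only connector metadata is present (no rows returned)
    """
    table_columns = set(record) - CONNECTOR_METADATA_KEYS
    return "event" if table_columns else "empty_poll"


def summarize_tap(lines):
    """Count record types across a raw data tap capture (one JSON object per line)."""
    counts = {"event": 0, "empty_poll": 0, "unparseable": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        if not isinstance(record, dict):
            counts["unparseable"] += 1
            continue
        counts[classify_record(record)] += 1
    return counts


def diagnose(counts):
    """Map the record counts onto the article's troubleshooting path."""
    if counts["event"] > 0:
        return "collecting"
    if counts["empty_poll"] > 0:
        return "no_rows"
    return "no_data"


# Constructed sample capture. Line 1 is the record quoted in this article;
# line 2 is a made-up row with hypothetical column names (audit_time,
# login_name, action) to show what a real event looks like beside an empty
# poll; line 3 is deliberately malformed.
SAMPLE_TAP = [
    '{"i_TrustDeviceTime":"1","QueryID":"47","s_db_hostname":"[EventSourceName]","s_RV24":"FC006D40-15E3-1034-8418-9B743D08F984","s_RV25":"16CBA2B9-1AAE-1034-A08F-005056AD40AB","s_RV22":"AC64A669-14A9-1034-A938-005056AD65FB","Row_Left":"-1","s_RV23":"99976340-154B-1034-85BF-BBDF9E7F38DA","o":"1","s_db_port":"[dpPortNumber]","s_RV21":"F9EE12E3-DECB-1033-8596-005056AD65FB","CONNECTION_MODE":"map","s_db_dbtype":"Microsoft SQL Server","CONNECTION_METHOD":"DATABASE","s_db_database":"[databaseName]"}',
    '{"i_TrustDeviceTime":"1","QueryID":"47","s_db_hostname":"[EventSourceName]","s_db_dbtype":"Microsoft SQL Server","audit_time":"2016-07-12 09:15:02","login_name":"svc_report","action":"LOGIN"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    result = summarize_tap(SAMPLE_TAP)
    verdict = diagnose(result)
    print(result)
    print(verdict, "-", HINTS[verdict])
```

To use it against a real capture, replace SAMPLE_TAP with the lines of the exported raw data tap file. A capture consisting entirely of "empty_poll" records is the condition this article describes.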

Cause

The error indicates that Sentinel is not finding any events in the database table. There can be several reasons for this type of error:

1. The collector\connector\event source are not configured 1 to 1 to 1.

2. A workaround for a db connector issue needs to be configured. 

3. The event source version is not yet supported. 

4. There is no data in the particular database table that we are querying.