Database

When consolidating events into a central database, you need to make sure that nobody can gain unauthorized access to it. If somebody gains administrative access to your SQL database, the intruder can compromise your data integrity by deleting or modifying data.

Make sure you use a strong password for the database administrator (e.g. sa or root) and only give this password to authorized users.

 

All of the security steps listed below will have no effect if the administrator's login is compromised.

 

EventSentry Agents

The EventSentry agents are designed to only use the eventsentry_svc login to access the database, primarily to add data to the database. This login is created when you install EventSentry with the setup or when you initialize the database through the action dialog in the management console.

 

The eventsentry_svc user is only allowed minimum access to the objects (tables, columns) in the EventSentry database; for example, this user cannot retrieve stored event log records from the database. As such, even if the password were compromised, the intruder would still not be able to retrieve useful information from the EventSentry database.

Never use an administrative login (e.g. sa or root) when configuring the database action in EventSentry.

 

The password for the eventsentry_svc user is stored in the registry, but only members of the local Administrators group have permission to access the EventSentry configuration in the registry.

 

When utilizing the collector service, check the "Enhanced Security" check box on the database action dialog, which prevents the DB login credentials from being transmitted to the remote agents.

 

EventSentry Web Reports

The EventSentry Web Reports use the eventsentry_web user to access the database, which has a different set of permissions in the EventSentry database than the eventsentry_svc user. The eventsentry_web login is created when you install EventSentry with the setup or when you initialize a new database through the action dialog in the management console.

 

The eventsentry_web user is only allowed minimum access to the objects (tables, columns) in the EventSentry database; for example, this user cannot add or delete event log records from the database. As such, even if the password were compromised, the intruder would still not be able to modify or delete records from the EventSentry database, though the login could be used to retrieve data.

 

The password of the eventsentry_web user is stored in the configuration file of the web reports, WebReports\conf\configuration.xml, which by default is located in the installation folder of EventSentry (e.g. C:\Program Files\EventSentry).

In order to keep the password of the eventsentry_web user secure, make sure that only authorized users have direct access to the WebReports\conf\configuration.xml file on the web server.
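
One way to check this on the web server, as an added example that is not part of the EventSentry documentation: the PowerShell script below lists every identity outside an allow list that holds read access to the file. The path combines the default installation folder with the relative path given above, and the allow list is an assumption to adjust for your environment.

```powershell
# Added example (not EventSentry code): list identities outside an allow list
# that hold read access to the Web Reports configuration file.
param(
    # Default installation folder named on this page; adjust for your install.
    [string]$ConfigPath = 'C:\Program Files\EventSentry\WebReports\conf\configuration.xml',
    # Assumption: identities expected to read the file. Add the account the
    # Web Reports run under on your server.
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# ReadData (0x1) plus the generic bits that also imply read:
# GENERIC_ALL (0x10000000) and GENERIC_READ (0x80000000).
$readMask = 0x1 -bor 0x10000000 -bor 0x80000000

if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw "File not found: $ConfigPath"
}

$acl = Get-Acl -LiteralPath $ConfigPath

# Collect Allow entries that grant read access to anyone not on the allow list.
$unexpected = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }
    $id = $ace.IdentityReference.Value
    if ($Allowed -contains $id) { continue }
    [pscustomobject]@{
        Identity  = $id
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

"Owner: $($acl.Owner)"
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    Write-Warning "Identities outside the allow list can read $ConfigPath"
} else {
    "Only allow-listed identities have read access."
}
```

Entries reported with Inherited set to True come from a parent folder and have to be changed there, or inheritance has to be disabled on the file. The script does not expand group membership, so review who belongs to each allow-listed group as well.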

 

Encryption

If the EventSentry agents transmit event log data over an insecure medium, it is recommended to either utilize the collector service or encrypt SQL communication between the client (any EventSentry agent) and the database server. See Network Traffic Encryption for more information.