Table of Contents
Overview
Action Groups and Actions
Audit Records
Create a Server Audit and Server Audit Specification
Create a Server Audit and Database Audit Specification
View a SQL Server Audit Log
Write SQL Server Audit Events to the Security Log
SQL Server Audit (Database Engine)
4/29/2017 • 12 min to read
THIS TOPIC APPLIES TO: SQL Server (starting with 2008), Azure SQL Database, Azure SQL Data Warehouse, Parallel Data Warehouse
Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging
events that occur on the Database Engine. SQL Server audit lets you create server audits, which can contain server
audit specifications for server level events, and database audit specifications for database level events. Audited
events can be written to the event logs or to audit files.
There are several levels of auditing for SQL Server, depending on government or standards requirements for your
installation. SQL Server Audit provides the tools and processes you must have to enable, store, and view audits on
various server and database objects.
You can record server audit action groups per instance, and either database audit action groups or database audit
actions per database. The audit event will occur every time that the auditable action is encountered.
All editions of SQL Server support server level audits. All editions support database level audits beginning with
SQL Server 2016 SP1. Prior to that, database level auditing was limited to Enterprise, Developer, and Evaluation
editions. For more information, see Features Supported by the Editions of SQL Server 2016.
NOTE
This topic applies to SQL Server. For SQL Database, see Get started with SQL database auditing.
SQL Server Audit Components
An audit is the combination of several elements into a single package for a specific group of server actions or
database actions. The components of SQL Server audit combine to produce an output that is called an audit, just as
a report definition combined with graphics and data elements produces a report.
SQL Server audit uses Extended Events to help create an audit. For more information about Extended Events, see
Extended Events.
SQL Server Audit
The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to
monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server instance.
When you define an audit, you specify the location for the output of the results. This is the audit destination. The
audit is created in a disabled state, and does not automatically audit any actions. After the audit is enabled, the
audit destination receives data from the audit.
Server Audit Specification
The Server Audit Specification object belongs to an audit. You can create one server audit specification per audit,
because both are created at the SQL Server instance scope.
The server audit specification collects many server-level action groups raised by the Extended Events feature. You
can include audit action groups in a server audit specification. Audit action groups are predefined groups of
actions, which are atomic events occurring in the Database Engine. These actions are sent to the audit, which
records them in the target.
Server-level audit action groups are described in the topic SQL Server Audit Action Groups and Actions.
Database Audit Specification
The Database Audit Specification object also belongs to a SQL Server audit. You can create one database audit
specification per SQL Server database per audit.
The database audit specification collects database-level audit actions raised by the Extended Events feature. You
can add either audit action groups or audit events to a database audit specification. Audit events are the atomic
actions that can be audited by the SQL Server engine. Audit action groups are predefined groups of actions. Both
are at the SQL Server database scope. These actions are sent to the audit, which records them in the target. Do not
include server-scoped objects, such as the system views, in a user database audit specification.
Database-level audit action groups and audit actions are described in the topic SQL Server Audit Action Groups
and Actions.
Target
The results of an audit are sent to a target, which can be a file, the Windows Security event log, or the Windows
Application event log. Logs must be reviewed and archived periodically to make sure that the target has sufficient
space to write additional records.
IMPORTANT
Any authenticated user can read and write to the Windows Application event log. The Application event log requires lower
permissions than the Windows Security event log and is less secure than the Windows Security event log.
Writing to the Windows Security log requires the SQL Server service account to be added to the Generate
security audits policy. By default, the Local System, Local Service, and Network Service are part of this policy. This
setting can be configured by using the security policy snap-in (secpol.msc). Additionally, the Audit object access
security policy must be enabled for both Success and Failure. This setting can be configured by using the security
policy snap-in (secpol.msc). In Windows Vista or Windows Server 2008, you can set the more granular
application generated policy from the command line by using the audit policy program (AuditPol.exe). For
more information about the steps to enable writing to the Windows Security log, see Write SQL Server Audit
Events to the Security Log. For more information about the Auditpol.exe program, see Knowledge Base article
921469, How to use Group Policy to configure detailed security auditing. The Windows event logs are global to the
Windows operating system. For more information about the Windows event logs, see Event Viewer Overview. If
you need more precise permissions on the audit, use the binary file target.
When you are saving audit information to a file, to help prevent tampering, you can restrict access to the file
location in the following ways:
- The SQL Server Service Account must have both Read and Write permission.
- Audit Administrators typically require Read and Write permission. This assumes that the Audit Administrators are Windows accounts for administration of audit files, such as copying them to different shares, backing them up, and so on.
- Audit Readers that are authorized to read audit files must have Read permission.
- Even when the Database Engine is writing to a file, other Windows users can read the audit file if they have permission. The Database Engine does not take an exclusive lock that prevents read operations.
- Because the Database Engine can access the file, SQL Server logins that have CONTROL SERVER permission can use the Database Engine to access the audit files. To record any user that is reading the audit file, define an audit on master.sys.fn_get_audit_file. This records the logins with CONTROL SERVER permission that have accessed the audit file through SQL Server.
- If an Audit Administrator copies the file to a different location (for archive purposes, and so on), the ACLs on the new location should be reduced to the following permissions:
  - Audit Administrator – Read / Write
  - Audit Reader – Read
- We recommend that you generate audit reports from a separate instance of SQL Server, such as an instance of SQL Server Express, to which only Audit Administrators or Audit Readers have access. By using a separate instance of the Database Engine for reporting, you can help prevent unauthorized users from obtaining access to the audit record.
- You can offer additional protection against unauthorized access by encrypting the folder in which the audit file is stored by using Windows BitLocker Drive Encryption or Windows Encrypting File System.
For more information about the audit records that are written to the target, see SQL Server Audit Records.
Overview of Using SQL Server Audit
You can use SQL Server Management Studio or Transact-SQL to define an audit. After the audit is created and
enabled, the target will receive entries.
You can read the Windows event logs by using the Event Viewer utility in Windows. For file targets, you can use
either the Log File Viewer in SQL Server Management Studio or the fn_get_audit_file function to read the target
file.
The general process for creating and using an audit is as follows.
1. Create an audit and define the target.
2. Create either a server audit specification or database audit specification that maps to the audit. Enable the
audit specification.
3. Enable the audit.
4. Read the audit events by using the Windows Event Viewer, Log File Viewer, or the fn_get_audit_file
function.
For more information, see Create a Server Audit and Server Audit Specification and Create a Server Audit
and Database Audit Specification.
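The four steps above worked through in Transact-SQL, as an added example that is not part of the original article. The audit and specification names, the file path D:\SQLAudit\ and the database SalesDB are assumptions; the specification on sys.fn_get_audit_file follows the Target section's advice and assumes that function is auditable as an object in master.

```sql
USE master;
GO
-- Step 1: create the audit and define its target. The audit is created disabled.
CREATE SERVER AUDIT Audit_Security_File
    TO FILE
    (   FILEPATH = 'D:\SQLAudit\',            -- assumed path; ACL it as the Target section describes
        MAXSIZE = 256 MB,
        MAX_ROLLOVER_FILES = 20,
        RESERVE_DISK_SPACE = OFF
    )
    WITH
    (   QUEUE_DELAY = 1000,
        ON_FAILURE = CONTINUE                 -- SHUTDOWN would stop the instance when the target fails
    );
GO

-- Step 2a: server audit specification mapped to the audit, enabled on creation.
CREATE SERVER AUDIT SPECIFICATION Audit_Security_ServerSpec
    FOR SERVER AUDIT Audit_Security_File
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
    ADD (AUDIT_CHANGE_GROUP)                  -- records changes to the audit configuration itself
    WITH (STATE = ON);
GO

-- Step 2b: database audit specification in the monitored database (assumed name).
-- Auditing the dbo user also covers members of sysadmin, who map to dbo in every database.
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION Audit_Security_DbSpec
    FOR SERVER AUDIT Audit_Security_File
    ADD (SELECT, UPDATE, DELETE ON SCHEMA::dbo BY dbo),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Record reads of the audit file made through the Database Engine by CONTROL SERVER holders.
-- Assumption: sys.fn_get_audit_file can be named as an OBJECT securable in master.
USE master;
GO
CREATE DATABASE AUDIT SPECIFICATION Audit_Security_FileReads
    FOR SERVER AUDIT Audit_Security_File
    ADD (SELECT ON OBJECT::sys.fn_get_audit_file BY public)
    WITH (STATE = ON);
GO

-- Step 3: enable the audit; the target receives entries from this point on.
ALTER SERVER AUDIT Audit_Security_File WITH (STATE = ON);
GO
-- Confirm that the audit is running and where it is writing.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
GO

-- Step 4: read the file target. The wildcard picks up rollover files as well.
SELECT event_time, action_id, succeeded, session_server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\Audit_Security_File*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```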
Considerations
In the case of a failure during audit initiation, the server will not start. In this case, the server can be started by
using the –f option at the command line.
When an audit failure causes the server to shut down or not to start because ON_FAILURE=SHUTDOWN is
specified for the audit, the MSG_AUDIT_FORCED_SHUTDOWN event will be written to the log. Because the
shutdown will occur on the first encounter of this setting, the event will be written one time. This event is written
after the failure message for the audit causing the shutdown. An administrator can bypass audit-induced
shutdowns by starting SQL Server in Single User mode using the –m flag. If you start in Single User mode, you will
downgrade any audit where ON_FAILURE=SHUTDOWN is specified to run in that session as
ON_FAILURE=CONTINUE. When SQL Server is started by using the –m flag, the
MSG_AUDIT_SHUTDOWN_BYPASSED message will be written to the error log.
For more information about service startup options, see Database Engine Service Startup Options.
Attaching a Database with an Audit Defined
Attaching a database that has an audit specification and specifies a GUID that does not exist on the server will
cause an orphaned audit specification. Because an audit with a matching GUID does not exist on the server
instance, no audit events will be recorded. To correct this situation, use the ALTER DATABASE AUDIT
SPECIFICATION command to connect the orphaned audit specification to an existing server audit. Or, use the
CREATE SERVER AUDIT command to create a new server audit with the specified GUID.
You can attach a database that has an audit specification defined on it to another edition of SQL Server that does
not support SQL Server audit, such as SQL Server Express but it will not record audit events.
Database Mirroring and SQL Server Audit
A database that has a database audit specification defined and that uses database mirroring will include the
database audit specification. To work correctly on the mirrored SQL instance, the following items must be
configured:
- The mirror server must have an audit with the same GUID to enable the database audit specification to write audit records. This can be configured by using CREATE SERVER AUDIT ... WITH (AUDIT_GUID = <GUID from source Server Audit>).
- For binary file targets, the mirror server service account must have appropriate permissions to the location where the audit trail is being written.
- For Windows event log targets, the security policy on the computer where the mirror server is located must allow for service account access to the security or application event log.
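Repairing an orphaned database audit specification after attach, and creating the audit with a matching GUID that a mirror partner needs (both described above), as an added Transact-SQL example that is not part of the original article. The database AttachedDB, the specification AttachedDbSpec, the audit Audit_Security_File and the GUID value are assumptions or placeholders.

```sql
-- Assumed: the attached database is AttachedDB and an audit Audit_Security_File already exists.
USE AttachedDB;
GO
-- A specification whose audit_guid matches no server audit is orphaned and records nothing.
SELECT das.name, das.audit_guid, das.is_state_enabled
FROM sys.database_audit_specifications AS das
WHERE NOT EXISTS (SELECT 1 FROM sys.server_audits AS sa
                  WHERE sa.audit_guid = das.audit_guid);
GO

-- Fix 1: re-point the orphaned specification (assumed name) at an existing server audit.
-- The specification must be disabled before it is altered, then re-enabled.
ALTER DATABASE AUDIT SPECIFICATION AttachedDbSpec WITH (STATE = OFF);
ALTER DATABASE AUDIT SPECIFICATION AttachedDbSpec FOR SERVER AUDIT Audit_Security_File;
ALTER DATABASE AUDIT SPECIFICATION AttachedDbSpec WITH (STATE = ON);
GO

-- Fix 2: recreate a server audit carrying the original GUID so the specification binds unchanged.
-- The same statement prepares a mirror partner: take the GUID from sys.server_audits.audit_guid
-- on the principal, since the mirror copy of the database cannot be queried.
USE master;
GO
CREATE SERVER AUDIT Audit_Security_File_Partner
    TO FILE ( FILEPATH = 'D:\SQLAudit\' )                            -- service account needs Read/Write here
    WITH ( AUDIT_GUID = '00000000-0000-0000-0000-000000000000' );    -- placeholder: use the GUID found above
ALTER SERVER AUDIT Audit_Security_File_Partner WITH (STATE = ON);
GO
```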
Auditing Administrators
Members of the sysadmin fixed server role are identified as the dbo user in each database. To audit actions of the
administrators, audit the actions of the dbo user.
Creating and Managing Audits with Transact-SQL
You can use DDL statements, dynamic management views and functions, and catalog views to implement all
aspects of SQL Server Audit.
Data Definition Language Statements
You can use the following DDL statements to create, alter, and drop audit specifications:
- CREATE SERVER AUDIT
- ALTER SERVER AUDIT
- DROP SERVER AUDIT
- CREATE SERVER AUDIT SPECIFICATION
- ALTER SERVER AUDIT SPECIFICATION
- DROP SERVER AUDIT SPECIFICATION
- CREATE DATABASE AUDIT SPECIFICATION
- ALTER DATABASE AUDIT SPECIFICATION
- DROP DATABASE AUDIT SPECIFICATION
- ALTER AUTHORIZATION
Dynamic Views and Functions
The following table lists the dynamic views and functions that you can use for SQL Server auditing.
DYNAMIC VIEWS AND FUNCTIONS
DESCRIPTION
sys.dm_audit_actions
Returns a row for every audit action that can be reported in
the audit log and every audit action group that can be
configured as part of SQL Server Audit.
sys.dm_server_audit_status
Provides information about the current state of the audit.
sys.dm_audit_class_type_map
Returns a table that maps the class_type field in the audit log
to the class_desc field in sys.dm_audit_actions.
fn_get_audit_file
Returns information from an audit file created by a server
audit.
Catalog Views
The following table lists the catalog views that you can use for SQL Server auditing.
CATALOG VIEWS
DESCRIPTION
sys.database_audit_specifications
Contains information about the database audit specifications
in a SQL Server audit on a server instance.
sys.database_audit_specification_details
Contains information about the database audit specifications
in a SQL Server audit on a server instance for all databases.
sys.server_audits
Contains one row for each SQL Server audit in a server
instance.
sys.server_audit_specifications
Contains information about the server audit specifications in a
SQL Server audit on a server instance.
sys.server_audit_specifications_details
Contains information about the server audit specification
details (actions) in a SQL Server audit on a server instance.
sys.server_file_audits
Stores extended information about the file audit
type in a SQL Server audit on a server instance.
Permissions
Each feature and command for SQL Server Audit has individual permission requirements.
To create, alter, or drop a Server Audit or Server Audit Specification, server principals require the ALTER ANY
SERVER AUDIT or the CONTROL SERVER permission. To create, alter, or drop a Database Audit Specification,
database principals require the ALTER ANY DATABASE AUDIT permission or the ALTER or CONTROL permission
on the database. In addition, principals must have permission to connect to the database, or ALTER ANY SERVER
AUDIT or CONTROL SERVER permissions.
The VIEW ANY DEFINITION permission provides access to view the server level audit views and VIEW DEFINITION
provides access to view the database level audit views. Denial of these permissions overrides the ability to view
the catalog views, even if the principal has the ALTER ANY SERVER AUDIT or ALTER ANY DATABASE AUDIT
permissions.
For more information about how to grant rights and permissions, see GRANT (Transact-SQL).
CAUTION
Principals in the sysadmin role can tamper with any audit component and those in the db_owner role can tamper
with audit specifications in a database. SQL Server Audit will validate that a logon that creates or alters an audit
specification has at least the ALTER ANY DATABASE AUDIT permission. However, it does no validation when you
attach a database. You should assume all Database Audit Specifications are only as trustworthy as those principals
in the sysadmin or db_owner role.
Related Tasks
Create a Server Audit and Server Audit Specification
Create a Server Audit and Database Audit Specification
View a SQL Server Audit Log
Write SQL Server Audit Events to the Security Log
Topics Closely Related to Auditing
Server Properties (Security Page)
Explains how to turn on login auditing for SQL Server. The audit records are stored in the Windows application log.
c2 audit mode Server Configuration Option
Explains the C2 security compliance auditing mode in SQL Server.
Security Audit Event Category (SQL Server Profiler)
Explains the audit events you can use in SQL Server Profiler. For more information, see SQL Server Profiler.
SQL Trace
Explains how SQL Trace can be used from within your own applications to create traces manually, instead of using
SQL Server Profiler.
DDL Triggers
Explains how you can use Data Definition Language (DDL) triggers to track changes to your databases.
Microsoft TechNet: SQL Server TechCenter: SQL Server 2005 Security and Protection
Provides up-to-date information about SQL Server security.
See Also
SQL Server Audit Action Groups and Actions
SQL Server Audit Records
SQL Server Audit Action Groups and Actions
3/24/2017 • 15 min to read
The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual
events. For more information, see SQL Server Audit (Database Engine).
SQL Server audits consist of zero or more audit action items. These audit action items can be either a group of
actions, such as Server_Object_Change_Group, or individual actions such as SELECT operations on a table.
NOTE
Server_Object_Change_Group includes CREATE, ALTER, and DROP for any server object (Database or Endpoint).
Audits can have the following categories of actions:
- Server-level. These actions include server operations, such as management changes and logon and logoff operations.
- Database-level. These actions encompass data manipulation language (DML) and data definition language (DDL) operations.
- Audit-level. These actions include actions in the auditing process.
Some actions performed on SQL Server auditing components are intrinsically audited in a specific audit, and in these
cases audit events occur automatically because the event occurred on the parent object.
The following actions are intrinsically audited:
- Server Audit State Change (setting State to ON or OFF)
The following events are not intrinsically audited:
- CREATE SERVER AUDIT SPECIFICATION
- ALTER SERVER AUDIT SPECIFICATION
- DROP SERVER AUDIT SPECIFICATION
- CREATE DATABASE AUDIT SPECIFICATION
- ALTER DATABASE AUDIT SPECIFICATION
- DROP DATABASE AUDIT SPECIFICATION
All audits are disabled when initially created.
Server-Level Audit Action Groups
Server-level audit action groups are actions similar to SQL Server security audit event classes. For more
information, see SQL Server Event Class Reference.
The following table describes the server-level audit action groups and provides the equivalent SQL Server Event
Class where applicable.
ACTION GROUP NAME
DESCRIPTION
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
This event is raised whenever a password is changed for an
application role. Equivalent to the Audit App Role Change
Password Event Class.
AUDIT_CHANGE_GROUP
This event is raised whenever any audit is created, modified or
deleted. This event is raised whenever any audit specification
is created, modified, or deleted. Any change to an audit is
audited in that audit. Equivalent to the Audit Change Audit
Event Class.
BACKUP_RESTORE_GROUP
This event is raised whenever a backup or restore command is
issued. Equivalent to the Audit Backup and Restore Event
Class.
BROKER_LOGIN_GROUP
This event is raised to report audit messages related to
Service Broker transport security. Equivalent to the Audit
Broker Login Event Class.
DATABASE_CHANGE_GROUP
This event is raised when a database is created, altered, or
dropped. This event is raised whenever any database is
created, altered or dropped. Equivalent to the Audit Database
Management Event Class.
DATABASE_LOGOUT_GROUP
This event is raised when a contained database user logs out
of a database. Equivalent to the Audit Database Logout Event
Class.
DATABASE_MIRRORING_LOGIN_GROUP
This event is raised to report audit messages related to
database mirroring transport security. Equivalent to the Audit
Database Mirroring Login Event Class.
DATABASE_OBJECT_ACCESS_GROUP
This event is raised whenever database objects such as
message type, assembly, contract are accessed. This event is
raised for any access to any database. Note: This could
potentially lead to large audit records.
Equivalent to the Audit Database Object Access Event Class.
DATABASE_OBJECT_CHANGE_GROUP
This event is raised when a CREATE, ALTER, or DROP
statement is executed on database objects, such as schemas.
This event is raised whenever any database object is created,
altered or dropped. Note: This could lead to very large
quantities of audit records.
Equivalent to the Audit Database Object Management Event
Class.
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
This event is raised when a change of owner for objects within
database scope occurs. This event is raised for any object ownership
change in any database on the server. Equivalent to the Audit
Database Object Take Ownership Event Class.
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
This event is raised when a GRANT, REVOKE, or DENY has
been issued for database objects, such as assemblies and
schemas. This event is raised for any object permission change
for any database on the server. Equivalent to the Audit
Database Object GDR Event Class.
DATABASE_OPERATION_GROUP
This event is raised when operations in a database, such as
checkpoint or subscribe query notification, occur. This event is
raised on any database operation on any database. Equivalent
to the Audit Database Operation Event Class.
DATABASE_OWNERSHIP_CHANGE_GROUP
This event is raised when you use the ALTER
AUTHORIZATION statement to change the owner of a
database, and the permissions that are required to do that
are checked. This event is raised for any database ownership
change on any database on the server. Equivalent to the
Audit Change Database Owner Event Class.
DATABASE_PERMISSION_CHANGE_GROUP
This event is raised whenever a GRANT, REVOKE, or DENY is
issued for a statement permission by any principal in SQL
Server (This applies to database-only events, such as granting
permissions on a database).
This event is raised for any database permission change (GDR)
for any database in the server. Equivalent to the Audit
Database Scope GDR Event Class.
DATABASE_PRINCIPAL_CHANGE_GROUP
This event is raised when principals, such as users, are created,
altered, or dropped from a database. Equivalent to the Audit
Database Principal Management Event Class. (Also equivalent
to the Audit Add DB Principal Event Class, which occurs on
the deprecated sp_grantdbaccess, sp_revokedbaccess,
sp_addPrincipal, and sp_dropPrincipal stored procedures.)
This event is raised whenever a database role is added to or
removed by using the sp_addrole, sp_droprole stored
procedures. This event is raised whenever any database
principals are created, altered, or dropped from any database.
Equivalent to the Audit Add Role Event Class.
DATABASE_PRINCIPAL_IMPERSONATION_GROUP
This event is raised when there is an impersonation operation
in the database scope such as EXECUTE AS <principal> or
SETPRINCIPAL. This event is raised for impersonations done in
any database. Equivalent to the Audit Database Principal
Impersonation Event Class.
DATABASE_ROLE_MEMBER_CHANGE_GROUP
This event is raised whenever a login is added to or removed
from a database role. This event class is raised for the
sp_addrolemember, sp_changegroup, and
sp_droprolemember stored procedures. This event is raised on
any Database role member change in any database.
Equivalent to the Audit Add Member to DB Role Event Class.
DBCC_GROUP
This event is raised whenever a principal issues any DBCC
command. Equivalent to the Audit DBCC Event Class.
FAILED_DATABASE_AUTHENTICATION_GROUP
Indicates that a principal tried to log on to a contained
database and failed. Events in this class are raised by new
connections or by connections that are reused from a
connection pool. Equivalent to the Audit Login Failed Event
Class.
FAILED_LOGIN_GROUP
Indicates that a principal tried to log on to SQL Server and
failed. Events in this class are raised by new connections or by
connections that are reused from a connection pool.
Equivalent to the Audit Login Failed Event Class.
FULLTEXT_GROUP
Indicates that a full-text event occurred. Equivalent to the Audit
Fulltext Event Class.
LOGIN_CHANGE_PASSWORD_GROUP
This event is raised whenever a login password is changed by
way of ALTER LOGIN statement or sp_password stored
procedure. Equivalent to the Audit Login Change Password
Event Class.
LOGOUT_GROUP
Indicates that a principal has logged out of SQL Server. Events
in this class are raised by new connections or by connections
that are reused from a connection pool. Equivalent to the
Audit Logout Event Class.
SCHEMA_OBJECT_ACCESS_GROUP
This event is raised whenever an object permission has been
used in the schema. Equivalent to the Audit Schema Object
Access Event Class.
SCHEMA_OBJECT_CHANGE_GROUP
This event is raised when a CREATE, ALTER, or DROP
operation is performed on a schema. Equivalent to the Audit
Schema Object Management Event Class.
This event is raised on schema objects. Equivalent to the Audit
Object Derived Permission Event Class.
This event is raised whenever any schema of any database
changes. Equivalent to the Audit Statement Permission Event
Class.
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
This event is raised when the permissions to change the
owner of schema object (such as a table, procedure, or
function) is checked. This occurs when the ALTER
AUTHORIZATION statement is used to assign an owner to an
object. This event is raised for any schema ownership change
for any database on the server. Equivalent to the Audit
Schema Object Take Ownership Event Class.
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
This event is raised whenever a grant, deny, or revoke is
performed against a schema object. Equivalent to the Audit
Schema Object GDR Event Class.
SERVER_OBJECT_CHANGE_GROUP
This event is raised for CREATE, ALTER, or DROP operations
on server objects. Equivalent to the Audit Server Object
Management Event Class.
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP
This event is raised when the owner is changed for objects in
server scope. Equivalent to the Audit Server Object Take
Ownership Event Class.
SERVER_OBJECT_PERMISSION_CHANGE_GROUP
This event is raised whenever a GRANT, REVOKE, or DENY is
issued for a server object permission by any principal in SQL
Server. Equivalent to the Audit Server Object GDR Event Class.
SERVER_OPERATION_GROUP
This event is raised when Security Audit operations such as
altering settings, resources, external access, or authorization
are used. Equivalent to the Audit Server Operation Event
Class.
SERVER_PERMISSION_CHANGE_GROUP
This event is raised when a GRANT, REVOKE, or DENY is
issued for permissions in the server scope, such as creating a
login. Equivalent to the Audit Server Scope GDR Event Class.
SERVER_PRINCIPAL_CHANGE_GROUP
This event is raised when server principals are created, altered,
or dropped. Equivalent to the Audit Server Principal
Management Event Class.
This event is raised when a principal issues the sp_defaultdb
or sp_defaultlanguage stored procedures or ALTER LOGIN
statements. Equivalent to the Audit Addlogin Event Class.
This event is raised on the sp_addlogin and sp_droplogin
stored procedures. Also equivalent to the Audit Login Change
Property Event Class.
This event is raised for the sp_grantlogin or sp_revokelogin
stored procedures. Equivalent to the Audit Login GDR Event
Class.
SERVER_PRINCIPAL_IMPERSONATION_GROUP
This event is raised when there is an impersonation within
server scope, such as EXECUTE AS <login>. Equivalent to the
Audit Server Principal Impersonation Event Class.
SERVER_ROLE_MEMBER_CHANGE_GROUP
This event is raised whenever a login is added or removed
from a fixed server role. This event is raised for the
sp_addsrvrolemember and sp_dropsrvrolemember stored
procedures. Equivalent to the Audit Add Login to Server Role
Event Class.
SERVER_STATE_CHANGE_GROUP
This event is raised when the SQL Server service state is
modified. Equivalent to the Audit Server Starts and Stops
Event Class.
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP
Indicates that a principal successfully logged in to a contained
database. Equivalent to the Audit Successful Database
Authentication Event Class.
SUCCESSFUL_LOGIN_GROUP
Indicates that a principal has successfully logged in to SQL
Server. Events in this class are raised by new connections or
by connections that are reused from a connection pool.
Equivalent to the Audit Login Event Class.
TRACE_CHANGE_GROUP
This event is raised for all statements that check for the ALTER
TRACE permission. Equivalent to the Audit Server Alter Trace
Event Class.
TRANSACTION_GROUP
This event is raised for BEGIN TRANSACTION, ROLLBACK
TRANSACTION, and COMMIT TRANSACTION operations,
both for explicit calls to those statements and implicit
transaction operations. This event is also raised for UNDO
operations for individual statements caused by the rollback of
a transaction.
USER_CHANGE_PASSWORD_GROUP
This event is raised whenever the password of a contained
database user is changed by using the ALTER USER
statement.
USER_DEFINED_AUDIT_GROUP
This group monitors events raised by using sp_audit_write
(Transact-SQL). Typically triggers or stored procedures include
calls to sp_audit_write to enable auditing of important
events.
Considerations
Server-level action groups cover actions across a SQL Server instance. For example, any schema object access
check in any database is recorded if the appropriate action group is added to a server audit specification. In a
database audit specification, only schema object accesses in that database are recorded.
Server-level actions do not allow for detailed filtering on database-level actions. A database-level audit, such as
audit of SELECT actions on the Customers table for logins in the Employee group is required to implement
detailed action filtering. Do not include server-scoped objects, such as the system views, in a user database audit
specification.
Database-Level Audit Action Groups
Database-Level Audit Action Groups are actions similar to SQL Server Security Audit Event classes. For more
information about event classes, see SQL Server Event Class Reference.
The following table describes the database-level audit action groups and provides their equivalent SQL Server
Event Class where applicable.
ACTION GROUP NAME
DESCRIPTION
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP
This event is raised whenever a password is changed for an
application role. Equivalent to the Audit App Role Change
Password Event Class.
AUDIT_CHANGE_GROUP
This event is raised whenever any audit is created, modified or
deleted. This event is raised whenever any audit specification
is created, modified, or deleted. Any change to an audit is
audited in that audit. Equivalent to the Audit Change Audit
Event Class.
BACKUP_RESTORE_GROUP
This event is raised whenever a backup or restore command is
issued. Equivalent to the Audit Backup and Restore Event
Class.
DATABASE_CHANGE_GROUP
This event is raised when a database is created, altered, or
dropped. Equivalent to the Audit Database Management
Event Class.
DATABASE_LOGOUT_GROUP
This event is raised when a contained database user logs out
of a database. Equivalent to the Audit Backup and Restore
Event Class.
DATABASE_OBJECT_ACCESS_GROUP
This event is raised whenever database objects such as
certificates and asymmetric keys are accessed. Equivalent to
the Audit Database Object Access Event Class.
DATABASE_OBJECT_CHANGE_GROUP
This event is raised when a CREATE, ALTER, or DROP
statement is executed on database objects, such as schemas.
Equivalent to the Audit Database Object Management Event
Class.
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP
This event is raised when a change of owner for objects within
database scope occurs. Equivalent to the Audit Database
Object Take Ownership Event Class.
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP
This event is raised when a GRANT, REVOKE, or DENY has
been issued for database objects, such as assemblies and
schemas. Equivalent to the Audit Database Object GDR Event
Class.
DATABASE_OPERATION_GROUP
This event is raised when operations in a database, such as
checkpoint or subscribe query notification, occur. Equivalent
to the Audit Database Operation Event Class.
DATABASE_OWNERSHIP_CHANGE_GROUP
This event is raised when you use the ALTER
AUTHORIZATION statement to change the owner of a
database, and the permissions that are required to do that
are checked. Equivalent to the Audit Change Database Owner
Event Class.
DATABASE_PERMISSION_CHANGE_GROUP
This event is raised whenever a GRANT, REVOKE, or DENY is
issued for a statement permission by any user in SQL Server
for database-only events such as granting permissions on a
database. Equivalent to the Audit Database Scope GDR Event
Class.
DATABASE_PRINCIPAL_CHANGE_GROUP
This event is raised when principals, such as users, are created,
altered, or dropped from a database. Equivalent to the Audit
Database Principal Management Event Class. Also equivalent
to the Audit Add DB User Event Class, which occurs on
deprecated sp_grantdbaccess, sp_revokedbaccess, sp_adduser,
and sp_dropuser stored procedures.
This event is raised whenever a database role is added to or
removed using deprecated sp_addrole and sp_droprole stored
procedures. Equivalent to the Audit Add Role Event Class.
DATABASE_PRINCIPAL_IMPERSONATION_GROUP
This event is raised when there is an impersonation within
database scope such as EXECUTE AS <user>. Equivalent to
the Audit Database Principal Impersonation Event Class.
ACTION GROUP NAME
DESCRIPTION
DATABASE_ROLE_MEMBER_CHANGE_GROUP
This event is raised whenever a login is added to or removed
from a database role. This event class is used with the
sp_addrolemember, sp_changegroup, and
sp_droprolemember stored procedures.Equivalent to the
Audit Add Member to DB Role Event Class
DBCC_GROUP
This event is raised whenever a principal issues any DBCC
command. Equivalent to the Audit DBCC Event Class.
FAILED_DATABASE_AUTHENTICATION_GROUP
Indicates that a principal tried to log on to a contained
database and failed. Events in this class are raised by new
connections or by connections that are reused from a
connection pool. This event is raised.
SCHEMA_OBJECT_ACCESS_GROUP
This event is raised whenever an object permission has been
used in the schema. Equivalent to the Audit Schema Object
Access Event Class.
SCHEMA_OBJECT_CHANGE_GROUP
This event is raised when a CREATE, ALTER, or DROP
operation is performed on a schema. Equivalent to the Audit
Schema Object Management Event Class.
This event is raised on schema objects. Equivalent to the Audit
Object Derived Permission Event Class. Also equivalent to the
Audit Statement Permission Event Class.
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
This event is raised when the permissions to change the
owner of schema object such as a table, procedure, or
function is checked. This occurs when the ALTER
AUTHORIZATION statement is used to assign an owner to an
object. Equivalent to the Audit Schema Object Take
Ownership Event Class.
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
This event is raised whenever a grant, deny, or revoke is
issued for a schema object. Equivalent to the Audit Schema
Object GDR Event Class.
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP
Indicates that a principal successfully logged in to a contained
database. Equivalent to the Audit Successful Database
Authentication Event Class.
USER_CHANGE_PASSWORD_GROUP
This event is raised whenever the password of a contained
database user is changed by using the ALTER USER
statement.
USER_DEFINED_AUDIT_GROUP
This group monitors events raised by using sp_audit_write
(Transact-SQL).
Database-Level Audit Actions
Database-level actions support the auditing of specific actions directly on database schema and schema objects,
such as Tables, Views, Stored Procedures, Functions, Extended Stored Procedures, Queues, Synonyms. Types, XML
Schema Collection, Database, and Schema are not audited. The audit of schema objects may be configured on
Schema and Database, which means that events on all schema objects contained by the specified schema or
database will be audited. The following table describes database-level audit actions.
ACTION
DESCRIPTION
SELECT
This event is raised whenever a SELECT is issued.
UPDATE
This event is raised whenever an UPDATE is issued.
INSERT
This event is raised whenever an INSERT is issued.
DELETE
This event is raised whenever a DELETE is issued.
EXECUTE
This event is raised whenever an EXECUTE is issued.
RECEIVE
This event is raised whenever a RECEIVE is issued.
REFERENCES
This event is raised whenever a REFERENCES permission is checked.
Considerations
Database-level audit actions do not apply to Columns.
When the query processor parameterizes the query, the parameter can appear in the audit event log instead of the column values of the query.
RPC statements are not logged.
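As an added example that is not part of the Microsoft documentation, the scoping difference described in the two Considerations sections above: a server audit specification that records every schema object access on the instance, beside a database audit specification that records only chosen actions, scoped to one table and one schema and filtered by principal. The audit name Compliance_Audit, the database Sales, the table dbo.Customers and the role Employees are assumed names.

```sql
-- Added example, not from the original documentation. Assumes a server audit
-- named Compliance_Audit already exists, plus a database Sales containing a
-- table dbo.Customers and a database role named Employees.
USE master;
GO
-- Server level: SCHEMA_OBJECT_ACCESS_GROUP records every object permission
-- check in every database on the instance. No per-table or per-principal filter.
CREATE SERVER AUDIT SPECIFICATION Instance_Wide_Object_Access
    FOR SERVER AUDIT Compliance_Audit
    ADD (SCHEMA_OBJECT_ACCESS_GROUP)
    WITH (STATE = ON);
GO
USE Sales;
GO
-- Database level: actions can be scoped to an object, a schema or the whole
-- database, and restricted to a principal. Here SELECT on one table by one
-- role, and UPDATE on every object in the dbo schema by any user (public).
CREATE DATABASE AUDIT SPECIFICATION Customer_Access_Audit
    FOR SERVER AUDIT Compliance_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY Employees),
    ADD (UPDATE ON SCHEMA::dbo BY public)
    WITH (STATE = ON);
GO
-- Verify what the database specification actually captures: one row per
-- action, with the class (OBJECT or SCHEMA) and the audited principal.
SELECT s.name, s.is_state_enabled, d.audit_action_name, d.class_desc,
       d.major_id, d.audited_principal_id
FROM sys.database_audit_specifications AS s
JOIN sys.database_audit_specification_details AS d
    ON s.database_specification_id = d.database_specification_id;
```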
Audit-Level Audit Action Groups
You can also audit the actions in the auditing process. This can be in the server scope or the database scope. In the
database scope, it only occurs for database audit specifications. The following table describes audit-level audit
action groups.
ACTION GROUP NAME
DESCRIPTION
AUDIT_CHANGE_GROUP
This event is raised whenever one of the following commands is issued:
CREATE SERVER AUDIT
ALTER SERVER AUDIT
DROP SERVER AUDIT
CREATE SERVER AUDIT SPECIFICATION
ALTER SERVER AUDIT SPECIFICATION
DROP SERVER AUDIT SPECIFICATION
CREATE DATABASE AUDIT SPECIFICATION
ALTER DATABASE AUDIT SPECIFICATION
DROP DATABASE AUDIT SPECIFICATION
Related Content
Create a Server Audit and Server Audit Specification
Create a Server Audit and Database Audit Specification
CREATE SERVER AUDIT (Transact-SQL)
ALTER SERVER AUDIT (Transact-SQL)
DROP SERVER AUDIT (Transact-SQL)
CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)
ALTER SERVER AUDIT SPECIFICATION (Transact-SQL)
DROP SERVER AUDIT SPECIFICATION (Transact-SQL)
CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)
ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL)
DROP DATABASE AUDIT SPECIFICATION (Transact-SQL)
ALTER AUTHORIZATION (Transact-SQL)
sys.fn_get_audit_file (Transact-SQL)
sys.server_audits (Transact-SQL)
sys.server_file_audits (Transact-SQL)
sys.server_audit_specifications (Transact-SQL)
sys.server_audit_specification_details (Transact-SQL)
sys.database_audit_specifications (Transact-SQL)
sys.database_audit_specification_details (Transact-SQL)
sys.dm_server_audit_status (Transact-SQL)
sys.dm_audit_actions (Transact-SQL)
sys.dm_audit_class_type_map (Transact-SQL)
SQL Server Audit Records
3/24/2017 • 3 min to read
The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual
events. For more information, see SQL Server Audit (Database Engine).
Audits consist of zero or more audit action items, which are recorded to an audit target. The audit target can be a
binary file, the Windows Application event log or the Windows Security event log. The records sent to the target
can contain the elements described in the following table.
COLUMN NAME
DESCRIPTION
TYPE
ALWAYS AVAILABLE
event_time
Date/time when the auditable action is fired. Type: datetime2. Always available: Yes.
sequence_no
Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. Type: int. Always available: Yes.
action_id
ID of the action. Type: varchar(4). Always available: Yes.
Tip: To use action_id as a predicate it must be converted from a character string to a numeric value. For more information, see Filter SQL Server Audit on action_id / class_type predicate.
succeeded
Indicates if the action that triggered the event succeeded. Type: bit (1 = Success, 0 = Fail). Always available: Yes.
permission_bitmask
When applicable, shows the permissions that were granted, denied, or revoked. Type: bigint. Always available: No.
is_column_permission
Flag indicating a column level permission. Type: bit (1 = True, 0 = False). Always available: No.
session_id
ID of the session on which the event occurred. Type: int. Always available: Yes.
server_principal_id
ID of the login context that the action is performed in. Type: int. Always available: Yes.
database_principal_id
ID of the database user context that the action is performed in. Type: int. Always available: No.
object_id
The primary ID of the entity on which the audit occurred. This includes server objects, databases, database objects, and schema objects. Type: int. Always available: No.
target_server_principal_id
Server principal that the auditable action applies to. Type: int. Always available: Yes.
target_database_principal_id
Database principal that the auditable action applies to. Type: int. Always available: No.
class_type
Type of auditable entity that the audit occurs on. Type: varchar(2). Always available: Yes.
session_server_principal_name
Server principal for the session. Type: sysname. Always available: Yes.
server_principal_name
Current login. Type: sysname. Always available: Yes.
server_principal_sid
Current login SID. Type: varbinary. Always available: Yes.
database_principal_name
Current user. Type: sysname. Always available: No.
target_server_principal_name
Target login of the action. Type: sysname. Always available: No.
target_server_principal_sid
SID of the target login. Type: varbinary. Always available: No.
target_database_principal_name
Target user of the action. Type: sysname. Always available: No.
server_instance_name
Name of the server instance where the audit occurred. Uses the standard machine\instance format. Type: nvarchar(120). Always available: Yes.
database_name
The database context in which the action occurred. Type: sysname. Always available: No.
schema_name
The schema context in which the action occurred. Type: sysname. Always available: No.
object_name
The name of the entity on which the audit occurred. This includes server objects, databases, database objects, and schema objects. Type: sysname. Always available: No.
statement
TSQL statement (if any). Type: nvarchar(4000). Always available: No.
additional_information
Any additional information about the event, stored as XML. Type: nvarchar(4000). Always available: No.
Remarks
Some actions do not populate a column's value because the column does not apply to that action.
SQL Server Audit stores 4000 characters of data for character fields in an audit record. When the
additional_information or statement value returned from an auditable action exceeds 4000 characters, the
sequence_no column is used to write multiple records into the audit report for a single audit action. The process
is as follows:
The statement column is divided into 4000-character chunks.
SQL Server Audit writes the first row for the audit record with the first chunk of data. All the other fields are
duplicated in each row.
The sequence_no value is incremented.
This process is repeated until all the data is recorded.
You can reconnect the data by reading the rows sequentially by sequence_no, using the event_time, action_id
and session_id columns to identify the action.
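An added example, not from the Microsoft documentation, of reassembling a statement that was split across several rows: it reads the audit file with sys.fn_get_audit_file, groups rows by event_time, action_id and session_id as described above, and concatenates the statement fragments in sequence_no order. The audit file path is an assumed value.

```sql
-- Added example, not from the original documentation. Rebuilds statements that
-- were written as several rows because they exceeded 4000 characters.
DECLARE @AuditPath nvarchar(260) = N'C:\Audit\Compliance_Audit_*.sqlaudit';  -- assumed path

WITH AuditRows AS (
    SELECT event_time, action_id, session_id, sequence_no,
           server_principal_name, database_name, statement
    FROM sys.fn_get_audit_file(@AuditPath, DEFAULT, DEFAULT)
)
SELECT a.event_time, a.action_id, a.session_id,
       a.server_principal_name, a.database_name,
       COUNT(*) AS fragment_count,
       -- Concatenate the fragments in sequence_no order. FOR XML PATH with TYPE
       -- followed by .value() keeps characters such as < and & unescaped.
       (SELECT f.statement AS [text()]
        FROM AuditRows AS f
        WHERE f.event_time = a.event_time
          AND f.action_id  = a.action_id
          AND f.session_id = a.session_id
        ORDER BY f.sequence_no
        FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)') AS full_statement
FROM AuditRows AS a
GROUP BY a.event_time, a.action_id, a.session_id,
         a.server_principal_name, a.database_name
HAVING COUNT(*) > 1      -- only actions that were split; remove to see every action
ORDER BY a.event_time;
```

The same grouping reassembles additional_information when that column is the one that exceeded 4000 characters.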
Related Content
CREATE SERVER AUDIT (Transact-SQL)
ALTER SERVER AUDIT (Transact-SQL)
DROP SERVER AUDIT (Transact-SQL)
CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)
ALTER SERVER AUDIT SPECIFICATION (Transact-SQL)
DROP SERVER AUDIT SPECIFICATION (Transact-SQL)
CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)
ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL)
DROP DATABASE AUDIT SPECIFICATION (Transact-SQL)
ALTER AUTHORIZATION (Transact-SQL)
sys.fn_get_audit_file (Transact-SQL)
sys.server_audits (Transact-SQL)
sys.server_file_audits (Transact-SQL)
sys.server_audit_specifications (Transact-SQL)
sys.server_audit_specification_details (Transact-SQL)
sys.database_audit_specifications (Transact-SQL)
sys.database_audit_specification_details (Transact-SQL)
sys.dm_server_audit_status (Transact-SQL)
sys.dm_audit_actions (Transact-SQL)
sys.dm_audit_class_type_map (Transact-SQL)
Create a Server Audit and Server Audit Specification
3/24/2017 • 6 min to read
This topic describes how to create a server audit and server audit specification in SQL Server 2016 by using SQL
Server Management Studio or Transact-SQL. Auditing an instance of SQL Server or a SQL Server database
involves tracking and logging events that occur on the system. The SQL Server Audit object collects a single
instance of server- or database-level actions and groups of actions to monitor. The audit is at the SQL Server
instance level. You can have multiple audits per SQL Server instance. The Server Audit Specification object belongs
to an audit. You can create one server audit specification per audit, because both are created at the SQL Server
instance scope. For more information, see SQL Server Audit (Database Engine).
In This Topic
Before you begin:
Limitations and Restrictions
Security
To create a server audit and server audit specification, using:
SQL Server Management Studio
Transact-SQL
Before You Begin
Limitations and Restrictions
An audit must exist before creating a server audit specification for it. When a server audit specification is
created, it is in a disabled state.
The CREATE SERVER AUDIT statement is in a transaction's scope. If the transaction is rolled back, the
statement is also rolled back.
Security
Permissions
To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL
SERVER permission.
Users with the ALTER ANY SERVER AUDIT permission can create server audit specifications and bind them
to any audit.
After a server audit specification is created, it can be viewed by principals with the CONTROL SERVER or
ALTER ANY SERVER AUDIT permissions, the sysadmin account, or principals having explicit access to the
audit.
Using SQL Server Management Studio
To create a server audit
1. In Object Explorer, expand the Security folder.
2. Right-click the Audits folder and select New Audit….
The following options are available on the General page of the Create Audit dialog box.
Audit name
The name of the audit. This is generated automatically when you create a new audit but is editable.
Queue delay (in milliseconds)
Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed.
A value of 0 indicates synchronous delivery. The default minimum value is 1000 (1 second). The maximum
is 2,147,483,647 (2,147,483.647 seconds or 24 days, 20 hours, 31 minutes, 23.647 seconds).
On Audit Log Failure:
Continue
SQL Server operations continue. Audit records are not retained. The audit continues to attempt to log
events and will resume if the failure condition is resolved. Selecting the Continue option can allow
unaudited activity which could violate your security policies. Select this option when continuing operation
of the Database Engine is more important than maintaining a complete audit. This is the default selection.
Shut down server
Forces a server shut down when the server instance writing to the target cannot write data to the audit
target. The login issuing this must have the SHUTDOWN permission. If the login does not have this
permission, this function will fail and an error message will be raised. No audited events occur. Select this
option when an audit failure could compromise the security or integrity of the system.
Fail operation
In cases where the SQL Server Audit cannot write to the audit log this option causes database actions to fail
if they would otherwise cause audited events. No audited events occur. Actions which do not cause audited
events can continue. The audit continues to attempt to log events and will resume if the failure condition is
resolved. Select this option when maintaining a complete audit is more important than full access to the
Database Engine.
IMPORTANT
When the audit is in a failed state, the Dedicated Administrator Connection can continue to perform audited events.
Audit destination list
Specifies the target for auditing data. The available options are a binary file, the Windows Application log, or
the Windows Security log. SQL Server cannot write to the Windows Security log without configuring
additional settings in Windows. For more information, see Write SQL Server Audit Events to the Security
Log.
File path
Specifies the location of the folder where audit data is written when the Audit destination is a file.
Ellipsis (…)
Opens the Locate Folder –server_name dialog box to specify a file path or create a folder where the audit
file is written.
Audit File Maximum Limit:
Maximum rollover files
Specifies that, when the maximum number of audit files is reached, the oldest audit files are overwritten by
new file content.
Maximum files
Specifies that, when the maximum number of audit files is reached, any action that causes additional audit
events to be generated will fail with an error.
Unlimited check box
When the Unlimited check box under Maximum rollover files is selected, there is no limit imposed on
the number of audit files that will be created. The Unlimited check box is selected by default and applies to
both the Maximum rollover files and Maximum files selections.
Number of files box
Specifies the number of audit files to be created, up to 2,147,483,647. This option is only available if
Unlimited is unchecked.
Maximum file size
Specifies the maximum size for an audit file in either megabytes (MB), gigabytes (GB), or terabytes (TB). You
can specify between 1024 MB and 2,147,483,647 TB. Selecting the Unlimited check box does not place a
limit on the size of the file. Specifying a value lower than 1024 MB will fail, returning an error. The
Unlimited check box is selected by default.
Reserve disk space check box
Specifies that space is pre-allocated on the disk equal to the specified maximum file size. This setting can
only be used if the Unlimited check box under Maximum file size is not selected. This check box is not
selected by default.
3. Optionally, on the Filter page, enter a predicate, or WHERE clause, to the server audit to specify additional
options not available from the General page. Enclose the predicate in parentheses; for example:
(object_name = 'EmployeesTable') .
4. When you are finished selecting options, click OK.
To create a server audit specification
1. In Object Explorer, click the plus sign to expand the Security folder.
2. Right-click the Server Audit Specifications folder and select New Server Audit Specification….
The following options are available on the Create Server Audit Specification dialog box.
Name
The name of the server audit specification. This is generated automatically when you create a new server
audit specification but is editable.
Audit
The name of an existing server audit. Either type in the name of the audit or select it from the list.
Audit Action Type
Specifies the server-level audit action groups and audit actions to capture. For the list of server-level audit
action groups and audit actions and a description of the events they contain, see SQL Server Audit Action
Groups and Actions.
Object Schema
Displays the schema for the specified Object Name.
Object Name
The name of the object to audit. This is only available for audit actions; it does not apply to audit groups.
Ellipsis (…)
Opens the Select Objects dialog to browse for and select an available object, based on the specified Audit
Action Type.
Principal Name
The account to filter the audit by for the object being audited.
Ellipsis (…)
Opens the Select Objects dialog to browse for and select an available object, based on the specified
Object Name.
3. When you are finished, click OK.
Using Transact-SQL
To create a server audit
1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.
-- Creates a server audit called "HIPAA_Audit" with a binary file as the target and no options.
CREATE SERVER AUDIT HIPAA_Audit
    TO FILE ( FILEPATH = '\\SQLPROD_1\Audit\' );
To create a server audit specification
1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.
/* Creates a server audit specification called "HIPAA_Audit_Specification" that audits failed logins for
   the SQL Server audit "HIPAA_Audit" created above. A specification is created in the disabled state,
   so it is enabled here as well. */
CREATE SERVER AUDIT SPECIFICATION HIPAA_Audit_Specification
    FOR SERVER AUDIT HIPAA_Audit
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
-- Enables the audit.
ALTER SERVER AUDIT HIPAA_Audit
    WITH (STATE = ON);
GO
For more information, see CREATE SERVER AUDIT (Transact-SQL) and CREATE SERVER AUDIT
SPECIFICATION (Transact-SQL).
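The dialog options listed under "To create a server audit" above (queue delay, on audit log failure, maximum file size and rollover files, reserved disk space, and the filter predicate) map to clauses of CREATE SERVER AUDIT. As an added example that is not part of the Microsoft documentation, the following creates the audit twice: once with the defaults, which allow unaudited activity when the target cannot be written, and once with those options set; the file path, sizes and predicate value are assumed values.

```sql
-- Added example, not from the original documentation. File path, sizes and
-- object name are assumed values.
USE master;
GO
-- Defaults, written out explicitly. ON_FAILURE = CONTINUE means that when the
-- target cannot be written the engine keeps running and the records are lost;
-- no MAXSIZE or rollover limit means the audit can fill the disk.
CREATE SERVER AUDIT HIPAA_Audit_Default
    TO FILE ( FILEPATH = N'\\SQLPROD_1\Audit\' )
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
GO
-- Options set: audited actions fail instead of proceeding unaudited, each file
-- is capped, its space is pre-allocated, a bounded set of rollover files is
-- kept, and a predicate limits the audit to one object (the same form as the
-- Filter page of the dialog).
CREATE SERVER AUDIT HIPAA_Audit_Hardened
    TO FILE (
        FILEPATH = N'\\SQLPROD_1\Audit\',
        MAXSIZE = 1024 MB,            -- example size per file
        MAX_ROLLOVER_FILES = 20,      -- oldest file is overwritten after 20
        RESERVE_DISK_SPACE = ON )     -- requires a non-unlimited MAXSIZE
    WITH (
        QUEUE_DELAY = 1000,           -- 0 would force synchronous delivery
        ON_FAILURE = FAIL_OPERATION )
    WHERE object_name = 'EmployeesTable';
GO
ALTER SERVER AUDIT HIPAA_Audit_Hardened WITH (STATE = ON);
GO
-- Review the configured failure behaviour, file limits and current status of
-- every file-based audit on the instance.
SELECT a.name, a.on_failure_desc, a.queue_delay, a.is_state_enabled, a.predicate,
       f.max_file_size, f.max_rollover_files, f.reserve_disk_space,
       s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
JOIN sys.server_file_audits AS f ON a.audit_id = f.audit_id
JOIN sys.dm_server_audit_status AS s ON a.audit_id = s.audit_id;
```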
Create a Server Audit and Database Audit Specification
3/24/2017 • 3 min to read
This topic describes how to create a server audit and database audit specification in SQL Server 2016 by using SQL
Server Management Studio or Transact-SQL.
Auditing an instance of SQL Server or a SQL Server database involves tracking and logging events that occur on
the system. The SQL Server Audit object collects a single instance of server- or database-level actions and groups
of actions to monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server
instance. The Database-Level Audit Specification object belongs to an audit. You can create one database audit
specification per SQL Server database per audit. For more information, see SQL Server Audit (Database Engine).
In This Topic
Before you begin:
Limitations and Restrictions
Security
To create a server audit and database audit specification, using:
SQL Server Management Studio
Transact-SQL
Before You Begin
Limitations and Restrictions
Database audit specifications are non-securable objects that reside in a given database. When a database audit
specification is created, it is in a disabled state.
When you are creating or modifying a database audit specification in a user database, do not include audit actions
on server-scope objects, such as the system views. If server-scoped objects are included, the audit will be created.
However, the server-scoped objects will not be included, and no error will be returned. To audit server-scope
objects, use a database audit specification in the master database.
Database audit specifications reside in the database where they are created, with the exception of the tempdb
system database.
Security
Permissions
Users with the ALTER ANY DATABASE AUDIT permission can create database audit specifications and bind
them to any audit.
After a database audit specification is created, it can be viewed by principals with the CONTROL SERVER,
ALTER ANY DATABASE AUDIT permissions, or the sysadmin account.
Using SQL Server Management Studio
To create a server audit
1. In Object Explorer, expand the Security folder.
2. Right-click the Audits folder and select New Audit…. For more information, see Create a Server Audit and
Server Audit Specification.
3. When you are finished selecting options, click OK.
To create a database-level audit specification
1. In Object Explorer, expand the database where you want to create an audit specification.
2. Expand the Security folder.
3. Right-click the Database Audit Specifications folder and select New Database Audit Specification….
The following options are available on the Create Database Audit Specification dialog box.
Name
The name of the database audit specification. This is generated automatically when you create a new database
audit specification but is editable.
Audit
The name of an existing server audit that the specification belongs to. Either type in the name of the audit or
select it from the list.
Audit Action Type
Specifies the database-level audit action groups and audit actions to capture. For the list of database-level
audit action groups and audit actions and a description of the events they contain, see SQL Server Audit
Action Groups and Actions.
Object Schema
Displays the schema for the specified Object Name.
Object Name
The name of the object to audit. This is only available for audit actions; it does not apply to audit groups.
Ellipsis (…)
Opens the Select Objects dialog to browse for and select an available object, based on the specified Audit
Action Type.
Principal Name
The account to filter the audit by for the object being audited.
Ellipsis (…)
Opens the Select Objects dialog to browse for and select an available object, based on the specified
Object Name.
4. When you are finished selecting options, click OK.
Using Transact-SQL
To create a server audit
1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.
USE master ;
GO
-- Create the server audit.
CREATE SERVER AUDIT Payrole_Security_Audit
TO FILE ( FILEPATH =
'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA' ) ;
GO
-- Enable the server audit.
ALTER SERVER AUDIT Payrole_Security_Audit
WITH (STATE = ON) ;
To create a database-level audit specification
1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute. The example creates a
database audit specification called Audit_Pay_Tables that audits SELECT and INSERT statements by the dbo
user, for the HumanResources.EmployeePayHistory table based on the server audit defined above.
USE AdventureWorks2012 ;
GO
-- Create the database audit specification.
CREATE DATABASE AUDIT SPECIFICATION Audit_Pay_Tables
FOR SERVER AUDIT Payrole_Security_Audit
ADD (SELECT , INSERT
ON HumanResources.EmployeePayHistory BY dbo )
WITH (STATE = ON) ;
GO
For more information, see CREATE SERVER AUDIT (Transact-SQL) and CREATE DATABASE AUDIT
SPECIFICATION (Transact-SQL).
View a SQL Server Audit Log
3/24/2017 • 1 min to read
This topic describes how to view a SQL Server audit log in SQL Server 2016 by using SQL Server Management
Studio.
In This Topic
Before you begin:
Security
To view a SQL Server audit log, using:
SQL Server Management Studio
Before You Begin
Security
Permissions
Requires the CONTROL SERVER permission.
Using SQL Server Management Studio
To view a SQL Server audit log
1. In Object Explorer, expand the Security folder.
2. Expand the Audits folder.
3. Right-click the audit log that you want to view and select View Audit Logs. This opens the Log File Viewer
–server_name dialog box. For more information, see Log File Viewer F1 Help.
4. When finished, click Close.
Microsoft recommends viewing the audit log by using the Log File Viewer. However, if you are creating an
automated monitoring system, the information in the audit file can be read directly by using the
sys.fn_get_audit_file (Transact-SQL) function. Reading the file directly returns data in a slightly different
(unprocessed) format. See sys.fn_get_audit_file for more information.
See Also
SQL Server Audit (Database Engine)
Write SQL Server Audit Events to the Security Log
Write SQL Server Audit Events to the Security Log
3/24/2017 • 3 min to read
In a high security environment, the Windows Security log is the appropriate location to write events that record
object access. Other audit locations are supported but are more subject to tampering.
There are two key requirements for writing SQL Server server audits to the Windows Security log:
The audit object access setting must be configured to capture the events. The audit policy tool
(auditpol.exe) exposes a variety of sub-policy settings in the audit object access category. To allow SQL
Server to audit object access, configure the application generated setting.
The account that the SQL Server service is running under must have the generate security audits
permission to write to the Windows Security log. By default, the LOCAL SERVICE and the NETWORK
SERVICE accounts have this permission. This step is not required if SQL Server is running under one of
those accounts.
The Windows audit policy can affect SQL Server auditing if it is configured to write to the Windows Security
log, with the potential of losing events if the audit policy is incorrectly configured. Typically, the Windows
Security log is set to overwrite the older events. This preserves the most recent events. However, if the
Windows Security log is not set to overwrite older events, then if the Security log is full, the system will
issue Windows event 1104 (Log is full). At that point:
No further security events will be recorded
SQL Server will not be able to detect that the system is not able to record the events in the Security log,
resulting in the potential loss of audit events
After the box administrator fixes the Security log, the logging behavior will return to normal.
In This Topic
Before you begin:
Limitations and Restrictions
Security
To write SQL Server audit events to the Security Log:
Configure the audit object access setting in Windows using auditpol
Configure the audit object access setting in Windows using secpol
Grant the generate security audits permission to an account using secpol
Before You Begin
Limitations and Restrictions
Administrators of the SQL Server computer should understand that local settings for the Security log can be
overwritten by a domain policy. In this case, the domain policy might overwrite the subcategory setting (auditpol
/get /subcategory:"application generated"). This can affect SQL Server's ability to log events without SQL
Server having any way to detect that the events it is trying to audit are not going to be recorded.
Security
Permissions
You must be a Windows administrator to configure these settings.
To configure the audit object access setting in Windows using auditpol
1. Open a command prompt with administrative permissions.
a. On the Start menu, point to All Programs, point to Accessories, right-click Command Prompt,
and then click Run as administrator.
b. If the User Account Control dialog box opens, click Continue.
2. Execute the following statement to enable auditing from SQL Server.
auditpol /set /subcategory:"application generated" /success:enable /failure:enable
3. Close the command prompt window.
To grant the generate security audits permission to an account using secpol
1. For any Windows operating system, on the Start menu, click Run.
2. Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.
3. In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click User
Rights Assignment.
4. In the results pane, double-click Generate security audits.
5. On the Local Security Setting tab, click Add User or Group.
6. In the Select Users, Computers, or Groups dialog box, either type the name of the user account, such as
domain1\user1 and then click OK, or click Advanced and search for the account.
7. Click OK.
8. Close the Security Policy tool.
9. Restart SQL Server to enable this setting.
To configure the audit object access setting in Windows using secpol
1. If the operating system is earlier than Windows Vista or Windows Server 2008, on the Start menu, click
Run.
2. Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.
3. In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click Audit
Policy.
4. In the results pane, double-click Audit object access.
5. On the Local Security Setting tab, in the Audit these attempts area, select both Success and Failure.
6. Click OK.
7. Close the Security Policy tool.
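As an added example that is not part of the Microsoft documentation, the SQL Server side of the procedures above: once the Windows settings are in place, a server audit whose target is the Security log is created and the engine's own view of its status is checked. The audit name is assumed.

```sql
-- Added example, not from the original documentation. Assumes the auditpol
-- and secpol steps above have been completed on the host.
USE master;
GO
-- Target the Windows Security log rather than a file. FAIL_OPERATION makes
-- audited actions fail if SQL Server cannot write the record.
CREATE SERVER AUDIT Security_Log_Audit
    TO SECURITY_LOG
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION );
GO
-- Enabling the audit is where a missing Windows configuration shows up: the
-- audit cannot start if the service account is not allowed to write the log.
ALTER SERVER AUDIT Security_Log_Audit WITH (STATE = ON);
GO
-- status_desc reports whether the audit is running. A Security log that has
-- filled up (Windows event 1104) is not visible here, as the text above notes,
-- so the Windows side still needs its own monitoring.
SELECT a.name, a.type_desc, a.on_failure_desc, a.is_state_enabled,
       s.status_desc, s.status_time
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON a.audit_id = s.audit_id
WHERE a.name = N'Security_Log_Audit';
```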
See Also
SQL Server Audit (Database Engine)