SQL Server Audit (Database Engine)

4/29/2017

THIS TOPIC APPLIES TO: SQL Server (starting with 2008), Azure SQL Database, Azure SQL Data Warehouse, Parallel Data Warehouse

Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. SQL Server Audit lets you create server audits, which can contain server audit specifications for server-level events, and database audit specifications for database-level events. Audited events can be written to the event logs or to audit files.

There are several levels of auditing for SQL Server, depending on the government or standards requirements for your installation. SQL Server Audit provides the tools and processes you need to enable, store, and view audits on various server and database objects.

You can record server audit action groups per instance, and either database audit action groups or database audit actions per database. The audit event occurs every time the auditable action is encountered.

All editions of SQL Server support server-level audits. All editions support database-level audits beginning with SQL Server 2016 SP1. Prior to that, database-level auditing was limited to the Enterprise, Developer, and Evaluation editions. For more information, see Features Supported by the Editions of SQL Server 2016.

NOTE: This topic applies to SQL Server. For SQL Database, see Get started with SQL database auditing.

SQL Server Audit Components

An audit is the combination of several elements into a single package for a specific group of server actions or database actions.
The components of SQL Server Audit combine to produce an output that is called an audit, just as a report definition combined with graphics and data elements produces a report. SQL Server Audit uses Extended Events to help create an audit. For more information about Extended Events, see Extended Events.

SQL Server Audit

The SQL Server Audit object collects a single instance of server-level or database-level actions and groups of actions to monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server instance. When you define an audit, you specify the location for the output of the results; this is the audit destination. The audit is created in a disabled state and does not automatically audit any actions. After the audit is enabled, the audit destination receives data from the audit.

Server Audit Specification

The Server Audit Specification object belongs to an audit. You can create one server audit specification per audit, because both are created at the SQL Server instance scope. The server audit specification collects many server-level action groups raised by the Extended Events feature. You can include audit action groups in a server audit specification. Audit action groups are predefined groups of actions, which are atomic events occurring in the Database Engine. These actions are sent to the audit, which records them in the target. Server-level audit action groups are described in the topic SQL Server Audit Action Groups and Actions.

Database Audit Specification

The Database Audit Specification object also belongs to a SQL Server audit. You can create one database audit specification per SQL Server database per audit. The database audit specification collects database-level audit actions raised by the Extended Events feature. You can add either audit action groups or audit events to a database audit specification. Audit events are the atomic actions that can be audited by the SQL Server engine.
Audit action groups are predefined groups of actions. Both are at the SQL Server database scope. These actions are sent to the audit, which records them in the target. Do not include server-scoped objects, such as the system views, in a user database audit specification. Database-level audit action groups and audit actions are described in the topic SQL Server Audit Action Groups and Actions.

Target

The results of an audit are sent to a target, which can be a file, the Windows Security event log, or the Windows Application event log. Logs must be reviewed and archived periodically to make sure that the target has sufficient space to write additional records.

IMPORTANT: Any authenticated user can read and write to the Windows Application event log. The Application event log requires lower permissions than the Windows Security event log and is less secure than the Windows Security event log.

Writing to the Windows Security log requires the SQL Server service account to be added to the Generate security audits policy. By default, Local System, Local Service, and Network Service are part of this policy. This setting can be configured by using the security policy snap-in (secpol.msc). Additionally, the Audit object access security policy must be enabled for both Success and Failure; this setting is also configured by using secpol.msc. In Windows Vista or Windows Server 2008, you can set the more granular "application generated" policy from the command line by using the audit policy program (AuditPol.exe). For more information about the steps to enable writing to the Windows Security log, see Write SQL Server Audit Events to the Security Log. For more information about the AuditPol.exe program, see Knowledge Base article 921469, How to use Group Policy to configure detailed security auditing. The Windows event logs are global to the Windows operating system. For more information about the Windows event logs, see Event Viewer Overview.
If you need more precise permissions on the audit, use the binary file target. When you are saving audit information to a file, to help prevent tampering, you can restrict access to the file location in the following ways:

- The SQL Server service account must have both Read and Write permission.
- Audit Administrators typically require Read and Write permission. This assumes that the Audit Administrators are Windows accounts used for administration of audit files, such as copying them to different shares, backing them up, and so on.
- Audit Readers that are authorized to read audit files must have Read permission.

Even when the Database Engine is writing to a file, other Windows users can read the audit file if they have permission. The Database Engine does not take an exclusive lock that prevents read operations.

Because the Database Engine can access the file, SQL Server logins that have CONTROL SERVER permission can use the Database Engine to access the audit files. To record any user that is reading the audit file, define an audit on master.sys.fn_get_audit_file. This records the logins with CONTROL SERVER permission that have accessed the audit file through SQL Server.

If an Audit Administrator copies the file to a different location (for archive purposes, and so on), the ACLs on the new location should be reduced to the following permissions:

- Audit Administrator: Read / Write
- Audit Reader: Read

We recommend that you generate audit reports from a separate instance of SQL Server, such as an instance of SQL Server Express, to which only Audit Administrators or Audit Readers have access. By using a separate instance of the Database Engine for reporting, you can help prevent unauthorized users from obtaining access to the audit record. You can offer additional protection against unauthorized access by encrypting the folder in which the audit file is stored by using Windows BitLocker Drive Encryption or Windows Encrypting File System.
For more information about the audit records that are written to the target, see SQL Server Audit Records.

Overview of Using SQL Server Audit

You can use SQL Server Management Studio or Transact-SQL to define an audit. After the audit is created and enabled, the target receives entries. You can read the Windows event logs by using the Event Viewer utility in Windows. For file targets, you can use either the Log File Viewer in SQL Server Management Studio or the fn_get_audit_file function to read the target file.

The general process for creating and using an audit is as follows:

1. Create an audit and define the target.
2. Create either a server audit specification or a database audit specification that maps to the audit. Enable the audit specification.
3. Enable the audit.
4. Read the audit events by using the Windows Event Viewer, the Log File Viewer, or the fn_get_audit_file function.

For more information, see Create a Server Audit and Server Audit Specification and Create a Server Audit and Database Audit Specification.

Considerations

If a failure occurs during audit initiation, the server will not start. In this case, the server can be started by using the -f option at the command line.

When an audit failure causes the server to shut down or not to start because ON_FAILURE=SHUTDOWN is specified for the audit, the MSG_AUDIT_FORCED_SHUTDOWN event is written to the log. Because the shutdown occurs on the first encounter of this setting, the event is written one time. This event is written after the failure message for the audit causing the shutdown.

An administrator can bypass audit-induced shutdowns by starting SQL Server in single-user mode using the -m flag. If you start in single-user mode, any audit where ON_FAILURE=SHUTDOWN is specified is downgraded to run in that session as ON_FAILURE=CONTINUE. When SQL Server is started by using the -m flag, the MSG_AUDIT_SHUTDOWN_BYPASSED message is written to the error log.
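The four-step procedure above, worked through in Transact-SQL as an added example (this is not code from the original topic). It also covers two points from the Target section: recording who reads the audit file through master.sys.fn_get_audit_file, and the database-level filtering that a server audit specification cannot do. The audit name, the folder D:\SQLAudit\, the SalesDB database, the dbo.Customers table, and the EmployeeRole role are assumptions for illustration.

```sql
-- Added example, not from the original page. Names and paths are assumptions.
USE master;
GO

-- Step 1: create the audit and define its target. The audit is created disabled.
-- ON_FAILURE = CONTINUE keeps the instance running if the target becomes
-- unwritable; SHUTDOWN trades availability for guaranteed capture (see Considerations).
CREATE SERVER AUDIT Audit_Security_Events
    TO FILE (
        FILEPATH = 'D:\SQLAudit\',      -- assumption: folder with the ACLs described above
        MAXSIZE = 256 MB,
        MAX_ROLLOVER_FILES = 20,
        RESERVE_DISK_SPACE = OFF
    )
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Step 2a: one server audit specification per audit. These groups record failed
-- logons, every change to the audit itself, and server role / login changes.
CREATE SERVER AUDIT SPECIFICATION Audit_Security_Events_ServerSpec
    FOR SERVER AUDIT Audit_Security_Events
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Step 2b: record every read of the audit file made through the Database Engine.
-- fn_get_audit_file lives in master, so this specification is created in master.
CREATE DATABASE AUDIT SPECIFICATION Audit_File_Readers
    FOR SERVER AUDIT Audit_Security_Events
    ADD (SELECT ON OBJECT::sys.fn_get_audit_file BY public)
    WITH (STATE = ON);
GO

-- Step 2c: detailed filtering is only possible at database level: SELECT on one
-- table by members of one role (database, table and role are assumptions).
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION Audit_Customers_Reads
    FOR SERVER AUDIT Audit_Security_Events
    ADD (SELECT ON OBJECT::dbo.Customers BY EmployeeRole)
    WITH (STATE = ON);
GO

-- Step 3: enable the audit. Until this point nothing has been written to the target.
USE master;
GO
ALTER SERVER AUDIT Audit_Security_Events WITH (STATE = ON);
GO

-- Step 4: read the events. The wildcard covers every rollover file of this audit.
SELECT  event_time,
        action_id,
        succeeded,
        server_principal_name,
        database_name,
        object_name,
        statement
FROM    sys.fn_get_audit_file('D:\SQLAudit\Audit_Security_Events*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```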
For more information about service startup options, see Database Engine Service Startup Options.

Attaching a Database with an Audit Defined

Attaching a database that has an audit specification and specifies a GUID that does not exist on the server will cause an orphaned audit specification. Because an audit with a matching GUID does not exist on the server instance, no audit events are recorded. To correct this situation, use the ALTER DATABASE AUDIT SPECIFICATION command to connect the orphaned audit specification to an existing server audit, or use the CREATE SERVER AUDIT command to create a new server audit with the specified GUID.

You can attach a database that has an audit specification defined on it to another edition of SQL Server that does not support SQL Server Audit, such as SQL Server Express, but it will not record audit events.

Database Mirroring and SQL Server Audit

A database that has a database audit specification defined and that uses database mirroring will include the database audit specification. To work correctly on the mirrored SQL Server instance, the following items must be configured:

- The mirror server must have an audit with the same GUID to enable the database audit specification to write audit records. This can be configured by using the command CREATE AUDIT WITH GUID=<GUID from source Server Audit>.
- For binary file targets, the mirror server service account must have appropriate permissions to the location where the audit trail is being written.
- For Windows event log targets, the security policy on the computer where the mirror server is located must allow the service account access to the Security or Application event log.

Auditing Administrators

Members of the sysadmin fixed server role are identified as the dbo user in each database. To audit the actions of administrators, audit the actions of the dbo user.
Creating and Managing Audits with Transact-SQL

You can use DDL statements, dynamic management views and functions, and catalog views to implement all aspects of SQL Server Audit.

Data Definition Language Statements

You can use the following DDL statements to create, alter, and drop audit specifications:

- ALTER AUTHORIZATION
- ALTER DATABASE AUDIT SPECIFICATION
- ALTER SERVER AUDIT
- ALTER SERVER AUDIT SPECIFICATION
- CREATE DATABASE AUDIT SPECIFICATION
- CREATE SERVER AUDIT
- CREATE SERVER AUDIT SPECIFICATION
- DROP DATABASE AUDIT SPECIFICATION
- DROP SERVER AUDIT
- DROP SERVER AUDIT SPECIFICATION

Dynamic Views and Functions

The following table lists the dynamic views and functions that you can use for SQL Server Audit.

DYNAMIC VIEWS AND FUNCTIONS | DESCRIPTION
sys.dm_audit_actions | Returns a row for every audit action that can be reported in the audit log and every audit action group that can be configured as part of SQL Server Audit.
sys.dm_server_audit_status | Provides information about the current state of the audit.
sys.dm_audit_class_type_map | Returns a table that maps the class_type field in the audit log to the class_desc field in sys.dm_audit_actions.
fn_get_audit_file | Returns information from an audit file created by a server audit.

Catalog Views

The following table lists the catalog views that you can use for SQL Server Audit.

CATALOG VIEWS | DESCRIPTION
sys.database_audit_specifications | Contains information about the database audit specifications in a SQL Server audit on a server instance.
sys.database_audit_specification_details | Contains information about the database audit specifications in a SQL Server audit on a server instance for all databases.
sys.server_audits | Contains one row for each SQL Server audit in a server instance.
sys.server_audit_specifications | Contains information about the server audit specifications in a SQL Server audit on a server instance.
sys.server_audit_specifications_details | Contains information about the server audit specification details (actions) in a SQL Server audit on a server instance.
sys.server_file_audits | Contains extended information about the file audit type in a SQL Server audit on a server instance.

Permissions

Each feature and command for SQL Server Audit has individual permission requirements.

- To create, alter, or drop a server audit or server audit specification, server principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission.
- To create, alter, or drop a database audit specification, database principals require the ALTER ANY DATABASE AUDIT permission or the ALTER or CONTROL permission on the database. In addition, principals must have permission to connect to the database, or the ALTER ANY SERVER AUDIT or CONTROL SERVER permission.
- The VIEW ANY DEFINITION permission provides access to view the server-level audit views, and VIEW DEFINITION provides access to view the database-level audit views. Denial of these permissions overrides the ability to view the catalog views, even if the principal has the ALTER ANY SERVER AUDIT or ALTER ANY DATABASE AUDIT permission.

For more information about how to grant rights and permissions, see GRANT (Transact-SQL).

CAUTION: Principals in the sysadmin role can tamper with any audit component, and those in the db_owner role can tamper with audit specifications in a database. SQL Server Audit validates that a logon that creates or alters an audit specification has at least the ALTER ANY DATABASE AUDIT permission. However, it does no validation when you attach a database. You should assume that all database audit specifications are only as trustworthy as the principals in the sysadmin or db_owner role.
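An added example (not code from the original topic) that ties together the catalog views, DMVs and permissions just listed with the orphaned-specification problem from the Attaching a Database and Database Mirroring sections: it checks the caller's audit permissions, lists every server audit with its live status and failure behaviour, finds database audit specifications whose GUID matches no server audit, and shows both repairs. The AUDIT_GUID option of CREATE SERVER AUDIT is the documented way to create an audit with a given GUID; the audit, database and specification names are assumptions, and the GUID value is a placeholder.

```sql
-- Added example, not from the original page. Object names are assumptions.
USE master;
GO

-- 0. Does the current login hold the server-level permissions the Permissions
--    section requires for managing audits? (1 = yes, 0 = no)
SELECT  HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY SERVER AUDIT') AS can_alter_any_server_audit,
        HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')        AS has_control_server;

-- 1. Every server audit with its target type, failure behaviour and live status.
--    Audits with ON_FAILURE = SHUTDOWN deserve a second look: a target failure
--    takes the instance down (see Considerations).
SELECT  a.name,
        a.audit_guid,
        a.type_desc,
        a.on_failure_desc,
        a.is_state_enabled,
        s.status_desc,
        s.status_time,
        s.audit_file_path,
        s.audit_file_size
FROM    sys.server_audits          AS a
JOIN    sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
ORDER BY a.name;

-- 2. Orphaned database audit specifications. sys.database_audit_specifications
--    is per database, so the same check is run in every online database. Any row
--    returned is a specification whose audit_guid matches no server audit and
--    which therefore records nothing.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS database_name, das.name AS specification_name,
       das.audit_guid, das.is_state_enabled
FROM   sys.database_audit_specifications AS das
WHERE  NOT EXISTS (SELECT 1 FROM master.sys.server_audits AS sa
                   WHERE sa.audit_guid = das.audit_guid);' + NCHAR(10)
FROM   sys.databases
WHERE  state_desc = 'ONLINE';
EXEC sys.sp_executesql @sql;
GO

-- 3a. Repair, option 1: create the missing server audit with the GUID the
--     orphaned specification expects (the same step a mirror partner needs).
--     The GUID below is a placeholder for the value read from sys.server_audits
--     on the source or principal server.
CREATE SERVER AUDIT Audit_Security_Events
    TO FILE (FILEPATH = 'D:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE,
          AUDIT_GUID = '00000000-0000-0000-0000-000000000000');
ALTER SERVER AUDIT Audit_Security_Events WITH (STATE = ON);
GO

-- 3b. Repair, option 2: re-point the orphaned specification at an audit that
--     already exists. A specification must be OFF before it can be altered.
USE SalesDB;
GO
ALTER DATABASE AUDIT SPECIFICATION Audit_Customers_Reads WITH (STATE = OFF);
ALTER DATABASE AUDIT SPECIFICATION Audit_Customers_Reads
    FOR SERVER AUDIT Audit_Security_Events;
ALTER DATABASE AUDIT SPECIFICATION Audit_Customers_Reads WITH (STATE = ON);
GO
```

Options 3a and 3b are alternatives: use 3a when the expected audit does not exist on the instance, 3b when an existing audit should take over the specification.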
Related Tasks

- Create a Server Audit and Server Audit Specification
- Create a Server Audit and Database Audit Specification
- View a SQL Server Audit Log
- Write SQL Server Audit Events to the Security Log

Topics Closely Related to Auditing

- Server Properties (Security Page): Explains how to turn on login auditing for SQL Server. The audit records are stored in the Windows application log.
- c2 audit mode Server Configuration Option: Explains the C2 security compliance auditing mode in SQL Server.
- Security Audit Event Category (SQL Server Profiler): Explains the audit events you can use in SQL Server Profiler. For more information, see SQL Server Profiler.
- SQL Trace: Explains how SQL Trace can be used from within your own applications to create traces manually, instead of using SQL Server Profiler.
- DDL Triggers: Explains how you can use Data Definition Language (DDL) triggers to track changes to your databases.
- Microsoft TechNet: SQL Server TechCenter: SQL Server 2005 Security and Protection: Provides up-to-date information about SQL Server security.

See Also

- SQL Server Audit Action Groups and Actions
- SQL Server Audit Records

SQL Server Audit Action Groups and Actions

3/24/2017

The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. For more information, see SQL Server Audit (Database Engine).

SQL Server audits consist of zero or more audit action items. These audit action items can be either a group of actions, such as Server_Object_Change_Group, or individual actions, such as SELECT operations on a table.

NOTE: Server_Object_Change_Group includes CREATE, ALTER, and DROP for any server object (Database or Endpoint).

Audits can have the following categories of actions:

- Server-level. These actions include server operations, such as management changes and logon and logoff operations.
- Database-level. These actions encompass data manipulation language (DML) and data definition language (DDL) operations.
- Audit-level. These actions include actions in the auditing process.

Some actions performed on SQL Server auditing components are intrinsically audited in a specific audit; in these cases audit events occur automatically because the event occurred on the parent object. The following actions are intrinsically audited:

- Server Audit State Change (setting State to ON or OFF)

The following events are not intrinsically audited:

- CREATE SERVER AUDIT SPECIFICATION
- ALTER SERVER AUDIT SPECIFICATION
- DROP SERVER AUDIT SPECIFICATION
- CREATE DATABASE AUDIT SPECIFICATION
- ALTER DATABASE AUDIT SPECIFICATION
- DROP DATABASE AUDIT SPECIFICATION

All audits are disabled when initially created.

Server-Level Audit Action Groups

Server-level audit action groups are actions similar to SQL Server security audit event classes. For more information, see SQL Server Event Class Reference. The following table describes the server-level audit action groups and provides the equivalent SQL Server Event Class where applicable.

ACTION GROUP NAME | DESCRIPTION
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP | This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class.
AUDIT_CHANGE_GROUP | This event is raised whenever any audit is created, modified, or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class.
BACKUP_RESTORE_GROUP | This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup and Restore Event Class.
BROKER_LOGIN_GROUP | This event is raised to report audit messages related to Service Broker transport security. Equivalent to the Audit Broker Login Event Class.
DATABASE_CHANGE_GROUP | This event is raised when a database is created, altered, or dropped. This event is raised whenever any database is created, altered, or dropped. Equivalent to the Audit Database Management Event Class.
DATABASE_LOGOUT_GROUP | This event is raised when a contained database user logs out of a database. Equivalent to the Audit Database Logout Event Class.
DATABASE_MIRRORING_LOGIN_GROUP | This event is raised to report audit messages related to database mirroring transport security. Equivalent to the Audit Database Mirroring Login Event Class.
DATABASE_OBJECT_ACCESS_GROUP | This event is raised whenever database objects such as message types, assemblies, and contracts are accessed. This event is raised for any access to any database. Note: This could potentially lead to large audit records. Equivalent to the Audit Database Object Access Event Class.
DATABASE_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. This event is raised whenever any database object is created, altered, or dropped. Note: This could lead to very large quantities of audit records. Equivalent to the Audit Database Object Management Event Class.
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when a change of owner for objects within database scope occurs. This event is raised for any object ownership change in any database on the server. Equivalent to the Audit Database Object Take Ownership Event Class.
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. This event is raised for any object permission change for any database on the server. Equivalent to the Audit Database Object GDR Event Class.
DATABASE_OPERATION_GROUP | This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. This event is raised on any database operation on any database. Equivalent to the Audit Database Operation Event Class.
DATABASE_OWNERSHIP_CHANGE_GROUP | This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. This event is raised for any database ownership change on any database on the server. Equivalent to the Audit Change Database Owner Event Class.
DATABASE_PERMISSION_CHANGE_GROUP | This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any principal in SQL Server (this applies to database-only events, such as granting permissions on a database). This event is raised for any database permission change (GDR) for any database in the server. Equivalent to the Audit Database Scope GDR Event Class.
DATABASE_PRINCIPAL_CHANGE_GROUP | This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. (Also equivalent to the Audit Add DB Principal Event Class, which occurs on the deprecated sp_grantdbaccess, sp_revokedbaccess, sp_addPrincipal, and sp_dropPrincipal stored procedures.) This event is raised whenever a database role is added or removed by using the sp_addrole and sp_droprole stored procedures. This event is raised whenever any database principals are created, altered, or dropped from any database. Equivalent to the Audit Add Role Event Class.
DATABASE_PRINCIPAL_IMPERSONATION_GROUP | This event is raised when there is an impersonation operation in the database scope, such as EXECUTE AS <principal> or SETPRINCIPAL. This event is raised for impersonations done in any database. Equivalent to the Audit Database Principal Impersonation Event Class.
DATABASE_ROLE_MEMBER_CHANGE_GROUP | This event is raised whenever a login is added to or removed from a database role. This event class is raised for the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures. This event is raised on any database role member change in any database. Equivalent to the Audit Add Member to DB Role Event Class.
DBCC_GROUP | This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class.
FAILED_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class.
FAILED_LOGIN_GROUP | Indicates that a principal tried to log on to SQL Server and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class.
FULLTEXT_GROUP | Indicates that a full-text event occurred. Equivalent to the Audit Fulltext Event Class.
LOGIN_CHANGE_PASSWORD_GROUP | This event is raised whenever a login password is changed by way of the ALTER LOGIN statement or the sp_password stored procedure. Equivalent to the Audit Login Change Password Event Class.
LOGOUT_GROUP | Indicates that a principal has logged out of SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Logout Event Class.
SCHEMA_OBJECT_ACCESS_GROUP | This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class.
SCHEMA_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class. This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. This event is raised whenever any schema of any database changes. Equivalent to the Audit Statement Permission Event Class.
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when the permission to change the owner of a schema object (such as a table, procedure, or function) is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object. This event is raised for any schema ownership change for any database on the server. Equivalent to the Audit Schema Object Take Ownership Event Class.
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised whenever a grant, deny, or revoke is performed against a schema object. Equivalent to the Audit Schema Object GDR Event Class.
SERVER_OBJECT_CHANGE_GROUP | This event is raised for CREATE, ALTER, or DROP operations on server objects. Equivalent to the Audit Server Object Management Event Class.
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when the owner is changed for objects in server scope. Equivalent to the Audit Server Object Take Ownership Event Class.
SERVER_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised whenever a GRANT, REVOKE, or DENY is issued for a server object permission by any principal in SQL Server. Equivalent to the Audit Server Object GDR Event Class.
SERVER_OPERATION_GROUP | This event is raised when Security Audit operations such as altering settings, resources, external access, or authorization are used. Equivalent to the Audit Server Operation Event Class.
SERVER_PERMISSION_CHANGE_GROUP | This event is raised when a GRANT, REVOKE, or DENY is issued for permissions in the server scope, such as creating a login. Equivalent to the Audit Server Scope GDR Event Class.
SERVER_PRINCIPAL_CHANGE_GROUP | This event is raised when server principals are created, altered, or dropped. Equivalent to the Audit Server Principal Management Event Class. This event is raised when a principal issues the sp_defaultdb or sp_defaultlanguage stored procedures or ALTER LOGIN statements. Equivalent to the Audit Addlogin Event Class. This event is raised on the sp_addlogin and sp_droplogin stored procedures. Also equivalent to the Audit Login Change Property Event Class. This event is raised for the sp_grantlogin or sp_revokelogin stored procedures. Equivalent to the Audit Login GDR Event Class.
SERVER_PRINCIPAL_IMPERSONATION_GROUP | This event is raised when there is an impersonation within server scope, such as EXECUTE AS <login>. Equivalent to the Audit Server Principal Impersonation Event Class.
SERVER_ROLE_MEMBER_CHANGE_GROUP | This event is raised whenever a login is added to or removed from a fixed server role. This event is raised for the sp_addsrvrolemember and sp_dropsrvrolemember stored procedures. Equivalent to the Audit Add Login to Server Role Event Class.
SERVER_STATE_CHANGE_GROUP | This event is raised when the SQL Server service state is modified. Equivalent to the Audit Server Starts and Stops Event Class.
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal successfully logged in to a contained database. Equivalent to the Audit Successful Database Authentication Event Class.
SUCCESSFUL_LOGIN_GROUP | Indicates that a principal has successfully logged in to SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Event Class.
TRACE_CHANGE_GROUP | This event is raised for all statements that check for the ALTER TRACE permission. Equivalent to the Audit Server Alter Trace Event Class.
TRANSACTION_GROUP | This event is raised for BEGIN TRANSACTION, ROLLBACK TRANSACTION, and COMMIT TRANSACTION operations, both for explicit calls to those statements and for implicit transaction operations. This event is also raised for UNDO operations for individual statements caused by the rollback of a transaction.
USER_CHANGE_PASSWORD_GROUP | This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement.
USER_DEFINED_AUDIT_GROUP | This group monitors events raised by using sp_audit_write (Transact-SQL). Typically, triggers or stored procedures include calls to sp_audit_write to enable auditing of important events.

Considerations

Server-level action groups cover actions across a SQL Server instance. For example, any schema object access check in any database is recorded if the appropriate action group is added to a server audit specification. In a database audit specification, only schema object accesses in that database are recorded. Server-level actions do not allow for detailed filtering on database-level actions. A database-level audit, such as an audit of SELECT actions on the Customers table for logins in the Employee group, is required to implement detailed action filtering. Do not include server-scoped objects, such as the system views, in a user database audit specification.

Database-Level Audit Action Groups

Database-level audit action groups are actions similar to SQL Server security audit event classes. For more information about event classes, see SQL Server Event Class Reference. The following table describes the database-level audit action groups and provides their equivalent SQL Server Event Class where applicable.

ACTION GROUP NAME | DESCRIPTION
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP | This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class.
AUDIT_CHANGE_GROUP | This event is raised whenever any audit is created, modified, or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class.
BACKUP_RESTORE_GROUP | This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup and Restore Event Class.
DATABASE_CHANGE_GROUP | This event is raised when a database is created, altered, or dropped. Equivalent to the Audit Database Management Event Class.
DATABASE_LOGOUT_GROUP | This event is raised when a contained database user logs out of a database. Equivalent to the Audit Backup and Restore Event Class.
DATABASE_OBJECT_ACCESS_GROUP | This event is raised whenever database objects such as certificates and asymmetric keys are accessed. Equivalent to the Audit Database Object Access Event Class.
DATABASE_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. Equivalent to the Audit Database Object Management Event Class.
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when a change of owner for objects within database scope occurs. Equivalent to the Audit Database Object Take Ownership Event Class.
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. Equivalent to the Audit Database Object GDR Event Class.
DATABASE_OPERATION_GROUP | This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. Equivalent to the Audit Database Operation Event Class.
DATABASE_OWNERSHIP_CHANGE_GROUP | This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. Equivalent to the Audit Change Database Owner Event Class.
DATABASE_PERMISSION_CHANGE_GROUP | This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any user in SQL Server for database-only events, such as granting permissions on a database. Equivalent to the Audit Database Scope GDR Event Class.
DATABASE_PRINCIPAL_CHANGE_GROUP | This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. Also equivalent to the Audit Add DB User Event Class, which occurs on the deprecated sp_grantdbaccess, sp_revokedbaccess, sp_adduser, and sp_dropuser stored procedures. This event is raised whenever a database role is added or removed using the deprecated sp_addrole and sp_droprole stored procedures. Equivalent to the Audit Add Role Event Class.
DATABASE_PRINCIPAL_IMPERSONATION_GROUP | This event is raised when there is an impersonation within database scope, such as EXECUTE AS <user>. Equivalent to the Audit Database Principal Impersonation Event Class.
DATABASE_ROLE_MEMBER_CHANGE_GROUP | This event is raised whenever a login is added to or removed from a database role. This event class is used with the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures. Equivalent to the Audit Add Member to DB Role Event Class.
DBCC_GROUP | This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class.
FAILED_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. This event is raised.
SCHEMA_OBJECT_ACCESS_GROUP | This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class.
SCHEMA_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class. This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. Also equivalent to the Audit Statement Permission Event Class.
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when the permission to change the owner of a schema object, such as a table, procedure, or function, is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object.
Equivalent to the Audit Schema Object Take Ownership Event Class. SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP This event is raised whenever a grant, deny, or revoke is issued for a schema object. Equivalent to the Audit Schema Object GDR Event Class. SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP Indicates that a principal successfully logged in to a contained database. Equivalent to the Audit Successful Database Authentication Event Class. USER_CHANGE_PASSWORD_GROUP This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement. USER_DEFINED_AUDIT_GROUP This group monitors events raised by using sp_audit_write (Transact-SQL). Database-Level Audit Actions Database-level actions support the auditing of specific actions directly on database schema and schema objects, such as Tables, Views, Stored Procedures, Functions, Extended Stored Procedures, Queues, Synonyms. Types, XML Schema Collection, Database, and Schema are not audited. The audit of schema objects may be configured on Schema and Database, which means that events on all schema objects contained by the specified schema or database will be audited. The following table describes database-level audit actions. ACTION DESCRIPTION SELECT This event is raised whenever a SELECT is issued. UPDATE This event is raised whenever an UPDATE is issued. INSERT This event is raised whenever an INSERT is issued. DELETE This event is raised whenever a DELETE is issued. EXECUTE This event is raised whenever an EXECUTE is issued. RECEIVE This event is raised whenever a RECEIVE is issued. REFERENCES This event is raised whenever a REFERENCES permission is checked. Considerations Database-level audit actions do not apply to Columns. When the query processor parameterizes the query, the parameter can appear in the audit event log instead of the column values of the query. RPC statements are not logged. Audit-Level Audit Action Groups You can also audit the actions in the auditing process. 
This can be in the server scope or the database scope. In the database scope, it only occurs for database audit specifications.

The following table describes audit-level audit action groups.

| Action group name | Description |
| --- | --- |
| AUDIT_CHANGE_GROUP | This event is raised whenever one of the following commands is issued: CREATE SERVER AUDIT, ALTER SERVER AUDIT, DROP SERVER AUDIT, CREATE SERVER AUDIT SPECIFICATION, ALTER SERVER AUDIT SPECIFICATION, DROP SERVER AUDIT SPECIFICATION, CREATE DATABASE AUDIT SPECIFICATION, ALTER DATABASE AUDIT SPECIFICATION, DROP DATABASE AUDIT SPECIFICATION. |

## Related Content

- Create a Server Audit and Server Audit Specification
- Create a Server Audit and Database Audit Specification
- CREATE SERVER AUDIT (Transact-SQL)
- ALTER SERVER AUDIT (Transact-SQL)
- DROP SERVER AUDIT (Transact-SQL)
- CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)
- ALTER SERVER AUDIT SPECIFICATION (Transact-SQL)
- DROP SERVER AUDIT SPECIFICATION (Transact-SQL)
- CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)
- ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL)
- DROP DATABASE AUDIT SPECIFICATION (Transact-SQL)
- ALTER AUTHORIZATION (Transact-SQL)
- sys.fn_get_audit_file (Transact-SQL)
- sys.server_audits (Transact-SQL)
- sys.server_file_audits (Transact-SQL)
- sys.server_audit_specifications (Transact-SQL)
- sys.server_audit_specification_details (Transact-SQL)
- sys.database_audit_specifications (Transact-SQL)
- sys.database_audit_specification_details (Transact-SQL)
- sys.dm_server_audit_status (Transact-SQL)
- sys.dm_audit_actions (Transact-SQL)
- sys.dm_audit_class_type_map (Transact-SQL)

# SQL Server Audit Records

3/24/2017

The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. For more information, see SQL Server Audit (Database Engine). Audits consist of zero or more audit action items, which are recorded to an audit target.
The audit target can be a binary file, the Windows Application event log or the Windows Security event log. The records sent to the target can contain the elements described in the following table.

| Column name | Description | Type | Always available |
| --- | --- | --- | --- |
| event_time | Date/time when the auditable action is fired. | datetime2 | Yes |
| sequence_no | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. | int | Yes |
| action_id | ID of the action. Tip: To use action_id as a predicate it must be converted from a character string to a numeric value. For more information, see Filter SQL Server Audit on action_id / class_type predicate. | varchar(4) | Yes |
| succeeded | Indicates if the action that triggered the event succeeded. | bit – 1 = Success, 0 = Fail | Yes |
| permission_bitmask | When applicable, shows the permissions that were granted, denied, or revoked. | bigint | No |
| is_column_permission | Flag indicating a column level permission. | bit – 1 = True, 0 = False | No |
| session_id | ID of the session on which the event occurred. | int | Yes |
| server_principal_id | ID of the login context that the action is performed in. | int | Yes |
| database_principal_id | ID of the database user context that the action is performed in. | int | No |
| object_id | The primary ID of the entity on which the audit occurred. This includes: server objects, databases, database objects, schema objects. | int | No |
| target_server_principal_id | Server principal that the auditable action applies to. | int | Yes |
| target_database_principal_id | Database principal that the auditable action applies to. | int | No |
| class_type | Type of auditable entity that the audit occurs on. | varchar(2) | Yes |
| session_server_principal_name | Server principal for the session. | sysname | Yes |
| server_principal_name | Current login. | sysname | Yes |
| server_principal_sid | Current login SID. | varbinary | Yes |
| database_principal_name | Current user. | sysname | No |
| target_server_principal_name | Target login of the action. | sysname | No |
| target_server_principal_sid | SID of the target login. | varbinary | No |
| target_database_principal_name | Target user of the action. | sysname | No |
| server_instance_name | Name of the server instance where the audit occurred. Uses the standard `machine\instance` format. | nvarchar(120) | Yes |
| database_name | The database context in which the action occurred. | sysname | No |
| schema_name | The schema context in which the action occurred. | sysname | No |
| object_name | The name of the entity on which the audit occurred. This includes: server objects, databases, database objects, schema objects, TSQL statement (if any). | sysname | No |
| statement | TSQL statement (if any). | nvarchar(4000) | No |
| additional_information | Any additional information about the event, stored as XML. | nvarchar(4000) | No |

## Remarks

Some actions do not populate a column's value because it might be non-applicable to the action.

SQL Server Audit stores 4000 characters of data for character fields in an audit record. When the additional_information and statement values returned from an auditable action return more than 4000 characters, the sequence_no column is used to write multiple records into the audit report for a single audit action to record this data. The process is as follows:

1. The statement column is divided into 4000-character pieces.
2. SQL Server Audit writes the first row for the audit record with the partial data. All the other fields are duplicated in each row.
3. The sequence_no value is incremented.
4. This process is repeated until all the data is recorded.

You can connect the data by reading the rows sequentially using the sequence_no value, and the event_time, action_id and session_id columns to identify the action.
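Reading the audit file directly with sys.fn_get_audit_file (the route the View topic later on this page suggests for automated monitoring) and stitching the 4000-character fragments back together by sequence_no, as an added example that is not part of the original documentation. It identifies an action by event_time, action_id and session_id as the Remarks describe; the file pattern reuses the `\\SQLPROD_1\Audit\` path from the example later on this page and is a placeholder.

```sql
-- Added example: reassemble audit records that were split across several rows
-- (sequence_no 1, 2, ...) because statement exceeded 4000 characters.
-- Assumption: audit files are written under \\SQLPROD_1\Audit\ (placeholder path).
WITH audit_rows AS (
    SELECT event_time,
           action_id,
           session_id,
           sequence_no,
           server_principal_name,
           database_name,
           schema_name,
           object_name,
           succeeded,
           statement
    FROM sys.fn_get_audit_file('\\SQLPROD_1\Audit\*.sqlaudit', DEFAULT, DEFAULT)
),
-- One row per audited action. Every column other than sequence_no and statement
-- is duplicated in each fragment, so grouping on them is safe.
actions AS (
    SELECT event_time, action_id, session_id,
           server_principal_name, database_name, schema_name, object_name, succeeded,
           COUNT(*) AS fragment_count
    FROM audit_rows
    GROUP BY event_time, action_id, session_id,
             server_principal_name, database_name, schema_name, object_name, succeeded
)
SELECT a.event_time,
       a.action_id,
       a.session_id,
       a.server_principal_name,
       a.database_name,
       a.schema_name,
       a.object_name,
       a.succeeded,
       a.fragment_count,
       -- Concatenate the fragments in sequence_no order. FOR XML PATH with TYPE
       -- is used rather than STRING_AGG so the query also runs on SQL Server 2016,
       -- and .value() un-escapes any XML-special characters in the statement text.
       (SELECT r.statement AS [text()]
        FROM audit_rows AS r
        WHERE r.event_time = a.event_time
          AND r.action_id  = a.action_id
          AND r.session_id = a.session_id
        ORDER BY r.sequence_no
        FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)') AS full_statement
FROM actions AS a
WHERE a.succeeded = 0          -- a monitoring job would typically start from failed actions
ORDER BY a.event_time DESC;
```

Drop the `WHERE a.succeeded = 0` line to reassemble every record; fragment_count greater than 1 marks the actions that were actually split.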
# Create a Server Audit and Server Audit Specification

3/24/2017

This topic describes how to create a server audit and server audit specification in SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

Auditing an instance of SQL Server or a SQL Server database involves tracking and logging events that occur on the system. The SQL Server Audit object collects a single instance of server- or database-level actions and groups of actions to monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server instance. The Server Audit Specification object belongs to an audit. You can create one server audit specification per audit, because both are created at the SQL Server instance scope. For more information, see SQL Server Audit (Database Engine).
## In This Topic

- Before you begin: Limitations and Restrictions; Security
- To create a server audit and server audit specification, using: SQL Server Management Studio; Transact-SQL

## Before You Begin

### Limitations and Restrictions

- An audit must exist before creating a server audit specification for it.
- When a server audit specification is created, it is in a disabled state.
- The CREATE SERVER AUDIT statement is in a transaction's scope. If the transaction is rolled back, the statement is also rolled back.

### Security

Permissions

To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission. Users with the ALTER ANY SERVER AUDIT permission can create server audit specifications and bind them to any audit. After a server audit specification is created, it can be viewed by principals with the CONTROL SERVER or ALTER ANY SERVER AUDIT permissions, the sysadmin account, or principals having explicit access to the audit.

## Using SQL Server Management Studio

### To create a server audit

1. In Object Explorer, expand the Security folder.
2. Right-click the Audits folder and select New Audit…. The following options are available on the General page of the Create Audit dialog box.

   - **Audit name** The name of the audit. This is generated automatically when you create a new audit but is editable.
   - **Queue delay (in milliseconds)** Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. A value of 0 indicates synchronous delivery. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647 (2,147,483.647 seconds, or 24 days, 20 hours, 31 minutes, 23.647 seconds).
   - **On Audit Log Failure: Continue** SQL Server operations continue. Audit records are not retained. The audit continues to attempt to log events and will resume if the failure condition is resolved. Selecting the Continue option can allow unaudited activity which could violate your security policies. Select this option when continuing operation of the Database Engine is more important than maintaining a complete audit. This is the default selection.
   - **Shut down server** Forces a server shut down when the server instance writing to the target cannot write data to the audit target. The login issuing this must have the SHUTDOWN permission. If the login does not have this permission, this function will fail and an error message will be raised. No audited events occur. Select this option when an audit failure could compromise the security or integrity of the system.
   - **Fail operation** In cases where SQL Server Audit cannot write to the audit log, this option causes database actions to fail if they would otherwise cause audited events. No audited events occur. Actions which do not cause audited events can continue. The audit continues to attempt to log events and will resume if the failure condition is resolved. Select this option when maintaining a complete audit is more important than full access to the Database Engine.

   IMPORTANT: When the audit is in a failed state, the Dedicated Administrator Connection can continue to perform audited events.

   - **Audit destination** list Specifies the target for auditing data. The available options are a binary file, the Windows Application log, or the Windows Security log. SQL Server cannot write to the Windows Security log without configuring additional settings in Windows. For more information, see Write SQL Server Audit Events to the Security Log.
   - **File path** Specifies the location of the folder where audit data is written when the Audit destination is a file.
   - **Ellipsis (…)** Opens the Locate Folder – server_name dialog box to specify a file path or create a folder where the audit file is written.
   - **Audit File Maximum Limit: Maximum rollover files** Specifies that, when the maximum number of audit files is reached, the oldest audit files are overwritten by new file content.
   - **Maximum files** Specifies that, when the maximum number of audit files is reached, any action that causes additional audit events to be generated will fail with an error.
   - **Unlimited check box** When the Unlimited check box under Maximum rollover files is selected, there is no limit imposed on the number of audit files that will be created. The Unlimited check box is selected by default and applies to both the Maximum rollover files and Maximum files selections.
   - **Number of files box** Specifies the number of audit files to be created, up to 2,147,483,647. This option is only available if Unlimited is unchecked.
   - **Maximum file size** Specifies the maximum size for an audit file in either megabytes (MB), gigabytes (GB), or terabytes (TB). You can specify between 1024 MB and 2,147,483,647 TB. Selecting the Unlimited check box does not place a limit on the size of the file. Specifying a value lower than 1024 MB will fail, returning an error. The Unlimited check box is selected by default.
   - **Reserve disk space check box** Specifies that space is pre-allocated on the disk equal to the specified maximum file size. This setting can only be used if the Unlimited check box under Maximum file size is not selected. This check box is not selected by default.
3. Optionally, on the Filter page, enter a predicate, or WHERE clause, for the server audit to specify additional options not available from the General page. Enclose the predicate in parentheses; for example: `(object_name = 'EmployeesTable')`.
4. When you are finished selecting options, click OK.

### To create a server audit specification

1. In Object Explorer, click the plus sign to expand the Security folder.
2. Right-click the Server Audit Specifications folder and select New Server Audit Specification…. The following options are available on the Create Server Audit Specification dialog box.

   - **Name** The name of the server audit specification. This is generated automatically when you create a new server audit specification but is editable.
   - **Audit** The name of an existing server audit. Either type in the name of the audit or select it from the list.
   - **Audit Action Type** Specifies the server-level audit action groups and audit actions to capture. For the list of server-level audit action groups and audit actions and a description of the events they contain, see SQL Server Audit Action Groups and Actions.
   - **Object Schema** Displays the schema for the specified Object Name.
   - **Object Name** The name of the object to audit. This is only available for audit actions; it does not apply to audit groups.
   - **Ellipsis (…)** Opens the Select Objects dialog to browse for and select an available object, based on the specified Audit Action Type.
   - **Principal Name** The account to filter the audit by for the object being audited.
   - **Ellipsis (…)** Opens the Select Objects dialog to browse for and select an available object, based on the specified Object Name.
3. When you are finished, click OK.

## Using Transact-SQL

### To create a server audit

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

```sql
-- Creates a server audit called "HIPAA_Audit" with a binary file as the target and no options.
CREATE SERVER AUDIT HIPAA_Audit
    TO FILE ( FILEPATH = '\\SQLPROD_1\Audit\' );
```

### To create a server audit specification

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

```sql
/* Creates a server audit specification called "HIPAA_Audit_Specification"
   that audits failed logins for the SQL Server audit "HIPAA_Audit" created above. */
CREATE SERVER AUDIT SPECIFICATION HIPAA_Audit_Specification
FOR SERVER AUDIT HIPAA_Audit
    ADD (FAILED_LOGIN_GROUP);
GO
-- Enables the audit.
ALTER SERVER AUDIT HIPAA_Audit
WITH (STATE = ON);
GO
```

For more information, see CREATE SERVER AUDIT (Transact-SQL) and CREATE SERVER AUDIT SPECIFICATION (Transact-SQL).

# Create a Server Audit and Database Audit Specification

3/24/2017

This topic describes how to create a server audit and database audit specification in SQL Server 2016 by using SQL Server Management Studio or Transact-SQL.

Auditing an instance of SQL Server or a SQL Server database involves tracking and logging events that occur on the system. The SQL Server Audit object collects a single instance of server- or database-level actions and groups of actions to monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server instance. The Database-Level Audit Specification object belongs to an audit. You can create one database audit specification per SQL Server database per audit. For more information, see SQL Server Audit (Database Engine).

## In This Topic

- Before you begin: Limitations and Restrictions; Security
- To create a server audit and database audit specification, using: SQL Server Management Studio; Transact-SQL

## Before You Begin

### Limitations and Restrictions

- Database audit specifications are non-securable objects that reside in a given database.
- When a database audit specification is created, it is in a disabled state.
- When you are creating or modifying a database audit specification in a user database, do not include audit actions on server-scope objects, such as the system views. If server-scoped objects are included, the audit will be created. However, the server-scoped objects will not be included, and no error will be returned. To audit server-scope objects, use a database audit specification in the master database.
- Database audit specifications reside in the database where they are created, with the exception of the tempdb system database.
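As an added example that is not part of the original documentation, the following script builds the same objects from Transact-SQL: a server audit whose clauses map one-to-one onto the Create Audit dialog options described above (queue delay, on-failure behaviour, rollover files, maximum file size, reserved disk space, and a Filter-page predicate), then a database audit specification that uses the schema-scoped database-level actions and action groups from the tables earlier on this page, including USER_DEFINED_AUDIT_GROUP fed by sp_audit_write from a stored procedure. The object names, the file path, the database filter and the procedure in AdventureWorks2012 are assumptions.

```sql
USE master;
GO
-- Added example: server audit with the options the Create Audit dialog exposes.
-- Sensitive_Data_Audit and the D:\SQLAudit\ path are placeholders.
CREATE SERVER AUDIT Sensitive_Data_Audit
TO FILE
(   FILEPATH = 'D:\SQLAudit\',         -- "File path"
    MAXSIZE = 1024 MB,                 -- "Maximum file size" (1024 MB is the smallest accepted value)
    MAX_ROLLOVER_FILES = 50,           -- "Maximum rollover files": the oldest file is overwritten
    RESERVE_DISK_SPACE = ON            -- "Reserve disk space": MAXSIZE is pre-allocated per file
)
WITH
(   QUEUE_DELAY = 1000,                -- "Queue delay": records may wait up to 1 s before being flushed
    ON_FAILURE = FAIL_OPERATION        -- "Fail operation": audited actions fail if the log cannot be written
)
-- "Filter" page predicate: keep only events raised in the protected database.
WHERE database_name = 'AdventureWorks2012';
GO
ALTER SERVER AUDIT Sensitive_Data_Audit WITH (STATE = ON);
GO

USE AdventureWorks2012;
GO
-- Database audit specification using database-level actions and action groups.
CREATE DATABASE AUDIT SPECIFICATION Audit_HR_Schema
FOR SERVER AUDIT Sensitive_Data_Audit
    -- Actions scoped to a whole schema: every table, view and procedure in
    -- HumanResources is covered, for every database principal (public).
    ADD (SELECT, UPDATE, DELETE ON SCHEMA::HumanResources BY public),
    -- Action groups: role membership changes and application-raised events.
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO

-- A procedure that records its own event through sp_audit_write. The row only
-- reaches the audit while USER_DEFINED_AUDIT_GROUP is in an enabled specification.
CREATE PROCEDURE dbo.usp_ExportPayHistory   -- placeholder procedure
    @BusinessEntityID int
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @info nvarchar(4000) =
        N'Pay history exported for BusinessEntityID ' + CAST(@BusinessEntityID AS nvarchar(10));

    SELECT RateChangeDate, Rate, PayFrequency
    FROM HumanResources.EmployeePayHistory
    WHERE BusinessEntityID = @BusinessEntityID;

    -- user_defined_event_id is an application-chosen smallint (1001 is a placeholder);
    -- the text lands in the record's additional_information column.
    EXEC sys.sp_audit_write @user_defined_event_id = 1001,
                            @succeeded = 1,
                            @user_defined_information = @info;
END;
GO
```

Because the audit uses FAIL_OPERATION, a SELECT against HumanResources fails while the audit file cannot be written; with CONTINUE it would succeed unrecorded, which is the trade-off the option descriptions above spell out.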
### Security

Permissions

Users with the ALTER ANY DATABASE AUDIT permission can create database audit specifications and bind them to any audit. After a database audit specification is created, it can be viewed by principals with the CONTROL SERVER or ALTER ANY DATABASE AUDIT permissions, or the sysadmin account.

## Using SQL Server Management Studio

### To create a server audit

1. In Object Explorer, expand the Security folder.
2. Right-click the Audits folder and select New Audit…. For more information, see Create a Server Audit and Server Audit Specification.
3. When you are finished selecting options, click OK.

### To create a database-level audit specification

1. In Object Explorer, expand the database where you want to create an audit specification.
2. Expand the Security folder.
3. Right-click the Database Audit Specifications folder and select New Database Audit Specification…. The following options are available on the Create Database Audit Specification dialog box.

   - **Name** The name of the database audit specification. This is generated automatically when you create a new database audit specification but is editable.
   - **Audit** The name of an existing server audit. Either type in the name of the audit or select it from the list.
   - **Audit Action Type** Specifies the database-level audit action groups and audit actions to capture. For the list of database-level audit action groups and audit actions and a description of the events they contain, see SQL Server Audit Action Groups and Actions.
   - **Object Schema** Displays the schema for the specified Object Name.
   - **Object Name** The name of the object to audit. This is only available for audit actions; it does not apply to audit groups.
   - **Ellipsis (…)** Opens the Select Objects dialog to browse for and select an available object, based on the specified Audit Action Type.
   - **Principal Name** The account to filter the audit by for the object being audited.
   - **Ellipsis (…)** Opens the Select Objects dialog to browse for and select an available object, based on the specified Object Name.
4. When you are finished selecting options, click OK.

## Using Transact-SQL

### To create a server audit

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute.

```sql
USE master;
GO
-- Create the server audit.
CREATE SERVER AUDIT Payrole_Security_Audit
    TO FILE ( FILEPATH = 'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA' );
GO
-- Enable the server audit.
ALTER SERVER AUDIT Payrole_Security_Audit
WITH (STATE = ON);
```

### To create a database-level audit specification

1. In Object Explorer, connect to an instance of Database Engine.
2. On the Standard bar, click New Query.
3. Copy and paste the following example into the query window and click Execute. The example creates a database audit specification called Audit_Pay_Tables that audits SELECT and INSERT statements by the dbo user, for the HumanResources.EmployeePayHistory table, based on the server audit defined above.

```sql
USE AdventureWorks2012;
GO
-- Create the database audit specification.
CREATE DATABASE AUDIT SPECIFICATION Audit_Pay_Tables
FOR SERVER AUDIT Payrole_Security_Audit
    ADD (SELECT, INSERT ON HumanResources.EmployeePayHistory BY dbo)
WITH (STATE = ON);
GO
```

For more information, see CREATE SERVER AUDIT (Transact-SQL) and CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL).

# View a SQL Server Audit Log

3/24/2017

This topic describes how to view a SQL Server audit log in SQL Server 2016 by using SQL Server Management Studio.

## In This Topic

- Before you begin: Security
- To view a SQL Server audit log, using: SQL Server Management Studio

## Before You Begin

### Security

Permissions

Requires the CONTROL SERVER permission.

## Using SQL Server Management Studio

### To view a SQL Server audit log

1. In Object Explorer, expand the Security folder.
2. Expand the Audits folder.
3. Right-click the audit log that you want to view and select View Audit Logs. This opens the Log File Viewer – server_name dialog box. For more information, see Log File Viewer F1 Help.
4. When finished, click Close.

Microsoft recommends viewing the audit log by using the Log File Viewer. However, if you are creating an automated monitoring system, the information in the audit file can be read directly by using the sys.fn_get_audit_file (Transact-SQL) function. Reading the file directly returns data in a slightly different (unprocessed) format. See sys.fn_get_audit_file for more information.

## See Also

- SQL Server Audit (Database Engine)
- Write SQL Server Audit Events to the Security Log

# Write SQL Server Audit Events to the Security Log

3/24/2017

In a high security environment, the Windows Security log is the appropriate location to write events that record object access. Other audit locations are supported but are more subject to tampering.

There are two key requirements for writing SQL Server server audits to the Windows Security log:

- The audit object access setting must be configured to capture the events. The audit policy tool (auditpol.exe) exposes a variety of sub-policy settings in the audit object access category. To allow SQL Server to audit object access, configure the application generated setting.
- The account that the SQL Server service is running under must have the generate security audits permission to write to the Windows Security log. By default, the LOCAL SERVICE and the NETWORK SERVICE accounts have this permission. This step is not required if SQL Server is running under one of those accounts.

The Windows audit policy can affect SQL Server auditing if it is configured to write to the Windows Security log, with the potential of losing events if the audit policy is incorrectly configured.
Typically, the Windows Security log is set to overwrite the older events. This preserves the most recent events. However, if the Windows Security log is not set to overwrite older events, then if the Security log is full, the system will issue Windows event 1104 (Log is full). At that point:

- No further security events will be recorded.
- SQL Server will not be able to detect that the system is not able to record the events in the Security log, resulting in the potential loss of audit events.

After the box administrator fixes the Security log, the logging behavior will return to normal.

## In This Topic

- Before you begin: Limitations and Restrictions; Security
- To write SQL Server audit events to the Security Log: Configure the audit object access setting in Windows using auditpol; Configure the audit object access setting in Windows using secpol; Grant the generate security audits permission to an account using secpol

## Before You Begin

### Limitations and Restrictions

Administrators of the SQL Server computer should understand that local settings for the Security log can be overwritten by a domain policy. In this case, the domain policy might overwrite the subcategory setting (`auditpol /get /subcategory:"application generated"`). This can affect SQL Server's ability to log events without having any way to detect that the events that SQL Server is trying to audit are not going to be recorded.

### Security

Permissions

You must be a Windows administrator to configure these settings.

## To configure the audit object access setting in Windows using auditpol

1. Open a command prompt with administrative permissions.
   a. On the Start menu, point to All Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.
   b. If the User Account Control dialog box opens, click Continue.
2. Execute the following statement to enable auditing from SQL Server.

   ```
   auditpol /set /subcategory:"application generated" /success:enable /failure:enable
   ```
3. Close the command prompt window.
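The SQL Server side of this procedure, as an added example that is not part of the original documentation: once the auditpol subcategory and the service account's generate security audits right are in place, create an audit whose target is the Security log and confirm that it started. The audit and specification names and the action groups chosen are assumptions.

```sql
USE master;
GO
-- Added example: a server audit targeting the Windows Security log.
-- Security_Log_Audit and Security_Log_Audit_Spec are placeholder names.
CREATE SERVER AUDIT Security_Log_Audit
TO SECURITY_LOG
WITH
(   QUEUE_DELAY = 0,                 -- synchronous: the record is written before the action completes
    ON_FAILURE = FAIL_OPERATION      -- audited actions fail rather than run unrecorded
);
GO

-- Server-level groups that belong in a tamper-resistant log: failed logins,
-- server role membership changes, and changes to the audit objects themselves.
CREATE SERVER AUDIT SPECIFICATION Security_Log_Audit_Spec
FOR SERVER AUDIT Security_Log_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT Security_Log_Audit WITH (STATE = ON);
GO

-- Verify the configuration and the running state: type_desc should read
-- SECURITY LOG and status_desc should read STARTED. A full Security log is
-- not detected by SQL Server (see the note above), so this check complements,
-- rather than replaces, monitoring of the Windows Security log itself.
SELECT a.name,
       a.type_desc,
       a.on_failure_desc,
       a.queue_delay,
       a.is_state_enabled,
       s.status_desc,
       s.status_time
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
WHERE a.name = 'Security_Log_Audit';
```

The written events appear in the Windows Security log under the Application Generated subcategory that the auditpol step enabled.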
## To grant the generate security audits permission to an account using secpol

1. For any Windows operating system, on the Start menu, click Run.
2. Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.
3. In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
4. In the results pane, double-click Generate security audits.
5. On the Local Security Setting tab, click Add User or Group.
6. In the Select Users, Computers, or Groups dialog box, either type the name of the user account, such as domain1\user1, and then click OK, or click Advanced and search for the account.
7. Click OK.
8. Close the Security Policy tool.
9. Restart SQL Server to enable this setting.

## To configure the audit object access setting in Windows using secpol

1. If the operating system is earlier than Windows Vista or Windows Server 2008, on the Start menu, click Run.
2. Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.
3. In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click Audit Policy.
4. In the results pane, double-click Audit object access.
5. On the Local Security Setting tab, in the Audit these attempts area, select both Success and Failure.
6. Click OK.
7. Close the Security Policy tool.

## See Also

- SQL Server Audit (Database Engine)