Server Audit Examples in SQL Server 2008
From SQLServerPedia
|
See Also: Main_Page - Transact SQL Code Library
IntroductionPrior to SQL Server 2008, auditing in SQL Server was done using a variety of tools and options especially looking at the application logs in windows and SQL Server error logs, using a combination of DDL Triggers like server and logon triggers and using SQL Trace. This makes centralizing auditing of SQL Server very tedious and complex task. Also, it requires significant technical knowledge for auditors to complete these tasks. This is a primer, 101 article for SQL Server Audit and shouldn't be considered as comprehensive work. Server Audit in SQL Server 2008SQL Server 2008 introduced new auditing capabilities to help centralize all auditing of the SQL Server instance. This new feature has many benefits compared to previous versions as the auditing capabilities are embedded into the Database Engine. Server Audit is built using the infrastructure built for Extended events, a high performance event monitoring mechanism. SQL ServerAudit has very little to no performance impact compared to previous editions. What's in Server Audit?There are 4 key components in SQL Server Audit. Server Audit, Server Audit Specification, Database Audit Specification and Target.
USE master GO CREATE SERVER AUDIT [Password_Audit] TO FILE ( FILEPATH = N'C:\' ,MAXSIZE = 10 MB ,MAX_ROLLOVER_FILES = 30 ,RESERVE_DISK_SPACE = OFF ) WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ) GO ALTER SERVER AUDIT [Password_Audit] WITH (STATE = ON) GO DROP SERVER AUDIT [Password_Audit] GO ALTER ANY SERVER AUDIT permission, part of CONTROL SERVER is required to use the above commands. Server Audit Specification: A Server Audit Specification is used to monitor several instance level audit actions and will be a part of the SERVER AUDIT. Server Audit Specification can be created and modified with the following commands.
CREATE SERVER AUDIT SPECIFICATION Password_Change_Specification
FOR SERVER AUDIT [Password_Audit]
ADD (LOGIN_CHANGE_PASSWORD_GROUP);
GO
ALTER SERVER AUDIT SPECIFICATION Password_Change_Specification WITH (STATE = ON) GO DROP SERVER AUDIT SPECIFICATION Password_Change_Specification GO ALTER ANY SERVER AUDIT permission, part of CONTROL SERVER is required to use the above commands. Database Audit Specification: A Database Audit Specification is used to monitor several database level audit actions and will be a part of the SERVER AUDIT. This allows to audit at a more granular level. Database Audit Specification can be created and modified with the following commands. USE AdventureWorks2008 GO CREATE DATABASE AUDIT SPECIFICATION Read_Sensitive_Data_Specification FOR SERVER AUDIT [ReadSensitive_Audit] ADD (SELECT ON HumanResources.EmployeePayHistory BY dbo) ); GO ALTER DATABASE AUDIT SPECIFICATION Read_Sensitive_Data_Specification WITH (STATE = ON) GO DROP DATABASE AUDIT SPECIFICATION Read_Sensitive_Data_Specification GO ALTER DATABASE SERVER SPECIFICATION permission, part of CONTROL DATABASE is required to use the above commands. Target: The audit data can be routed to a file, windows security event log or windows application event log. Server Audit ExamplesHow to read Audit datafn_get_audit_file canbe used to read data from the audit files. Below is an example of reading data from the ReadSensitive_Audit files. SELECT * FROM fn_get_audit_file( 'C:\ReadSensitive_Audit_*.sqlaudit', DEFAULT, DEFAULT ) Related Reading About Server AuditTo learn more about SQL Server Audits, here's a few tutorial links: Author Credits This wiki article is created by Sankar Reddy. Sankar is a Database Engineer and an involuntary DBA working for Funmobility, a mobile media and entertainment company where he works with high traffic OLTP systems and over 1 TB data warehouse. Sankar strongly believes in 'Every day is a school day!' and he's thankful for the vibrant SQL Server community. His online presences include:
|