In this blog I will be talking about Creating and Managing Audits in SQL Server. We will first look at what SQL Server audit is and why you should use it. After this we will be looking at where to configure and how to activate SQL server audit, server audit specifications and database level specifications. To finish, we will see how to access the collected data from the sql audit file.
What is auditing?
“Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine“, is the official definition as found on the Microsoft docs ( https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-2017 )
This makes Auditing an important feature in SQLServer (since SQLServer 2008) regarding security. It helps you log and understand database or server activity. SQL Server audit specifications can be set up at the server and the database level to track the activities in which you may be interested. Prior to SQL 2016 only the Enterprise, Developer and Evaluation supported this feature. Since 2016 standard edition also supports this feature (drinks).
Why should I use it? Data security these days is becoming more important each day. When using SQL Server audit you have a way to get an insight into discrepancies and anomalies that might indicate business concerns or suspected security violations like certain users trying to access data which they aren’t supposed to. Since it is a build-in feature you won’t need to spend extra company resources on a 3rth party application.
Configuring and activating SQL audit.
To configure and activate a SQL audit we must first know that there are 3 different objects that we can configure before activating SQL audit. We have the Audit itself, this can be found on server level in the security folder as seen on figure 1. We have the server level Audit specifications also seen on figure 1. And as 3th item we have the Database Level Audit specification, these can be found in the security folder on database level as seen in figure 2.
First we will be talking about Audits since that would be the first step in setting up SQL Server audits.
Figure 1 Figure 2
d) Audit destination. Here you define as what the audit will be stored. This can be as a separate file, windows security or windows application log.
e) File path. Here you define where the file will be stored. I created a separate audit map where I store my file.
f) Audit file maximum limit. With these options you configure how big the files can become, how many files there should be and if they will rollover.
2. Server Audit Specification. Here you control which server level events that need to be documented on the SQL audit log which you specify in the audit option as seen in figure 4 where I would log every event specified to the TestAudit. You can only have 1 of these on each Audit.
3. Database Audit Specification. Here like in point b you need to specify which audit to use and which events to log. Again only 1 on each audit so if you would like to audit several databases you will need to make several audits.
Getting information out of the audit log
The audit log (if using a binary file) can be done by going in the object explorer and right clicking the audit and selecting “view audit logs” this will give you figure 4 as new window. My log doesn’t really have much info at the moment but if you have configured some specific events these will be visible in this window. The box at the bottom will give you a very detailed description about the event that occurred.
Figure 4
Now we have seen how you can create and manage your SQL Server audit and how you can access the data that has been logged. Now you can go experiment with all the different events that can be captured in the Audit but watch out because one of the dangers would be that if you just find out of this feature you may be tempted to simply audit everything, this way you could check anything, right?
Of course you can do it like this but this will give a big performance impact, it is better to configure several distinct audits and swapping between these whenever you need a specific result this because the more events being audited, the less resources SQL Server will have available for other tasks.
Which events are best to log is or are more valuable is a topic for another day.
Thank you.
© 2023 Kohera
Crafted by
© 2022 Kohera
Crafted by
Cookie | Duration | Description |
---|---|---|
ARRAffinity | session | ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user. |
ARRAffinitySameSite | session | This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category. |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
CookieLawInfoConsent | 1 year | CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie. |
elementor | never | The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | Cloudflare set the cookie to support Cloudflare Bot Management. |
pll_language | 1 year | Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way. |
Cookie | Duration | Description |
---|---|---|
_ga | 1 year 1 month 4 days | Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. |
_ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
_gat_gtag_UA_* | 1 minute | Google Analytics sets this cookie to store a unique user ID. |
_gid | 1 day | Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. |
ai_session | 30 minutes | This is a unique anonymous session identifier cookie set by Microsoft Application Insights software to gather statistical usage and telemetry data for apps built on the Azure cloud platform. |
CONSENT | 2 years | YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. |
vuid | 1 year 1 month 4 days | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website. |
Cookie | Duration | Description |
---|---|---|
ai_user | 1 year | Microsoft Azure sets this cookie as a unique user identifier cookie, enabling counting of the number of users accessing the application over time. |
VISITOR_INFO1_LIVE | 5 months 27 days | YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface. |
YSC | session | Youtube sets this cookie to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt-remote-device-id | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt.innertube::nextId | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
Cookie | Duration | Description |
---|---|---|
WFESessionId | session | No description available. |