Post reply

Extended Events

  • April 7, 2014 at 5:16 am

    #292059

    Hi,

    As part of audit/compliance requirements, I need to capture DBA activities on various SQL Servers. Can Extended events satisfy this requirement? There are software such as Oracle Vault/Guardium that are supposed to do this, but I've never used these?

    Thanks

  • April 7, 2014 at 6:28 am

    #1703739

    Extended Events can be used to audit just about anything... BUT, if you have 'sa' privs on the server, you can turn off ex events. If you absolutely have to have some other auditing mechanism, you're going to have to track down a third party tool.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • April 7, 2014 at 6:40 am

    #1703744

    Check the list of extended events and see if it satisfies your requirements.

    ---------------------------------------------------
    "Thare are only 10 types of people in the world:
    Those who understand binary, and those who don't."

  • April 7, 2014 at 7:00 am

    #1703752

    Thanks for the reply. I guess it will have to be a third party since DBAs at my place have sysadmin rights and they can disable Extended events. The purpose is to collect the logs accurately without being tampered with!

  • April 7, 2014 at 7:48 am

    #1703781

    I think that no matter what you use, a DBA "could" get around it if they have SA.

    Jared
    CE - Microsoft

  • April 7, 2014 at 7:53 am

    #1703785

    Having looked around on the net, some of the 3rd party tools are supposed to do what I am looking for especially with all the compliance regulatory. You will be surprised that it will be like big brother watching!

  • April 7, 2014 at 9:39 am

    #1703850

    ApexSQL has an auditing/compliance product. Idera may have one too. But I think anything that is INSIDE SQL Server will probably be bypassable in some way by SA users.

    To truly capture access (especially read access) you have to deny remoting into the box and also buy a 3rd party network sniffer based auditing tool. See here for an option: http://www.whitesands.com/Home/. IIRC they are quite expensive but have some very interesting tooling.

    Best,
    Kevin G. Boles
    SQL Server Consultant
    SQL MVP 2007-2012
    TheSQLGuru on googles mail service

  • April 7, 2014 at 9:46 am

    #1703860

    While XE can provide you some of this info, the better approach is to set up a Server and Database audits (http://technet.microsoft.com/en-us/library/cc280386.aspx[/u]).

    And yes, a DBA with sysadmin can alter those things. But they are the DBA and you already trust them with the data. If you can't trust them to obey the audit rules, then you can't trust them with the data and they shouldn't be there.

    Besides the audit, you should be scraping the files (created from the audit) from the local server to a central repository that the DBA can't access.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply