We would like to audit only INSERT statements carried out by non-service accounts, so we have done the below.
The service accounts have been explicitly excluded at the server audit level. However, we are still seeing events being logged to the Windows Security Event Log for these principles!
How can we ensure events by these principles are excluded?
-- Create server audit.
CREATE SERVER AUDIT [My_Audit]
TO SECURITY_LOG
WITH
(
QUEUE_DELAY = 1000,
ON_FAILURE = CONTINUE
)
WHERE [server_principal_name] <> 'DOMAIN\myServiceAccount1'
AND [server_principal_name] <> 'DOMAIN\myServiceAccount2',
AND [server_principal_name] <> 'DOMAIN\myServiceAccount3';
GO
ALTER SERVER AUDIT [My_Audit] WITH (STATE = ON);
GO
-- Create database audit specification.
CREATE DATABASE AUDIT SPECIFICATION [My_Audit_INSERT]
FOR SERVER AUDIT [My_Audit]
ADD (INSERT ON SCHEMA::[dbo] BY [public])
WITH (STATE = ON);
GO
May 18, 2021 at 7:19 pm
I'd think your "AND" is a problem here, as an event doesn't have all 3.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply