August 24, 2021 at 9:50 am
https://www.sqlservercentral.com/forums/topic/with-sqlaudit-you-cannot-track-hostname-or-ip-address
"The host name is dependent on the connection string. If people leave this off, it's why you can't audit for it. You can use HOST_NAME to get this information if it's passed. You can probably, in most cases, I won't say all, get the IP address from sys.dm_exec_connections.
@Grant Frritchey - Is the above statement referring to SQL Audit or Extended event
@Grant Fritchey & All
Using SQL Audit I can audit only the relevant SQL Login activity (Like a select/insert etc..DML).When I audit there is Only 1 record in the result set.Also can I capture hostname and client app here as in extended events.
Extended events capture all information, but there are several records when I try audit a login.How I can filter everything and have only 1 record in the result set.(capture only the relevant select/DML) as in SQL audit.Any references can help.
August 24, 2021 at 1:26 pm
Why don't you ask this question in the original thread?
Michael L John
If you assassinate a DBA, would you pull a trigger?
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
August 24, 2021 at 2:15 pm
Sounds good to me but unless I am not responding with an answer to the original thread I wasn't sure if it would be appropriate to get into someone's thread with my own set of questions.
August 25, 2021 at 3:47 am
Why don't you ask this question in the original thread?
That's almost funny, Michael... how many times have we seen people say "start a new thread for a different question" even if it's a related question?
I'm with you that there's nothing wrong with asking a question on a related thread. Most folks that answer questions monitor for all questions and additional posts anyway.
Shifting gears to the question at hand... one fairly easy method is to change the server setting to capture all logins in the SQL Server error log. Some find that annoying because it can hide problems if you don't now how to filter or you don't now how to read the contents of a log file using a bit of unsupported but commonly used code. I agree that's a bit of a mess but it is fairly safe.
Another way is to make login triggers for the server. The spooky part there is that if you do it wrong, you won't be able to log into the server. Still, the correct methods are fairly well documented if you Google for them. I do recommend testing any solution on a "burner" instance before applying to a real server.
You can also buy software that will do all of this for you and take it out of reach of DBAs if you need audit information for potential court appearances or SEC guaranteed audits, etc.
--Jeff Moden
Change is inevitable... Change for the better is not.
August 25, 2021 at 11:17 am
@thanks Jeff..I can check the error log way but can I get references on how I can filter the all data but the login records into the .xel files. By that I mean...if a login runs a select ... my .xel should have ONLY 1 record displaying the relevant select details(like the .audit files do cleanly when opting for SQL database Audit/Server audit way)...As mentioned I have already captured the relevant data using extended events but there is a lot thats needs to be filtered and that is where I need directions. No triggers(not averse to it but no for now) and can't afford a 3rd party tool.
August 25, 2021 at 11:47 am
@Thanks Jeff..I can check the error log way but can I get references on how I can filter the all data but the login records into the .xel files. By that I mean...if a login runs a select ... my .xel should have ONLY 1 record displaying the relevant select details(like the .audit files do cleanly when opting for SQL database Audit/Server audit way)...As mentioned I have already captured the relevant data using extended events but there is a lot thats needs to be filtered and that is where I need directions. No triggers(not averse to it but no for now) and can't afford a 3rd party tool.
This is why I suggested that you post in the original thread. The folks who answered are very well versed in extended events and can probably give you better answers.
Jeff's answer was strictly about capturing logins, not the associated SQL statements.
As for filtering the extended events, you can add a WHERE clause to the event definition to filter. Also, if you pull the results into a table you can filter, painfully, by using LIKE, CHARINDEX, and so forth.
Michael L John
If you assassinate a DBA, would you pull a trigger?
To properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply