Blog Post

SQL Server Audit: Getting Started

,

SQL Server has the ability to monitor both server and database level events via the SQL Server Audit feature.  Audited events can be written to the server application or security logs, or to a file where you specify the location (the most secure route).   SQL Server Audit is easy to set up, and requires at most three objects be created: an audit object, and a server and/or database audit specification object.

In this example, we’ll create a SQL Server Audit that monitors backup and restore activity for the instance (server level audit) and monitors the DDL statements on the AdventureWorks2008R2 database (database level audit).  Audit information will be stored in a file, which can be queried via Management Studio.

First, we’ll create the initial audit object.  Note that all of these steps can also be performed via the GUI, but scripting makes me feel more powerful.

USE master
GO
CREATE SERVER Audit KreulAudit
TO FILE (FILEPATH = 'C:\AdventureWorks2008R2_Database\Audit');
GO

Next, we need the server and database audit specifications.

USE master
GO
CREATE SERVER Audit SPECIFICATION KreulAudit_ServerSpec
FOR SERVER AUDIT KreulAudit
ADD(BACKUP_RESTORE_GROUP)
WITH (STATE = ON);
GO
USE AdventureWorks2008R2
GO
CREATE DATABASE AUDIT SPECIFICATION KreulAudit_DatabaseSpec
FOR SERVER AUDIT KreulAudit
ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE=ON);
GO

Lastly, we enable the audit.

USE master
GO
ALTER SERVER Audit KreulAudit WITH (STATE = ON);
GO

After running a backup and dropping a view, we should now see some activity in our audit file.  The fn_get_audit_file function allows us to read the file right in Management Studio.

SELECT event_time, [statement] FROM 
sys.fn_get_audit_file('C:\AdventureWorks2008R2_Database\Audit\*', null, null);
GO

AuditSS

The audit successfully captured both events.  Note that the first record returned is just the header record indicating an audit session was started.  This occurred when we enabled the audit.

There are many different audit action groups in addition to the examples above, and they’re listed here.  There are quite a few that you’ll see listed both in the server and database group, but the key to remember is that the server audits are at an instance level, and database audits are at a database level.

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads