October 17, 2006 at 7:47 am
Hi,
I have a SQL Server 2000 instance with some user databases. Someone has deleted one database. I have checked the SQL logs, application logs and system logs, but I did not get any information about who deleted the database. I just want to know the deleted database's details, like the database size, who deleted it and at what time it was deleted.
Is there any possibility to find out the details? TIA
October 17, 2006 at 3:01 pm
Unless you were auditing for DROP DATABASE, I don't think there's a way to know who dropped it.
Auditing requirements on our data warehouse server require us to run a Profiler trace constantly to record events such as this. It doesn't prevent it from happening, but it allows us to get the "when" and "who" if it occurs.
Greg
October 18, 2006 at 12:33 am
Here is an article on turning on audit logs.
http://www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx#EPC
Greg,
Do you run your Profiler in the foreground? I am currently addressing an audit issue and am now evaluating the above documentation on implementing audit logs. I am not going for the C2 logging as there is too much information and we do not have the resources to audit all the logs. I am considering using the server-side traces. However, I am not sure how secure this trace can be. Does the SQL administrator have full control of the log files and trace filters? The purpose of turning on the audit logs is to monitor the SQL administrator's activities. Does anyone have a better idea for achieving this objective?
Joseph
October 18, 2006 at 9:34 am
We create and start the trace using T-SQL and the sp_trace stored procedures. This runs the trace without having the Profiler client running and allows us to customize the events and columns. The trace writes to a file which is backed up every day.
The SQL Administrators (DBAs) have full control over the filters and files. However, stopping or changing the trace would not go unnoticed. We do the auditing to comply with Federal agency data sharing rules and we don't want to jeopardize that.
Greg
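A server-side trace of the kind described in the post above, as an added example that is not code from the thread or its posters. The file path, file size and column selection are assumptions, and the event numbers (47 and 118) are taken from the SQL Server 2000 trace event list and should be confirmed against Books Online for your build.

```sql
-- Added example for SQL Server 2000; path, size and column set are assumptions.
DECLARE @rc int, @TraceID int, @on bit, @maxsize bigint, @event int, @col int
SET @on = 1
SET @maxsize = 50                        -- MB per file before rollover

-- Option 2 = TRACE_FILE_ROLLOVER; the server appends .trc to the file name.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2, N'D:\Audit\ddl_audit', @maxsize, NULL
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed, return code %d', 16, 1, @rc)
    RETURN
END

-- Columns: 1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
--          11 LoginName, 12 SPID, 14 StartTime, 35 DatabaseName
DECLARE @cols TABLE (col int PRIMARY KEY)
INSERT @cols
SELECT 1 UNION ALL SELECT 6 UNION ALL SELECT 8 UNION ALL SELECT 10 UNION ALL
SELECT 11 UNION ALL SELECT 12 UNION ALL SELECT 14 UNION ALL SELECT 35

-- Events: 47 Object:Deleted, 118 Audit Object Derived Permission (CREATE/ALTER/DROP)
SET @event = 47
WHILE @event IS NOT NULL
BEGIN
    SELECT @col = MIN(col) FROM @cols
    WHILE @col IS NOT NULL
    BEGIN
        EXEC sp_trace_setevent @TraceID, @event, @col, @on
        SELECT @col = MIN(col) FROM @cols WHERE col > @col
    END
    SET @event = CASE @event WHEN 47 THEN 118 ELSE NULL END
END

EXEC sp_trace_setstatus @TraceID, 1      -- 1 = start the trace
SELECT @TraceID AS TraceID               -- record the id; a changed id means a restart
GO

-- Later: read the trace files back to answer "who" and "when".
SELECT StartTime, LoginName, NTUserName, HostName, ApplicationName, DatabaseName,
       CAST(TextData AS nvarchar(4000)) AS StatementText
FROM ::fn_trace_gettable(N'D:\Audit\ddl_audit.trc', DEFAULT)
WHERE EventClass IN (47, 118)
ORDER BY StartTime
```

A trace defined this way does not survive a restart of the SQL Server service, so it has to be recreated at startup for the audit record to stay continuous.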
October 19, 2006 at 1:50 am
We are currently exploring the use of sp_trace. The question I have is whether there is any possibility of the administrator manipulating the contents of the files?
Joseph
October 19, 2006 at 8:28 am
I suppose you could make the trace output file read-only, otherwise sure, the contents of the files could be changed. Who you gonna trust?
Greg