"SQL Server could not write to security log" alert for only a few events

  • Hello,

    Following the implementation of alerts in the SQL Agent to detect errors with severities ranging from 16 to 25, I just realized that I have problems with the SQL audit events that are written to the Windows Security log, because I receive severity 17 alerts with the description "SQL Server Audit could not write to the security log."

    I have checked in my log centralization tool that the majority of the events are coming back fine (99.99%), but some events are missing and I don't know why.

    - I have configured the audit following the Microsoft documentation:

    https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=sql-server-ver15

    - The operating system is Windows Server 2016 with SQL Server 2019.

    The alerts seem to be triggered during large loads, so I restricted the audited events to their minimum believing that the problem came from the mass of data that had to be written, but the problem still persists.

    I'm not sure where to look anymore, so I'm writing my first post on this forum to see if anyone has encountered this problem before.

    If you have any ideas, I'm interested.


  • As a GUESS, I would say that since the problem occurs during busy times on the server, it is LIKELY contention on the log file.  Too many things are writing to the file and some of them are failing.  If you have the AV set to scan the log files, or any external tools set to scan them, it COULD be that one of those tools is locking the file and causing problems.  BUT I am just guessing - I can't see your system or its configuration or review any of your logs from here.

    Now, it COULD also be something related to some specific error being written to the log.  I would review the known missed errors and see if there is anything common on them (like specific error messages, specific users triggering the errors, etc).

    Now, if ALL writes to the Windows security log are failing, then it is likely going to be permission related (but might not be).

    The above is all just my opinion on what you should do. 
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there are negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
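The reply above suggests reviewing the failed writes for something they have in common. The T-SQL below is an added example, not code from either poster: it lists each server audit with its destination, its ON_FAILURE setting and its current runtime status, then pulls every error-log line that mentions the security log out of the current and archived SQL Server error logs and buckets those lines by hour, so the failure times can be lined up against the load windows the original post describes. It assumes a sysadmin login (or permission to query the audit DMVs and run xp_readerrorlog), that the audit target is the Windows Security log, and that the instance keeps the default six archived error logs (the @maxlog value is an example; lower it if fewer archives exist, since xp_readerrorlog raises an error for a log number that does not exist).

```sql
-- Added example (not from the original posts). Assumes sysadmin rights,
-- an audit whose target is the Windows Security log, and the default
-- retention of six archived error logs (@maxlog below is an example value).

-- 1. Which audits exist, where they write, what happens when a write fails,
--    and whether the audit is currently running or in RUNTIME_FAIL.
SELECT a.name,
       a.type_desc,          -- SECURITY LOG / APPLICATION LOG / FILE
       a.on_failure_desc,    -- CONTINUE / SHUTDOWN SERVER INSTANCE / FAIL OPERATION
       s.status_desc,        -- STARTED / RUNTIME_FAIL / ...
       s.status_time
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s
     ON s.audit_id = a.audit_id;

-- 2. Collect every error-log line that mentions the security log, from the
--    current log (0) and the archived logs (1..@maxlog).
IF OBJECT_ID('tempdb..#errlog') IS NOT NULL
    DROP TABLE #errlog;
CREATE TABLE #errlog
(
    LogDate     datetime,
    ProcessInfo nvarchar(50),
    [Text]      nvarchar(max)
);

DECLARE @log    int = 0,
        @maxlog int = 6;   -- number of archived logs to read (example value)

WHILE @log <= @maxlog
BEGIN
    -- xp_readerrorlog args: log number, log type (1 = SQL error log), search string
    INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
    EXEC master.dbo.xp_readerrorlog @log, 1, N'security log';
    SET @log += 1;
END;

-- 3. When do the failures cluster?  One row per hour with a count and a
--    sample message, to compare against the heavy-load periods.
SELECT DATEADD(hour, DATEDIFF(hour, 0, LogDate), 0) AS failure_hour,
       COUNT(*)                                    AS failures,
       MIN([Text])                                 AS sample_message
FROM #errlog
GROUP BY DATEADD(hour, DATEDIFF(hour, 0, LogDate), 0)
ORDER BY failure_hour;
```

If step 1 shows the audit in RUNTIME_FAIL, or the hourly buckets in step 3 line up with the large loads, that supports the contention explanation in the reply; if the failures are spread evenly through the day, the permissions or a specific event type become the more likely cause. The on_failure_desc column is worth noting either way, because it determines whether a failed write is silently dropped (CONTINUE), fails the audited statement (FAIL OPERATION) or stops the instance.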
