March 25, 2014 at 3:26 am
I am trying out the new SQL Audit functionality and have created a Login Failed audit using the FAILED_LOGIN_GROUP audit action type. I have given SQL Server service the Audit security privilege in secpol.msc so it can write to the security log, and restarted it. I am successfully getting login failures for Windows authentication attempts, but I am not getting anything in the Security Log for SQL accounts, although these do show up in the SQL Server error log.
Our audit gathering process scrapes the Security log, so would really like the standard login failures to go there. Is there way to do that?
March 25, 2014 at 7:45 am
As far as I am aware SQL will only write to the application log, its not possible to write to the security log.
MCITP SQL 2005, MCSA SQL 2012
March 26, 2014 at 3:46 am
The Windows Security Log is protected. Only specific Windows components can succeed in writing to it, regardless of what permissions you give to any of your code.
AFAIK the only way to get something written to the Audit log is to trigger an event that Windows audit routines respond to. What these routines then write is completely down to them, you cannot insert any of your own messaging. (Been there, shared the frustration, moved on and largely forgotten the fine details...)
I think you may have to settle to just writing to the Application Log.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
March 26, 2014 at 3:50 am
Hi Ed, thanks for the reply.
Yes, I've been doing some testing today on Windows Server 2012 R2 and SQL Server 2014 CTP2 (until RTM arrives next week) 🙂
Even though I grant the SeAuditPrivilege with secpol, the events don't go to the security log. Makes me wonder why the option is there. All working fine writing to the Application Log. I'll move on too... :w00t:
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply