Login or Sign Up to become a member!
LessThanDot Sit Logo

LessThanDot

Data Management

Less Than Dot is a community of passionate IT professionals and enthusiasts dedicated to sharing technical knowledge, experience, and assistance. Inside you will find reference materials, interesting technical discussions, and expert tips and commentary. Once you register for an account you will have immediate access to the forums and all past articles and commentaries.

LTD Social Sitings

Lessthandot twitter Lessthandot Linkedin Lessthandot friendfeed Lessthandot facebook Lessthandot rss

Note: Watch for social icons on posts by your favorite authors to follow their postings on these and other social sites.

Your profile

    Tools

    Tag cloud

    backup bigdata book database denali functions gotcha how to howto indexing mongodb nosql performance sql sql advent 2012 sql friday sql server sql server 2000 sql server 2005 sql server 2008 sql server 2008 r2 sql server 2012 sql server denali sqlcop ssis ssms ssrs t-sql tip trick

    Authors

    Main Categories

    Search

    XML Feeds

    What is RSS?

    Google Ads

    « MySQL MyISAM and InnoDB Engine DifferencesSQLCop integration with Red Gate's SQL Test »
    0
    comments

    SQL Server Auditing: Looking Back

    by SQLArcher on Jan 09, 2012 in categories Database Administration, Microsoft SQL Server Admin
    Instapaper

    Over the past couple of weeks, we have looked at the new auditing feature introduced in SQL Server 2008. This post will finish up with the series and will cover the remaining subjects:

    1.SQL Server 2008 vs. SQL Server 2012,
    2.PBM - Last take on auditing your audits,
    3.The Auditing Repository.

    SQL Server 2008 vs. SQL Server 2012

    The new release of SQL Server is around the corner, and with it there are numerous enhancements to the various components as well as new features. The auditing component is no different. There are a total of 507 audit actions in SQL Server 2012 compared to the 454 in SQL Server 2008 R2. Some of the new actions are more specifically geared to the new SQL Server 2012 Database Containment Feature.

    In addition to this, it also introduces filtering to your audits. This is set up on your audit instead of the Server Audit Specification or Database Audit Specification. This will limited what is written to the audit file even more, however there will be the additional CPU overhead to pay for filtering the audits.

    Let's take a look how to set it up through the SSMS:

    First of all, create the audit as previously and navigate as in the screenshot. Note that we will use testdb, check for dbo schema and only actions taking place by users which are defined as a DB_Owner:

    Next we define a Server Audit Specification to Capture Schema access:
    Note. This is necessary to capture the events. Previously a Server Audit Specification captured ALL the events across ALL databases.

    To create the same audit using TSQL(which is easier) is as follows:

    tsql
    Line number Off | Hide | Select all
    1. USE [master]
    2. GO
    3.  
    4. CREATE SERVER AUDIT [Filtered]
    5. TO FILE
    6. (   FILEPATH = N'E:\SQLAuditing\'
    7.     ,MAXSIZE = 10 MB
    8.     ,MAX_FILES = 1
    9.     ,RESERVE_DISK_SPACE = OFF
    10. )
    11. WITH
    12. (   QUEUE_DELAY = 1000
    13.     ,ON_FAILURE = CONTINUE
    14.    
    15. )
    16. WHERE ([database_name]='testdb' AND [schema_name]='dbo' AND [object_name]='tab1' AND [database_principal_name]='dbo')
    17. ALTER SERVER AUDIT [Filtered] WITH (STATE = ON)
    18. GO
    19.  
    20. USE [master]
    21. GO
    22.  
    23. CREATE SERVER AUDIT SPECIFICATION [Server_Spec_Filtering]
    24. FOR SERVER AUDIT [Filtered]
    25. ADD (SCHEMA_OBJECT_ACCESS_GROUP)
    26. WITH (STATE = OFF)
    27. GO

    Below is the results of querying an audit file with the filter:

    Other additional functionality is OnError:Fail Operation as well as maximum number of files. Maximum number of files indicates the number of files needed to be kept.

    PBM - Last Take On Auditing Your Audits

    Continuing from the last post, below is some policies which you can use with SQL Server 2008/R2/2012.

    They are as follows:
    1. Audit files.
    2. Database Audits.
    3. Server Audits.

    Note. I included a ServerVersion condition if you intend to use this with the Enterprise Policy Framework. This will only execute the policies against SQL Server 2008 upwards.

    These policies will take a look at the naming convention for the policies as follows:

    Database Audits:

    1. Name starts with 'DBAudit_%.
    2. Audit file name starts with 'DBAudit_Spec_%'.
    3. Audit is enabled.

    Server Audits:

    1. Name starts with 'SQLAudit_%'.
    2. Audit file name starts with 'ServerAudit_%'.
    3. Audit is enabled.

    Audit Files:

    1. Audit file is enabled.
    2. Destination type is file.
    3. 100 Maximum files.
    4. 10 Roll over files
    5. File size is maximum 5GB.
    6. File size unit is GB.
    7. Reserve disk space true.

    Below are the create conditions:

    tsql
    Line number Off | Hide | Select all
    1. --- Audit_Condition
    2.  
    3. Declare @condition_id int
    4. EXEC msdb.dbo.sp_syspolicy_add_condition @name=N'Audit_Condition', @description=N'', @facet=N'Audit', @expression=N'<Operator>
    5.  <TypeClass>Bool</TypeClass>
    6.  <OpType>AND</OpType>
    7.  <Count>2</Count>
    8.  <Operator>
    9.    <TypeClass>Bool</TypeClass>
    10.    <OpType>AND</OpType>
    11.    <Count>2</Count>
    12.    <Operator>
    13.      <TypeClass>Bool</TypeClass>
    14.      <OpType>AND</OpType>
    15.      <Count>2</Count>
    16.      <Operator>
    17.        <TypeClass>Bool</TypeClass>
    18.        <OpType>AND</OpType>
    19.        <Count>2</Count>
    20.        <Operator>
    21.          <TypeClass>Bool</TypeClass>
    22.          <OpType>AND</OpType>
    23.          <Count>2</Count>
    24.          <Operator>
    25.            <TypeClass>Bool</TypeClass>
    26.            <OpType>AND</OpType>
    27.            <Count>2</Count>
    28.            <Operator>
    29.              <TypeClass>Bool</TypeClass>
    30.              <OpType>EQ</OpType>
    31.              <Count>2</Count>
    32.              <Attribute>
    33.                <TypeClass>Bool</TypeClass>
    34.                <Name>Enabled</Name>
    35.              </Attribute>
    36.              <Function>
    37.                <TypeClass>Bool</TypeClass>
    38.                <FunctionType>True</FunctionType>
    39.                <ReturnType>Bool</ReturnType>
    40.                <Count>0</Count>
    41.              </Function>
    42.            </Operator>
    43.            <Operator>
    44.              <TypeClass>Bool</TypeClass>
    45.              <OpType>EQ</OpType>
    46.              <Count>2</Count>
    47.              <Attribute>
    48.                <TypeClass>Numeric</TypeClass>
    49.                <Name>DestinationType</Name>
    50.              </Attribute>
    51.              <Function>
    52.                <TypeClass>Numeric</TypeClass>
    53.                <FunctionType>Enum</FunctionType>
    54.                <ReturnType>Numeric</ReturnType>
    55.                <Count>2</Count>
    56.                <Constant>
    57.                  <TypeClass>String</TypeClass>
    58.                  <ObjType>System.String</ObjType>
    59.                  <Value>Microsoft.SqlServer.Management.Smo.AuditDestinationType</Value>
    60.                </Constant>
    61.                <Constant>
    62.                  <TypeClass>String</TypeClass>
    63.                  <ObjType>System.String</ObjType>
    64.                  <Value>File</Value>
    65.                </Constant>
    66.              </Function>
    67.            </Operator>
    68.          </Operator>
    69.          <Operator>
    70.            <TypeClass>Bool</TypeClass>
    71.            <OpType>EQ</OpType>
    72.            <Count>2</Count>
    73.            <Attribute>
    74.              <TypeClass>Numeric</TypeClass>
    75.              <Name>MaximumFiles</Name>
    76.            </Attribute>
    77.            <Constant>
    78.              <TypeClass>Numeric</TypeClass>
    79.              <ObjType>System.Double</ObjType>
    80.              <Value>100</Value>
    81.            </Constant>
    82.          </Operator>
    83.        </Operator>
    84.        <Operator>
    85.          <TypeClass>Bool</TypeClass>
    86.          <OpType>EQ</OpType>
    87.          <Count>2</Count>
    88.          <Attribute>
    89.            <TypeClass>Numeric</TypeClass>
    90.            <Name>MaximumRolloverFiles</Name>
    91.          </Attribute>
    92.          <Constant>
    93.            <TypeClass>Numeric</TypeClass>
    94.            <ObjType>System.Double</ObjType>
    95.            <Value>10</Value>
    96.          </Constant>
    97.        </Operator>
    98.      </Operator>
    99.      <Operator>
    100.        <TypeClass>Bool</TypeClass>
    101.        <OpType>EQ</OpType>
    102.        <Count>2</Count>
    103.        <Attribute>
    104.          <TypeClass>Numeric</TypeClass>
    105.          <Name>MaximumFileSize</Name>
    106.        </Attribute>
    107.        <Constant>
    108.          <TypeClass>Numeric</TypeClass>
    109.          <ObjType>System.Double</ObjType>
    110.          <Value>5</Value>
    111.        </Constant>
    112.      </Operator>
    113.    </Operator>
    114.    <Operator>
    115.      <TypeClass>Bool</TypeClass>
    116.      <OpType>EQ</OpType>
    117.      <Count>2</Count>
    118.      <Attribute>
    119.        <TypeClass>Numeric</TypeClass>
    120.        <Name>MaximumFileSizeUnit</Name>
    121.      </Attribute>
    122.      <Function>
    123.        <TypeClass>Numeric</TypeClass>
    124.        <FunctionType>Enum</FunctionType>
    125.        <ReturnType>Numeric</ReturnType>
    126.        <Count>2</Count>
    127.        <Constant>
    128.          <TypeClass>String</TypeClass>
    129.          <ObjType>System.String</ObjType>
    130.          <Value>Microsoft.SqlServer.Management.Smo.AuditFileSizeUnit</Value>
    131.        </Constant>
    132.        <Constant>
    133.          <TypeClass>String</TypeClass>
    134.          <ObjType>System.String</ObjType>
    135.          <Value>Gb</Value>
    136.        </Constant>
    137.      </Function>
    138.    </Operator>
    139.  </Operator>
    140.  <Operator>
    141.    <TypeClass>Bool</TypeClass>
    142.    <OpType>EQ</OpType>
    143.    <Count>2</Count>
    144.    <Attribute>
    145.      <TypeClass>Bool</TypeClass>
    146.      <Name>ReserveDiskSpace</Name>
    147.    </Attribute>
    148.    <Function>
    149.      <TypeClass>Bool</TypeClass>
    150.      <FunctionType>True</FunctionType>
    151.      <ReturnType>Bool</ReturnType>
    152.      <Count>0</Count>
    153.    </Function>
    154.  </Operator>
    155. </Operator>', @is_name_condition=0, @obj_name=N'', @condition_id=@condition_id OUTPUT
    156. Select @condition_id
    157.  
    158. GO
    159.  
    160.  
    161. --- DatabaseAudit_Condition
    162.  
    163. Declare @condition_id int
    164. EXEC msdb.dbo.sp_syspolicy_add_condition @name=N'DatabaseAudit_Condition', @description=N'', @facet=N'DatabaseAuditSpecification', @expression=N'<Operator>
    165.  <TypeClass>Bool</TypeClass>
    166.  <OpType>AND</OpType>
    167.  <Count>2</Count>
    168.  <Operator>
    169.    <TypeClass>Bool</TypeClass>
    170.    <OpType>AND</OpType>
    171.    <Count>2</Count>
    172.    <Operator>
    173.      <TypeClass>Bool</TypeClass>
    174.      <OpType>LIKE</OpType>
    175.      <Count>2</Count>
    176.      <Attribute>
    177.        <TypeClass>String</TypeClass>
    178.        <Name>AuditName</Name>
    179.      </Attribute>
    180.      <Constant>
    181.        <TypeClass>String</TypeClass>
    182.        <ObjType>System.String</ObjType>
    183.        <Value>DBAudit_%</Value>
    184.      </Constant>
    185.    </Operator>
    186.    <Operator>
    187.      <TypeClass>Bool</TypeClass>
    188.      <OpType>LIKE</OpType>
    189.      <Count>2</Count>
    190.      <Attribute>
    191.        <TypeClass>String</TypeClass>
    192.        <Name>Name</Name>
    193.      </Attribute>
    194.      <Constant>
    195.        <TypeClass>String</TypeClass>
    196.        <ObjType>System.String</ObjType>
    197.        <Value>DBAudit_Spec_%</Value>
    198.      </Constant>
    199.    </Operator>
    200.  </Operator>
    201.  <Operator>
    202.    <TypeClass>Bool</TypeClass>
    203.    <OpType>EQ</OpType>
    204.    <Count>2</Count>
    205.    <Attribute>
    206.      <TypeClass>Bool</TypeClass>
    207.      <Name>Enabled</Name>
    208.    </Attribute>
    209.    <Function>
    210.      <TypeClass>Bool</TypeClass>
    211.      <FunctionType>True</FunctionType>
    212.      <ReturnType>Bool</ReturnType>
    213.      <Count>0</Count>
    214.    </Function>
    215.  </Operator>
    216. </Operator>', @is_name_condition=0, @obj_name=N'', @condition_id=@condition_id OUTPUT
    217. Select @condition_id
    218.  
    219. GO
    220.  
    221.  
    222.  
    223. --- ServerAudit_Condition
    224.  
    225. Declare @condition_id int
    226. EXEC msdb.dbo.sp_syspolicy_add_condition @name=N'ServerAudit_Condition', @description=N'', @facet=N'ServerAuditSpecification', @expression=N'<Operator>
    227.  <TypeClass>Bool</TypeClass>
    228.  <OpType>AND</OpType>
    229.  <Count>2</Count>
    230.  <Operator>
    231.    <TypeClass>Bool</TypeClass>
    232.    <OpType>AND</OpType>
    233.    <Count>2</Count>
    234.    <Operator>
    235.      <TypeClass>Bool</TypeClass>
    236.      <OpType>LIKE</OpType>
    237.      <Count>2</Count>
    238.      <Attribute>
    239.        <TypeClass>String</TypeClass>
    240.        <Name>AuditName</Name>
    241.      </Attribute>
    242.      <Constant>
    243.        <TypeClass>String</TypeClass>
    244.        <ObjType>System.String</ObjType>
    245.        <Value>SQLAudit_%</Value>
    246.      </Constant>
    247.    </Operator>
    248.    <Operator>
    249.      <TypeClass>Bool</TypeClass>
    250.      <OpType>LIKE</OpType>
    251.      <Count>2</Count>
    252.      <Attribute>
    253.        <TypeClass>String</TypeClass>
    254.        <Name>Name</Name>
    255.      </Attribute>
    256.      <Constant>
    257.        <TypeClass>String</TypeClass>
    258.        <ObjType>System.String</ObjType>
    259.        <Value>ServerAudit_%</Value>
    260.      </Constant>
    261.    </Operator>
    262.  </Operator>
    263.  <Operator>
    264.    <TypeClass>Bool</TypeClass>
    265.    <OpType>EQ</OpType>
    266.    <Count>2</Count>
    267.    <Attribute>
    268.      <TypeClass>Bool</TypeClass>
    269.      <Name>Enabled</Name>
    270.    </Attribute>
    271.    <Function>
    272.      <TypeClass>Bool</TypeClass>
    273.      <FunctionType>True</FunctionType>
    274.      <ReturnType>Bool</ReturnType>
    275.      <Count>0</Count>
    276.    </Function>
    277.  </Operator>
    278. </Operator>', @is_name_condition=0, @obj_name=N'', @condition_id=@condition_id OUTPUT
    279. Select @condition_id
    280.  
    281. GO
    282.  
    283.  
    284. ---ServerVersion
    285.  
    286. Declare @condition_id int
    287. EXEC msdb.dbo.sp_syspolicy_add_condition @name=N'ServerVersion', @description=N'', @facet=N'Server', @expression=N'<Operator>
    288.  <TypeClass>Bool</TypeClass>
    289.  <OpType>OR</OpType>
    290.  <Count>2</Count>
    291.  <Operator>
    292.    <TypeClass>Bool</TypeClass>
    293.    <OpType>EQ</OpType>
    294.    <Count>2</Count>
    295.    <Attribute>
    296.      <TypeClass>Numeric</TypeClass>
    297.      <Name>VersionMajor</Name>
    298.    </Attribute>
    299.    <Constant>
    300.      <TypeClass>Numeric</TypeClass>
    301.      <ObjType>System.Double</ObjType>
    302.      <Value>10</Value>
    303.    </Constant>
    304.  </Operator>
    305.  <Operator>
    306.    <TypeClass>Bool</TypeClass>
    307.    <OpType>EQ</OpType>
    308.    <Count>2</Count>
    309.    <Attribute>
    310.      <TypeClass>Numeric</TypeClass>
    311.      <Name>VersionMajor</Name>
    312.    </Attribute>
    313.    <Constant>
    314.      <TypeClass>Numeric</TypeClass>
    315.      <ObjType>System.Double</ObjType>
    316.      <Value>11</Value>
    317.    </Constant>
    318.  </Operator>
    319. </Operator>', @is_name_condition=0, @obj_name=N'', @condition_id=@condition_id OUTPUT
    320. Select @condition_id
    321.  
    322. GO

    Next are the policies:

    tsql
    Line number Off | Hide | Select all
    1. Declare @object_set_id int
    2. EXEC msdb.dbo.sp_syspolicy_add_object_set @object_set_name=N'Audit_Policy_ObjectSet', @facet=N'Audit', @object_set_id=@object_set_id OUTPUT
    3. Select @object_set_id
    4.  
    5. Declare @target_set_id int
    6. EXEC msdb.dbo.sp_syspolicy_add_target_set @object_set_name=N'Audit_Policy_ObjectSet', @type_skeleton=N'Server/Audit', @type=N'AUDIT', @enabled=True, @target_set_id=@target_set_id OUTPUT
    7. Select @target_set_id
    8.  
    9. EXEC msdb.dbo.sp_syspolicy_add_target_set_level @target_set_id=@target_set_id, @type_skeleton=N'Server/Audit', @level_name=N'Audit', @condition_name=N'', @target_set_level_id=0
    10. GO
    11.  
    12. Declare @policy_id int
    13. EXEC msdb.dbo.sp_syspolicy_add_policy @name=N'Audit_Policy', @condition_name=N'Audit_Condition', @policy_category=N'', @description=N'', @help_text=N'', @help_link=N'', @schedule_uid=N'00000000-0000-0000-0000-000000000000', @execution_mode=0, @is_enabled=False, @policy_id=@policy_id OUTPUT, @root_condition_name=N'ServerVersion', @object_set=N'Audit_Policy_ObjectSet'
    14. Select @policy_id
    15. GO
    16.  
    17. Declare @object_set_id int
    18. EXEC msdb.dbo.sp_syspolicy_add_object_set @object_set_name=N'DatabaseAudit_Policy_ObjectSet', @facet=N'DatabaseAuditSpecification', @object_set_id=@object_set_id OUTPUT
    19. Select @object_set_id
    20.  
    21. Declare @target_set_id int
    22. EXEC msdb.dbo.sp_syspolicy_add_target_set @object_set_name=N'DatabaseAudit_Policy_ObjectSet', @type_skeleton=N'Server/Database/DatabaseAuditSpecification', @type=N'DATABASEAUDITSPECIFICATION', @enabled=True, @target_set_id=@target_set_id OUTPUT
    23. Select @target_set_id
    24.  
    25. EXEC msdb.dbo.sp_syspolicy_add_target_set_level @target_set_id=@target_set_id, @type_skeleton=N'Server/Database/DatabaseAuditSpecification', @level_name=N'DatabaseAuditSpecification', @condition_name=N'', @target_set_level_id=0
    26. EXEC msdb.dbo.sp_syspolicy_add_target_set_level @target_set_id=@target_set_id, @type_skeleton=N'Server/Database', @level_name=N'Database', @condition_name=N'', @target_set_level_id=0
    27. GO
    28.  
    29. Declare @policy_id int
    30. EXEC msdb.dbo.sp_syspolicy_add_policy @name=N'DatabaseAudit_Policy', @condition_name=N'DatabaseAudit_Condition', @policy_category=N'', @description=N'', @help_text=N'', @help_link=N'', @schedule_uid=N'00000000-0000-0000-0000-000000000000', @execution_mode=0, @is_enabled=False, @policy_id=@policy_id OUTPUT, @root_condition_name=N'ServerVersion', @object_set=N'DatabaseAudit_Policy_ObjectSet'
    31. Select @policy_id
    32. GO
    33.  
    34. Declare @object_set_id int
    35. EXEC msdb.dbo.sp_syspolicy_add_object_set @object_set_name=N'ServerAudit_Policy_ObjectSet', @facet=N'ServerAuditSpecification', @object_set_id=@object_set_id OUTPUT
    36. Select @object_set_id
    37.  
    38. Declare @target_set_id int
    39. EXEC msdb.dbo.sp_syspolicy_add_target_set @object_set_name=N'ServerAudit_Policy_ObjectSet', @type_skeleton=N'Server/ServerAuditSpecification', @type=N'SERVERAUDITSPECIFICATION', @enabled=True, @target_set_id=@target_set_id OUTPUT
    40. Select @target_set_id
    41.  
    42. EXEC msdb.dbo.sp_syspolicy_add_target_set_level @target_set_id=@target_set_id, @type_skeleton=N'Server/ServerAuditSpecification', @level_name=N'ServerAuditSpecification', @condition_name=N'', @target_set_level_id=0
    43. GO
    44.  
    45. Declare @policy_id int
    46. EXEC msdb.dbo.sp_syspolicy_add_policy @name=N'ServerAudit_Policy', @condition_name=N'ServerAudit_Condition', @policy_category=N'', @description=N'', @help_text=N'', @help_link=N'', @schedule_uid=N'00000000-0000-0000-0000-000000000000', @execution_mode=0, @is_enabled=False, @policy_id=@policy_id OUTPUT, @root_condition_name=N'ServerVersion', @object_set=N'ServerAudit_Policy_ObjectSet'
    47. Select @policy_id
    48. GO

    This concludes the PBM monitoring for this series. the conditions can be changed as per your needs, and the name prefixes are only suggestions that will work well with a central repository.

    The Auditing Repository

    So you are capturing audits to a remote server, and they are all sitting there and getting backed up occasionally. Current value of the auditing? Zero, NULL.

    In this form they're not providing you with any insight. Let's rather pull it into a database. First off we need one:

    tsql
    Line number Off | Hide | Select all
    1. /*
    2. This is just a template to create a table that will host the audit information.
    3. Personally I would recommend to use the following format to name the table especially if it gets centralized:
    4.  
    5. For database audits:
    6. <DBAudit>_<Action>
    7.  
    8. For server audits:
    9. <SQLAudit>_<Action>
    10.  
    11. Then personally I use the following for the specifications:
    12.  
    13. <ServerAudit>_<Action>
    14. <DBAudit>_<Spec>_<Action>
    15.  
    16. This makes it easier for naming the tables where I would take the following approach:
    17.  
    18. <SERVERNAME>_<AUDIT>_<ACTIONS>_<DATABASE_NAME> (OPTIONAL for database audits)
    19. */
    20.  
    21. if exists(select name from sys.databases where name = '[AuditingLogs]')
    22. drop database [AuditingLogs];
    23. go
    24.  
    25. CREATE DATABASE [AuditingLogs];
    26. go
    27.  
    28. USE [AuditingLogs];
    29. GO;
    30.  
    31. CREATE TABLE [dbo].[AuditTable_Template](
    32.     [event_time] [datetime2](7) NOT NULL,
    33.     [sequence_number] [int] NULL,
    34.     [action_id] [char](4) NULL,
    35.     [succeeded] [bit] NULL,
    36.     [permission_bitmask] [bigint] NULL,
    37.     [is_column_permission] [bit] NULL,
    38.     [session_id] [int] NULL,
    39.     [server_principal_id] [int] NULL,
    40.     [database_principal_id] [int] NULL,
    41.     [target_server_principal_id] [int] NULL,
    42.     [target_database_principal_id] [int] NULL,
    43.     [object_id] [int] NULL,
    44.     [class_type] [char](2) NULL,
    45.     [session_server_principal_name] [nchar](30) NULL,
    46.     [server_principal_name] [nchar](30) NULL,
    47.     [server_principal_sid] [varbinary](50) NULL,
    48.     [database_principal_name] [nchar](30) NULL,
    49.     [target_server_principal_name] [nchar](30) NULL,
    50.     [target_server_principal_sid] [varbinary](50) NULL,
    51.     [target_database_principal_name] [nchar](30) NULL,
    52.     [server_instance_name] [nvarchar](120) NULL,
    53.     [database_name] [nvarchar](120) NULL,
    54.     [schema_name] [nvarchar](120) NULL,
    55.     [object_name] [nvarchar](120) NULL,
    56.     [statement] [nvarchar](4000) NULL,
    57.     [additional_information] [nvarchar](4000) NULL,
    58.     [file_name] [varchar](260) NULL,
    59.     [audit_file_offset] [bigint] NULL,
    60.     [user_defined_event_id] [bit] NULL,
    61.     [user_defined_information] [nvarchar](4000) NULL,
    62.  CONSTRAINT [PK_AuditTable_Template] PRIMARY KEY CLUSTERED
    63. (
    64.     [event_time] ASC
    65. )WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
    66. ) ON [PRIMARY]
    67.  
    68. GO
    69. SET ANSI_PADDING OFF
    70. GO

    This gives us our database, you can just move you files to the correct directory as well as add all the secondary files and file groups you need to sustain this. There is also a table "template" with which to create your tables. Each table will be specific to an audit file.

    Next we need to get the audit information into the database, below is the script I used and can be modified to fit into either a SQL Job or SSIS package.

    tsql
    Line number Off | Hide | Select all
    1. /*
    2. This script contains some insert statements as to how you will go about inserting your captured audit events into a SQL database.
    3. Note that I am using event_time as this is the most unique value that will be written down. I am also reading all the information
    4. into the database as you may need this for regulatory requirements.
    5. */
    6.  
    7. USE AuditingLogs;
    8. go
    9.  
    10.  
    11. INSERT  INTO AuditingLogs.dbo.[Table]
    12.         SELECT  *
    13.         FROM    sys.fn_get_audit_file(file'*.sqlaudit',
    14.                                       DEFAULT, DEFAULT) gaf
    15.         WHERE   gaf.event_time NOT IN ( SELECT  event_time
    16.                                         FROM    table )
    17.  
    18.  
    19. INSERT  INTO AuditingLogs.dbo.[Table]
    20.         SELECT  *
    21.         FROM    sys.fn_get_audit_file('file*.sqlaudit',
    22.                                       DEFAULT, DEFAULT) gaf
    23.         WHERE   gaf.event_time NOT IN ( SELECT  event_time
    24.                                         FROM    table  )
    25.  
    26.  
    27. INSERT  INTO AuditingLogs.dbo.[Table]
    28.         SELECT  *
    29.         FROM    sys.fn_get_audit_file('file*.sqlaudit',
    30.                                       DEFAULT, DEFAULT) gaf
    31.         WHERE   gaf.event_time NOT IN ( SELECT  event_time
    32.                                         FROM    table  )

    This is currently very basic, and I included some comments into the scripts to give you an overview of what is going on.

    For one of the audits used in demoing the SQL Server Auditing feature, I pulled all the information into a table. As per the sys.fn_get_audit_file we can return the same results from the table. In the following example I'm using sys.dm_audit_actions to join to the table to make the information more clear:

    tsql
    Line number Off | Hide | Select all
    1. USE AuditingLogs ;
    2. go
    3.  
    4. SELECT  del.[event_time] ,
    5.         aa.name ,
    6.         aa.action_in_log ,
    7.         del.[session_id] ,
    8.         del.[session_server_principal_name] ,
    9.         del.[server_instance_name] ,
    10.         del.[database_name] ,
    11.         del.[object_name] ,
    12.         del.[statement]
    13. FROM    [dbo].[SQL2012_DBAudit_Deletes] del
    14.         JOIN sys.dm_audit_actions aa ON aa.action_id = del.action_id
    15. ORDER BY del.event_time ASC

    This is the result:

    Currently the database is only hosting the information and it will be nice if Microsoft will add the ability to audit directly to a table in future versions of SQL Server.

    Closing the Chapter

    The auditing feature very useful, and is significantly more so than C2 auditing due to the level of granularity. This is also one of the drawbacks; if the auditing is not well planned out it can bring your database or even server to its knees. As with all auditing mechanisms this feature can chew it's way through SAN and a lot of thought needs to go into planning this, and if done so, will pay off greatly in the end. With filtering included in SQL Server 2012 it relieves some of this drawbacks in terms of the impact across a SQL Server instance. Overall I think it's a great feature, and it still has the ability to improve greatly.

    Below are the links to the rest of the series:

    SQL Server Auditing: Introduction
    SQL Server Auditing: Creating a Server Specification
    SQL Server Auditing: Creating a Database Specification
    SQL Server Auditing: Managing Your Audits

    Note. Keep an eye on LessThanDot.com to see some cool things happen to the audit repository!!!

    About the Author

    Stephan specializes in MS SQL Server technology stack with the main focus on the database engine component as well as high availability, automation, troubleshooting and optimization. Currently he holds a position at Microsoft South Africa (EMEA) as a Premier Field Engineer for MS SQL Server, to support multiple Premier customers.
    Social SitingsTwitterLinkedInLTD RSS Feed
    1238 views
    Read More Posts by SQLArcher
    InstapaperVote on HN

    No feedback yet

    Leave a comment


    Your email address will not be revealed on this site.

    To mislead the spambots.

    Your URL will be displayed.
    (Line breaks become <br />)
    (Name, email & website)
    (Allow users to contact you through a message form (your email will not be revealed.)

    Powered by B2Evolution
    Valid XHTML | Valid CSS