Login or Sign Up to become a member!
LessThanDot Sit Logo

LessThanDot

Data Management

Less Than Dot is a community of passionate IT professionals and enthusiasts dedicated to sharing technical knowledge, experience, and assistance. Inside you will find reference materials, interesting technical discussions, and expert tips and commentary. Once you register for an account you will have immediate access to the forums and all past articles and commentaries.

LTD Social Sitings

Lessthandot twitter Lessthandot Linkedin Lessthandot friendfeed Lessthandot facebook Lessthandot rss

Note: Watch for social icons on posts by your favorite authors to follow their postings on these and other social sites.

Your profile

    Tools

    Tag cloud

    azure book business intelligence ctp database dates denali dmv functions gotcha high availability how to howto indexing mirroring performance sql sql friday sql server sql server 2000 sql server 2005 sql server 2008 sql server 2008 r2 sql server 2012 sql server denali sql server integration services ssis t-sql tip trick

    Authors

    Main Categories

    Search

    XML Feeds

    What is RSS?

    Google Ads

    « Scripting data in SQL Server 2012Displaying and Saving Unicode data in Visual FoxPro desktop application »
    1
    comments

    SQL Server Auditing: Managing Your Audits

    by SQLArcher on Jan 02, 2012 in categories Database Administration, Microsoft SQL Server Admin
    Instapaper

    So far in the SQL Server Audit series we've looked at the different components that make up the auditing feature as well as how to create the audits with specifications specific to databases as well as server level.

    Here is the links to the posts covering the topics:

    SQL Server Auditing: Introduction
    SQL Server Auditing: Creating a Server Specification
    SQL Server Auditing: Creating a Database Specification

    Now that we have set up our audits covering failed logins on instance level and deletes on database level, let's take a look at how we can see what audits are on a server as well as some views to make your life easier with reading the audit files.

    DMV's and Views

    First off, let's see what views are available at our disposal:

    tsql
    Line number Off | Hide | Select all
    1. USE master;
    2. GO
    3. SELECT name,[object_id] FROM [sys].[all_objects]
    4. WHERE TYPE = 'v' AND NAME LIKE '%audit%';
    5. GO

    This returns the following for us:

    DMV's

    So what does the audit DMV's do? Let's take a look:

    sys.dm_audit_actions

    This DMV contains friendlier names, as well as all the actions as well as which action groups they belong to across database and server level specifications.

    sys.dm_audit_class_type_map

    This contains all the audit classes and action groups available.

    sys.dm_server_audit_status

    This takes a specific look at the audits defined on the server and returns info such as what audits are enabled, statuses for the audits, event times, etc.

    Sys.dm_audit_class_type_map and sys.dm_audit_actions are especially useful to join with the other views to get a more easily readable report on the audits, or to join it with the fn_get_audit_file function when reading audit files.

    Server Views

    The server views are split up into two "sections", one for the audits, and the second for the server specification details.

    Audits:
    sys.server_audits
    sys.server_file_audits

    These views contain details about the server level audits defined on the server, This returns information such as audit names, file names and paths, audit id's, statuses, etc.

    Specification:
    sys.server_audit_specification_details
    sys.server_audit_specifications

    These views are very helpful when you have multiple audits on a server, and matching the various defined audit actions as well as their groups to audits.

    Database Views

    The database views available are almost identical to the server level ones, except the fact that it's specific to databases, and that there are no "audit" views; only for database specifications. Another thing to note is, that these views won't return information across databases on an instance, this needs to be executed per database.

    sys.database_audit_specification_details
    sys.database_audit_specifications

    The views return the specification names, enabled audit actions, audit results, etc.

    Now that we've got the views covered, a question still lingers... "How do we manage audits across multiple servers?" Well the answer is quite simple, we make use of another new feature introduced in SQL Server 2008 which is Policy Based Management, otherwise known as PBM.

    So PBM is a subject on it's own, so I will not go in depth into this topic.

    A key resource required for monitoring your environment is the Enterprise Policy Framework.

    Below is a test policy I created for the post and will monitor the audits for the following:

    1. Maximum File Size
    2. On Failure Action
    3. Reserve Disk Space
    4. Maximum Rollover Files
    5. Maximum File Size Unit ( MB, GB or TB )

    tsql
    Line number Off | Hide | Select all
    1. -- Creates the policy condition
    2.  
    3. Declare @condition_id int
    4. EXEC msdb.dbo.sp_syspolicy_add_condition @name=N'Audit_Policy_Con', @description=N'', @facet=N'Audit', @expression=N'<Operator>
    5.  <TypeClass>Bool</TypeClass>
    6.  <OpType>AND</OpType>
    7.  <Count>2</Count>
    8.  <Operator>
    9.    <TypeClass>Bool</TypeClass>
    10.    <OpType>AND</OpType>
    11.    <Count>2</Count>
    12.    <Operator>
    13.      <TypeClass>Bool</TypeClass>
    14.      <OpType>AND</OpType>
    15.      <Count>2</Count>
    16.      <Operator>
    17.        <TypeClass>Bool</TypeClass>
    18.        <OpType>AND</OpType>
    19.        <Count>2</Count>
    20.        <Operator>
    21.          <TypeClass>Bool</TypeClass>
    22.          <OpType>EQ</OpType>
    23.          <Count>2</Count>
    24.          <Attribute>
    25.            <TypeClass>Numeric</TypeClass>
    26.            <Name>MaximumFileSize</Name>
    27.          </Attribute>
    28.          <Constant>
    29.            <TypeClass>Numeric</TypeClass>
    30.            <ObjType>System.Double</ObjType>
    31.            <Value>100</Value>
    32.          </Constant>
    33.        </Operator>
    34.        <Operator>
    35.          <TypeClass>Bool</TypeClass>
    36.          <OpType>EQ</OpType>
    37.          <Count>2</Count>
    38.          <Attribute>
    39.            <TypeClass>Numeric</TypeClass>
    40.            <Name>OnFailure</Name>
    41.          </Attribute>
    42.          <Function>
    43.            <TypeClass>Numeric</TypeClass>
    44.            <FunctionType>Enum</FunctionType>
    45.            <ReturnType>Numeric</ReturnType>
    46.            <Count>2</Count>
    47.            <Constant>
    48.              <TypeClass>String</TypeClass>
    49.              <ObjType>System.String</ObjType>
    50.              <Value>Microsoft.SqlServer.Management.Smo.OnFailureAction</Value>
    51.            </Constant>
    52.            <Constant>
    53.              <TypeClass>String</TypeClass>
    54.              <ObjType>System.String</ObjType>
    55.              <Value>Continue</Value>
    56.            </Constant>
    57.          </Function>
    58.        </Operator>
    59.      </Operator>
    60.      <Operator>
    61.        <TypeClass>Bool</TypeClass>
    62.        <OpType>EQ</OpType>
    63.        <Count>2</Count>
    64.        <Attribute>
    65.          <TypeClass>Bool</TypeClass>
    66.          <Name>ReserveDiskSpace</Name>
    67.        </Attribute>
    68.        <Function>
    69.          <TypeClass>Bool</TypeClass>
    70.          <FunctionType>False</FunctionType>
    71.          <ReturnType>Bool</ReturnType>
    72.          <Count>0</Count>
    73.        </Function>
    74.      </Operator>
    75.    </Operator>
    76.    <Operator>
    77.      <TypeClass>Bool</TypeClass>
    78.      <OpType>EQ</OpType>
    79.      <Count>2</Count>
    80.      <Attribute>
    81.        <TypeClass>Numeric</TypeClass>
    82.        <Name>MaximumRolloverFiles</Name>
    83.      </Attribute>
    84.      <Constant>
    85.        <TypeClass>Numeric</TypeClass>
    86.        <ObjType>System.Double</ObjType>
    87.        <Value>100</Value>
    88.      </Constant>
    89.    </Operator>
    90.  </Operator>
    91.  <Operator>
    92.    <TypeClass>Bool</TypeClass>
    93.    <OpType>EQ</OpType>
    94.    <Count>2</Count>
    95.    <Attribute>
    96.      <TypeClass>Numeric</TypeClass>
    97.      <Name>MaximumFileSizeUnit</Name>
    98.    </Attribute>
    99.    <Function>
    100.      <TypeClass>Numeric</TypeClass>
    101.      <FunctionType>Enum</FunctionType>
    102.      <ReturnType>Numeric</ReturnType>
    103.      <Count>2</Count>
    104.      <Constant>
    105.        <TypeClass>String</TypeClass>
    106.        <ObjType>System.String</ObjType>
    107.        <Value>Microsoft.SqlServer.Management.Smo.AuditFileSizeUnit</Value>
    108.      </Constant>
    109.      <Constant>
    110.        <TypeClass>String</TypeClass>
    111.        <ObjType>System.String</ObjType>
    112.        <Value>Mb</Value>
    113.      </Constant>
    114.    </Function>
    115.  </Operator>
    116. </Operator>', @is_name_condition=0, @obj_name=N'', @condition_id=@condition_id OUTPUT
    117. Select @condition_id
    118.  
    119. GO
    120.  
    121. -- Creates the Policy
    122.  
    123. Declare @object_set_id int
    124. EXEC msdb.dbo.sp_syspolicy_add_object_set @object_set_name=N'Audit_Policy_ObjectSet', @facet=N'Audit', @object_set_id=@object_set_id OUTPUT
    125. Select @object_set_id
    126.  
    127. Declare @target_set_id int
    128. EXEC msdb.dbo.sp_syspolicy_add_target_set @object_set_name=N'Audit_Policy_ObjectSet', @type_skeleton=N'Server/Audit', @type=N'AUDIT', @enabled=True, @target_set_id=@target_set_id OUTPUT
    129. Select @target_set_id
    130.  
    131. EXEC msdb.dbo.sp_syspolicy_add_target_set_level @target_set_id=@target_set_id, @type_skeleton=N'Server/Audit', @level_name=N'Audit', @condition_name=N'', @target_set_level_id=0
    132. GO
    133.  
    134. Declare @policy_id int
    135. EXEC msdb.dbo.sp_syspolicy_add_policy @name=N'Audit_Policy', @condition_name=N'Audit_Policy_Con', @policy_category=N'', @description=N'', @help_text=N'', @help_link=N'', @schedule_uid=N'00000000-0000-0000-0000-000000000000', @execution_mode=0, @is_enabled=False, @policy_id=@policy_id OUTPUT, @root_condition_name=N'', @object_set=N'Audit_Policy_ObjectSet'
    136. Select @policy_id
    137. GO

    This is just a basic policy using the "audit" facet. There are additional facets for Database Audit Specifications as well as Server Audit Specifications.

    Additionally if you decide to use the Enterprise Policy Framework, it should be noted that you need an additional condition to be set up on the policy that will only evaluate the policy against SQL Server 2008+.

    Last Thoughts

    These are the views we can use to discover what audits are running across an instance or databases, which actions we are auditing for and a brief policy we can use when we have to manage the audit files specifically to ensure we have a set standard.

    About the Author

    Stephan specializes in MS SQL Server technology stack with the main focus on the database engine component as well as high availability, automation, troubleshooting and optimization. Currently he holds a position at Microsoft South Africa (EMEA) as a Premier Field Engineer for MS SQL Server.
    Social SitingsTwitterLinkedInLTD RSS Feed
    548 views
    Read More Posts by SQLArcher
    Instapaper

    1 comment

    Comment from: Server Audit [Visitor] · http://www.stealthbits.com/
    Server Audit Hi,

    Thanks for sharing such a informative post.You have explained very easily that everyone understand that.Its very helpful.
    01/23/12 @ 20:48

    Leave a comment


    Your email address will not be revealed on this site.

    Your URL will be displayed.
    (Line breaks become <br />)
    (Name, email & website)
    (Allow users to contact you through a message form (your email will not be revealed.)

    Powered by B2Evolution
    Valid XHTML | Valid CSS