- Audit on SQL Server (Server Audit)
- How to Create an Audit to Monitor Job Creation, Modification, and Deletion in SQL Server
- How to create an Audit trigger to log object manipulation in SQL Server
- SQL Server - How to implement audit and control of logins (Logon Trigger)
- Monitoring DDL and DCL Operations Using SQL Server fn_trace_gettable
- Using SQL Server Standard Trace to Audit Events (fn_trace_gettable)
- SQL Server - Permissions and privileges audit trigger at database and instance level (GRANT and REVOKE)
- SQL Server - How to Monitor and Audit Data Changes in Tables Using Change Data Capture (CDC)
- SQL Server 2016 - How to “Time Travel” Using the Temporal Tables Feature
- SQL Server - How to use auditing to map actual required permissions on a user
- SQL Server - Trigger to prevent and prevent changes to tables
- SQL Server - How to Create a Data Change History for Your Tables (Audit Logs)
- SQL Server - How to Avoid Brute Force Attacks on Your Database
- SQL Server Security Checklist - An SP with more than 70 security items to validate your database.
- SQL Server - How to know the date of a user's last login
- SQL Server - How to Avoid and Protect Against Ransomware Attacks Like WannaCry on Your Database Server
- SQL Server – Beware of server role securityadmin! Using privilege elevation to become sysadmin
- SQL Server - How to Avoid SQL Injection? Stop using Dynamic Query as EXEC (@Query). Now.
- SQL Server - Understanding the Risks of TRUSTWORTHY Property Enabled in a Database
- SQL Server - Password Policies, Password Expiration, Mandatory Password Change, and Login Lockout after N attempts
Hello guys!
Good night!
In this post I will demonstrate how to create Server Audit in SQL Server. This feature is very interesting for auditing DDL and / or DML (Database Audit Specification) actions performed by a user or application or even the instance itself (Server Audit Specification).
Creating an interface audit (GUI)
Open SQL Server Management Studio, select the category Security> Audits> Right click> Select the option “New Audit…”
When you set auditing, recorded data can be saved in 3 ways:
- File: A physical file is generated on disk containing the data collected by the audit.
- Security Log: Data collected by the audit is stored in the server security log.
- Application Log: Data collected by the audit is stored in the server application log.
In this post, I will choose to burn to physical file on disk. By selecting this option you can still specify the file name where it will be saved, the maximum size and choose whether you already want to pre-reserve this maximum disk space (ie if you choose the maximum size of 10 GB, SQL Server will already create this file with allocated space 10 GB)
After creating the Audit, you must enable it by right clicking on it in the Object Explorer and then selecting the option “Enable Audit”
Creating a server-level audit (Server Audit Specification)
Now that the audit object has been created, we can create the audit definition object (Server Audit Specification).
Select the instance and select the Security category> Server Audit Specification> Right click> Select the “New Server Audit Specification” option
In this screen, you can define what you want to monitor, as shown below:
After choosing the audit types (in this example, I want to audit database creation / deletion), click OK and enable the audit specification:
Creating a database audit (Database Audit Specification)
A very nice feature that can often replace the use of triggers is the creation of database level audit routines. In this example, I will create an audit to record changes made to a specific table.
To create a database-level audit, select the instance and then the database to be audited, expand the Security category, select the Database Audit Specifications sub-category, right-click and select the “New Database Audit Specification ”
In this screen we can define what we want to audit in this database.
In the above configuration, I set to audit the following operations:
- DELETEs performed in the Tests database by the user “Usuario_Teste”
- INSERTs made in the Customers table made by any user.
- INSERTs on any object in the dbo schema, made by any user.
After performing the configuration, remember to activate the audit by right clicking on it and selecting the option “Enable Database Audit Specification” and your audit is activated!
Viewing collected data
To view the data that was collected by the Audit, just right-click on the Audit (not the Specification) and select the option “View Audit Logs”
Creating a command line audit
After all this post explaining how to create database and server audits using the SQL Server Management Studio screens, I will briefly explain how to create these same audits via command line, which is a much more practical way to replicate across multiple servers and fix more. knowledge of the DBA.
With the commands below, I already create auditing (and active), server and database auditing (both already enabled as well).
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | USE [master] GO CREATE SERVER AUDIT [Auditoria_Arquivo] TO FILE ( FILEPATH = N'C:\' ,MAXSIZE = 100 MB ,MAX_ROLLOVER_FILES = 2147483647 ,RESERVE_DISK_SPACE = OFF ) WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ) GO ALTER SERVER AUDIT Auditoria_Arquivo WITH (STATE = ON) CREATE SERVER AUDIT SPECIFICATION [Criação de Banco de Dados] FOR SERVER AUDIT [Auditoria_Arquivo] ADD (DATABASE_CHANGE_GROUP) WITH (STATE = ON) GO USE [Testes] GO CREATE DATABASE AUDIT SPECIFICATION [Audita_DML] FOR SERVER AUDIT [Auditoria_Arquivo] ADD (DELETE ON DATABASE::[Testes] BY [Usuario_Teste]), ADD (INSERT ON SCHEMA::[dbo] BY [public]), ADD (INSERT ON OBJECT::[dbo].[Clientes] BY [public]) WITH (STATE = ON) GO |
Viewing the logs
Using simple queries, we can easily read the monitored data and work with this information:
| 1 2 3 4 5 6 7 | -- Retorna as informações de um arquivo específico SELECT * FROM Sys.fn_get_audit_file('C:\Auditoria_Arquivo_75804C51-45C9-423C-B570-B24202AD13D3_0_130899437085570000.sqlaudit',default,default) -- Retorna as informações de todos os arquivos SELECT event_time,action_id,server_principal_name,statement,* FROM Sys.fn_get_audit_file('C:\*.sqlaudit',default,default) |
And the visualized data looks like this:
Thank you and see you next time!
Hello, seeing the audit logs (inserts, deletes, updates) only appears the @ variables and not the contents, as they arrive on the server. Any parameters?
Sandro, the audit does not capture the same content. The idea is just to audit what was done and by whom. To create a change history, you must implement audit trigger or cdc I quoted)
A pity Dirceu, because knowing what has changed in terms of data is basic to any audit, but it was worth it. Another question, can you know if it was the user of the database that the application uses or a person with knowledge of this user and password who accessed a machine and ran the command via query analyzer?
Is it possible to display the IP or name of the client machine that performed the operation on the server?
Hello good day. This is not possible with SQL Audit, but you can get this information using SQL Profiler (Trace). Take a look at this post that I demonstrate how to use this feature: http://www.dirceuresende.com/blog/sql-server-como-auditar-erros-de-permissao-em-objetos-utilizando-o-sql-profiler-trace/
Excellent Post Dirceu! Very simple and practical. I followed the walkthrough and created an audit within minutes. Just complementing the post, some editions of SQL Server (Bussiness Intelligence, Standard, Web, and Express) do not support database level auditing, only at server level. Below is a link for reference. hug
https://www.logbinder.com/Content/Blog.aspx?p=d1f5efd3-d0a8-4c3e-82a5-6c8fc7e7f672
Thanks Luiz Vitor! Thanks for the info 🙂