SQL Server - How to Implement Audit and Logon Control (Logon Trigger)

Views: 6.993 views

In this article

This post is the 4 part of 20 in the series. Security and Audit

Reading Time: 8 minutes

Hello people,
Good afternoon!

In this post I will demonstrate to you some cool features of logon triggers such as creating an audit log for each user who connects to your database, blocking connections from a user / IP / Hostname and blocking connections at a certain time.

NOTICE

First of all, I would like to warn you about DANGER when using logon triggering. Keep in mind that this trigger will be executed every time a new connection is opened in the database. In addition to slowing down the logon process according to your trigger code, if the user is not allowed to perform any trigger operation or even if the trigger has any errors, you can prevent ALL users from instance connect to SQL Server.

That is, BE VERY CAREFUL, because you can stop the instance if you activate a trigger without first testing it very well. Before enabling a logon trigger, I always recommend activating the DAC connection, to ensure that you can connect to the instance in case the trigger has problems. Another tip is to always leave a user on the list of exceptions (like the “sa” in the example) in case the trigger has an error, it is easier to connect to the instance to drop the trigger.

To know how to do this, visit my article. Enabling and using dedicated remote administrator connection (DAC) in SQL Server.

If you have already created the trigger, it is preventing users from connecting, you have not enabled the DAC connection, and are already having trouble logging in to the instance, an alternative is to add the -f parameter at startup of the SQL Server service to start SQL Server with minimal configuration, drop the trigger and restart the service without -f.

Auditing and logging Logins performed

In this code snippet I will demonstrate how to create a connection log for auditing users who connect to your database.

I added some filters to avoid logging in system users (Ex: SA), connections from software that are constantly connecting to the database (Ex: RedGate SQL Prompt and Managment Studio Intellisense).

I also added a feature to try to identify the AD user name that is logging into the database using an SQL user. I don't know a way to do this 100%, so I retrieve the last AD user who logged in on this hostname where the SQL user is.

Finally, I added another filter to avoid writing multiple repeating lines, making sure it was already written within a range of 1h, a connection to the same user, hostname, and SPID.

Implementation:
View source

USE [master]
GO

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgAudit_Login') > 0) DROP TRIGGER [trgAudit_Login] ON ALL SERVER
GO

CREATE TRIGGER [trgAudit_Login] ON ALL SERVER 
FOR LOGON 
AS
BEGIN


    SET NOCOUNT ON
    
    
    -- Não loga conexões de usuários de sistema
    IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM') OR ORIGINAL_LOGIN() LIKE '%SQLServerAgent')
        RETURN
        
        
    -- Não loga conexões de softwares que ficam se conectando constantemente
    IF (PROGRAM_NAME() LIKE 'Red Gate%' OR PROGRAM_NAME() LIKE '%IntelliSense%' OR PROGRAM_NAME() = 'Microsoft SQL Server')
        RETURN


    IF (OBJECT_ID('Auditoria.dbo.Logins') IS NULL)
    BEGIN
    
        -- DROP TABLE Auditoria.dbo.Logins
        CREATE TABLE Auditoria.dbo.Logins (
            Id_Auditoria INT IDENTITY(1,1),
            Dt_Evento DATETIME,
            SPID SMALLINT,
            Ds_Usuario VARCHAR(100) NULL,
            Ds_Usuario_Original VARCHAR(100) NULL,
            Ds_Tipo_Usuario VARCHAR(30) NULL,
            Ds_Ip VARCHAR(30) NULL,
            Ds_Hostname VARCHAR(100) NULL,
            Ds_Software VARCHAR(500) NULL
        )

        CREATE CLUSTERED INDEX SK01 ON Auditoria.dbo.Logins(Id_Auditoria)

    END


    
    DECLARE 
        @Evento XML, 
        @Dt_Evento DATETIME,
        @Ds_Usuario VARCHAR(100),
        @Ds_Usuario_Original VARCHAR(100),
        @Ds_Tipo_Usuario VARCHAR(30),
        @Ds_Ip VARCHAR(30),
        @SPID SMALLINT,
        @Ds_Hostname VARCHAR(100),
        @Ds_Software VARCHAR(100)
        


    SET @Evento = EVENTDATA()

    
    SELECT 
        @Dt_Evento = @Evento.value('(/EVENT_INSTANCE/PostTime/text())[1]','datetime'),
        @Ds_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginName/text())[1]','varchar(100)'),
        @Ds_Tipo_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginType/text())[1]','varchar(30)'),
        @Ds_Hostname = HOST_NAME(),
        @Ds_Ip = @Evento.value('(/EVENT_INSTANCE/ClientHost/text())[1]','varchar(100)'),
        @SPID = @Evento.value('(/EVENT_INSTANCE/SPID/text())[1]','smallint'),
        @Ds_Software = PROGRAM_NAME()
         

    -- Identifica o usuário original caso seja um usuário SQL
    IF (LEFT(@Ds_Tipo_Usuario, 7) != 'Windows')
    BEGIN
            
        SELECT @Ds_Usuario_Original = (
            SELECT 
                A.Ds_Usuario
            FROM 
                Auditoria.dbo.Logins A
                JOIN (
                    SELECT Ds_Hostname, MAX(Id_Auditoria) AS Id_MAX
                    FROM Auditoria.dbo.Logins	WITH(NOLOCK)
                    WHERE Ds_Tipo_Usuario LIKE 'Windows%'
                    GROUP BY Ds_Hostname
                ) B ON A.Ds_Hostname = B.Ds_Hostname AND A.Id_Auditoria = B.Id_MAX
        )

    END	


    -- Evita gravar várias vezes um mesmo login
    DECLARE @Dt_Ultima_Data DATETIME
    SELECT @Dt_Ultima_Data = MAX(Dt_Evento)
    FROM Auditoria.dbo.Logins
    WHERE Ds_Usuario = @Ds_Usuario
    AND SPID = @SPID
    

    
    IF (DATEDIFF(SECOND, ISNULL(@Dt_Ultima_Data, '1990-01-01'), @Dt_Evento) > 1)
    BEGIN
    
        INSERT INTO Auditoria.dbo.Logins
        SELECT 
            GETDATE(),
            @SPID,
            @Ds_Usuario,
            @Ds_Usuario_Original,
            @Ds_Tipo_Usuario,
            @Ds_Ip,
            @Ds_Hostname,
            @Ds_Software

    END
            

END
GO

ENABLE TRIGGER [trgAudit_Login] ON ALL SERVER  
GO

USE [Auditoria]
GO

GRANT SELECT, INSERT ON dbo.Logins TO [public]
GO

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

USE [master]

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgAudit_Login') > 0) DROP TRIGGER [trgAudit_Login] ON ALL SERVER

CREATE TRIGGER [trgAudit_Login] ON ALL SERVER

FOR LOGON

BEGIN

SET NOCOUNT ON

-- Não loga conexões de usuários de sistema

IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM') OR ORIGINAL_LOGIN() LIKE '%SQLServerAgent')

RETURN

-- Não loga conexões de softwares que ficam se conectando constantemente

IF (PROGRAM_NAME() LIKE 'Red Gate%' OR PROGRAM_NAME() LIKE '%IntelliSense%' OR PROGRAM_NAME() = 'Microsoft SQL Server')

RETURN

IF (OBJECT_ID('Auditoria.dbo.Logins') IS NULL)

BEGIN

-- DROP TABLE Auditoria.dbo.Logins

CREATE TABLE Auditoria.dbo.Logins (

Id_Auditoria INT IDENTITY(1,1),

Dt_Evento DATETIME,

SPID SMALLINT,

Ds_Usuario VARCHAR(100) NULL,

Ds_Usuario_Original VARCHAR(100) NULL,

Ds_Tipo_Usuario VARCHAR(30) NULL,

Ds_Ip VARCHAR(30) NULL,

Ds_Hostname VARCHAR(100) NULL,

Ds_Software VARCHAR(500) NULL

)

CREATE CLUSTERED INDEX SK01 ON Auditoria.dbo.Logins(Id_Auditoria)

END

DECLARE

@Evento XML,

@Dt_Evento DATETIME,

@Ds_Usuario VARCHAR(100),

@Ds_Usuario_Original VARCHAR(100),

@Ds_Tipo_Usuario VARCHAR(30),

@Ds_Ip VARCHAR(30),

@SPID SMALLINT,

@Ds_Hostname VARCHAR(100),

@Ds_Software VARCHAR(100)

SET @Evento = EVENTDATA()

SELECT

@Dt_Evento = @Evento.value('(/EVENT_INSTANCE/PostTime/text())[1]','datetime'),

@Ds_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginName/text())[1]','varchar(100)'),

@Ds_Tipo_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginType/text())[1]','varchar(30)'),

@Ds_Hostname = HOST_NAME(),

@Ds_Ip = @Evento.value('(/EVENT_INSTANCE/ClientHost/text())[1]','varchar(100)'),

@SPID = @Evento.value('(/EVENT_INSTANCE/SPID/text())[1]','smallint'),

@Ds_Software = PROGRAM_NAME()

-- Identifica o usuário original caso seja um usuário SQL

IF (LEFT(@Ds_Tipo_Usuario, 7) != 'Windows')

BEGIN

SELECT @Ds_Usuario_Original = (

SELECT

A.Ds_Usuario

FROM

Auditoria.dbo.Logins A

JOIN (

SELECT Ds_Hostname, MAX(Id_Auditoria) AS Id_MAX

FROM Auditoria.dbo.Logins WITH(NOLOCK)

WHERE Ds_Tipo_Usuario LIKE 'Windows%'

GROUP BY Ds_Hostname

) B ON A.Ds_Hostname = B.Ds_Hostname AND A.Id_Auditoria = B.Id_MAX

)

END

-- Evita gravar várias vezes um mesmo login

DECLARE @Dt_Ultima_Data DATETIME

SELECT @Dt_Ultima_Data = MAX(Dt_Evento)

FROM Auditoria.dbo.Logins

WHERE Ds_Usuario = @Ds_Usuario

AND SPID = @SPID

IF (DATEDIFF(SECOND, ISNULL(@Dt_Ultima_Data, '1990-01-01'), @Dt_Evento) > 1)

BEGIN

INSERT INTO Auditoria.dbo.Logins

SELECT

GETDATE(),

@SPID,

@Ds_Usuario,

@Ds_Usuario_Original,

@Ds_Tipo_Usuario,

@Ds_Ip,

@Ds_Hostname,

@Ds_Software

END

ENABLE TRIGGER [trgAudit_Login] ON ALL SERVER

USE [Auditoria]

GRANT SELECT, INSERT ON dbo.Logins TO [public]

Results:

Remember to review the name of the tables in this trigger very well when implementing in your environment. Otherwise, you will probably create a “buggy” trigger and prevent users from logging into your instance, as shown in the error message below:

Another note in this code is that this trigger writes data to some tables in the database, that is, the user connecting to the database will need permissions to write the data in this table, and the user created in the database of that table. For this reason, I added the grant command to the table for role public.

Another way to get around this is to use the EXECUTE AS clause 'login_com_permissao', so that the trigger will be executed with the permission of that EXECUTE AS user, but will record the data of the real user who is counting, avoiding the need to having to create all users in the database and release the permissions, looking like this:

CREATE TRIGGER [trgAudit_Login] ON ALL SERVER 
WITH EXECUTE AS 'dirceu.resende'
FOR LOGON
[...]

CREATE TRIGGER [trgAudit_Login] ON ALL SERVER

WITH EXECUTE AS 'dirceu.resende'

FOR LOGON

[...]

PS: If you are following this approach, be sure to choose a user with all permissions required by the operations of this trigger (eg role member sysadmin). Otherwise your trigger will present errors and prevent new database connections (read CAOS)

Preventing Login for Certain Users

Now I’m going to demonstrate to you how to limit the access of some specific users to the database. This can also be applied to specific IP's or Hostnames, creating a list of allowed or denied.

Implementation:
View source

USE [master]
GO

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgBloquear_Login') > 0) DROP TRIGGER [trgBloquear_Login] ON ALL SERVER
GO

CREATE TRIGGER [trgBloquear_Login] ON ALL SERVER
FOR LOGON 
AS
BEGIN


    -- Não elimina conexões de usuários de sistema
    IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM'))
        RETURN
    
    
    DECLARE 
        @Evento XML, 
        @Dt_Evento DATETIME,
        @Ds_Usuario VARCHAR(100),
        @Ds_Usuario_Original VARCHAR(100),
        @Ds_Tipo_Usuario VARCHAR(30),
        @Ds_Ip VARCHAR(30),
        @SPID SMALLINT,
        @Ds_Hostname VARCHAR(100),
        @Ds_Software VARCHAR(100)
        


    SET @Evento = EVENTDATA()

    
    SELECT 
        @Dt_Evento = @Evento.value('(/EVENT_INSTANCE/PostTime/text())[1]','datetime'),
        @Ds_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginName/text())[1]','varchar(100)'),
        @Ds_Tipo_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginType/text())[1]','varchar(30)'),
        @Ds_Hostname = HOST_NAME(),
        @Ds_Ip = @Evento.value('(/EVENT_INSTANCE/ClientHost/text())[1]','varchar(100)'),
        @SPID = @Evento.value('(/EVENT_INSTANCE/SPID/text())[1]','smallint'),
        @Ds_Software = PROGRAM_NAME()
         
         

    IF (@Ds_Usuario IN ('Usuario_Teste'))
    BEGIN
        PRINT 'Usuário não permitido para logar neste servidor. Favor entrar em contato com a equipe de Banco de Dados'
        ROLLBACK
    END
    
    
    IF (@Ds_Tipo_Usuario = 'SQL Login')
    BEGIN
        PRINT 'Usuários SQL não são permitidos nesse servidor. Favor entrar em contato com a equipe de Banco de Dados'
        ROLLBACK
    END
    
            

END
GO

ENABLE TRIGGER [trgBloquear_Login] ON ALL SERVER  
GO

USE [master]

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgBloquear_Login') > 0) DROP TRIGGER [trgBloquear_Login] ON ALL SERVER

CREATE TRIGGER [trgBloquear_Login] ON ALL SERVER

FOR LOGON

BEGIN

-- Não elimina conexões de usuários de sistema

IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM'))

RETURN

DECLARE

@Evento XML,

@Dt_Evento DATETIME,

@Ds_Usuario VARCHAR(100),

@Ds_Usuario_Original VARCHAR(100),

@Ds_Tipo_Usuario VARCHAR(30),

@Ds_Ip VARCHAR(30),

@SPID SMALLINT,

@Ds_Hostname VARCHAR(100),

@Ds_Software VARCHAR(100)

SET @Evento = EVENTDATA()

SELECT

@Dt_Evento = @Evento.value('(/EVENT_INSTANCE/PostTime/text())[1]','datetime'),

@Ds_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginName/text())[1]','varchar(100)'),

@Ds_Tipo_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginType/text())[1]','varchar(30)'),

@Ds_Hostname = HOST_NAME(),

@Ds_Ip = @Evento.value('(/EVENT_INSTANCE/ClientHost/text())[1]','varchar(100)'),

@SPID = @Evento.value('(/EVENT_INSTANCE/SPID/text())[1]','smallint'),

@Ds_Software = PROGRAM_NAME()

IF (@Ds_Usuario IN ('Usuario_Teste'))

BEGIN

PRINT 'Usuário não permitido para logar neste servidor. Favor entrar em contato com a equipe de Banco de Dados'

ROLLBACK

END

IF (@Ds_Tipo_Usuario = 'SQL Login')

BEGIN

PRINT 'Usuários SQL não são permitidos nesse servidor. Favor entrar em contato com a equipe de Banco de Dados'

ROLLBACK

END

ENABLE TRIGGER [trgBloquear_Login] ON ALL SERVER

Results:

Preventing login at a certain time

In this excerpt below, I will demonstrate how to block out-of-business connections.

Implementation:
View source

USE [master]
GO

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgBloquear_Login_Horario') > 0) DROP TRIGGER [trgBloquear_Login_Horario] ON ALL SERVER
GO

CREATE TRIGGER [trgBloquear_Login_Horario] ON ALL SERVER
FOR LOGON 
AS
BEGIN


    -- Não elimina conexões de usuários de sistema
    IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM'))
        RETURN
    
    
    IF (DATEPART(WEEKDAY, GETDATE()) IN (0, 7))
    BEGIN
        PRINT 'Conexões aos fins de semana não são permitidas neste servidor'
        ROLLBACK
        RETURN
    END
    
    
    IF (DATEPART(HOUR, GETDATE()) >= 18 OR DATEPART(HOUR, GETDATE()) < 8)
    BEGIN
        PRINT 'Conexões antes das 8h e depois das 18h não são permitidas neste servidor'
        ROLLBACK
        RETURN
    END
       

END
GO

ENABLE TRIGGER [trgBloquear_Login_Horario] ON ALL SERVER  
GO

USE [master]

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgBloquear_Login_Horario') > 0) DROP TRIGGER [trgBloquear_Login_Horario] ON ALL SERVER

CREATE TRIGGER [trgBloquear_Login_Horario] ON ALL SERVER

FOR LOGON

BEGIN

-- Não elimina conexões de usuários de sistema

IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM'))

RETURN

IF (DATEPART(WEEKDAY, GETDATE()) IN (0, 7))

BEGIN

PRINT 'Conexões aos fins de semana não são permitidas neste servidor'

ROLLBACK

RETURN

END

IF (DATEPART(HOUR, GETDATE()) >= 18 OR DATEPART(HOUR, GETDATE()) < 8)

BEGIN

PRINT 'Conexões antes das 8h e depois das 18h não são permitidas neste servidor'

ROLLBACK

RETURN

END

ENABLE TRIGGER [trgBloquear_Login_Horario] ON ALL SERVER

Results:

Limiting the Number of Maximum User Connections

In the code snippet below, I will demonstrate how to limit the number of concurrent user connections. You can change the code to limit only to certain users, depending on your need.

Notice that in this trigger, I put an exception to not limit the connections of users that are sysadmin, which is the case of DBA's. This can be used in the other triggers as well, if you find it interesting.

Implementation:
View source

USE [master]
GO

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgBloquear_Login_Sessoes') > 0) DROP TRIGGER [trgBloquear_Login_Sessoes] ON ALL SERVER
GO

CREATE TRIGGER [trgBloquear_Login_Sessoes] ON ALL SERVER
WITH EXECUTE AS SELF
FOR LOGON
AS
BEGIN


    -- Não elimina conexões de usuários de sistema
    IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM'))
        RETURN
        
        
    -- Verifica se o usuário é sysadmin
    DECLARE @IsSysAdmin int
    EXECUTE AS CALLER
    SET @IsSysAdmin = ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)
    REVERT
        
        
    IF (@IsSysAdmin = 0)
    BEGIN
        
        IF ((
            SELECT COUNT(*) 
            FROM sys.dm_exec_sessions 
            WHERE is_user_process = 1 
            AND login_name = ORIGINAL_LOGIN()
            AND [program_name] NOT LIKE 'Red Gate%'
            AND [program_name] NOT LIKE '%IntelliSense%'
        ) > 2)
        BEGIN
            PRINT 'Número máximo de conexões atingidas para este usuário neste servidor'
            ROLLBACK
            RETURN
        END
        
    END
       

END
GO

ENABLE TRIGGER [trgBloquear_Login_Sessoes] ON ALL SERVER  
GO

USE [master]

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgBloquear_Login_Sessoes') > 0) DROP TRIGGER [trgBloquear_Login_Sessoes] ON ALL SERVER

CREATE TRIGGER [trgBloquear_Login_Sessoes] ON ALL SERVER

WITH EXECUTE AS SELF

FOR LOGON

BEGIN

-- Não elimina conexões de usuários de sistema

IF (ORIGINAL_LOGIN() IN ('sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM'))

RETURN

-- Verifica se o usuário é sysadmin

DECLARE @IsSysAdmin int

EXECUTE AS CALLER

SET @IsSysAdmin = ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)

REVERT

IF (@IsSysAdmin = 0)

BEGIN

IF ((

SELECT COUNT(*)

FROM sys.dm_exec_sessions

WHERE is_user_process = 1

AND login_name = ORIGINAL_LOGIN()

AND [program_name] NOT LIKE 'Red Gate%'

AND [program_name] NOT LIKE '%IntelliSense%'

) > 2)

BEGIN

PRINT 'Número máximo de conexões atingidas para este usuário neste servidor'

ROLLBACK

RETURN

END

ENABLE TRIGGER [trgBloquear_Login_Sessoes] ON ALL SERVER

Results:

Preventing Login for SQL Users with SSMS

Now I will demonstrate to you how to prevent users with SQL Server authentication from connecting to the environment using SQL Server Management Studio or SQLCMD. This is very useful in environments where developers and DBA's access the bank using users with Windows authentication and applications use users with SQL Server authentication.

In this scenario, it is very common for developers to use the application user to apply commands in production environments where their user does not have write permissions. This trigger may be a good choice to prevent them from trying to utilize these changes using the application user rather than asking the DBA.

Implementation:
View source

USE [master]
GO

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgEvita_Conexao_SQL') > 0) DROP TRIGGER [trgEvita_Conexao_SQL] ON ALL SERVER
GO

CREATE TRIGGER [trgEvita_Conexao_SQL] ON ALL SERVER 
WITH EXECUTE AS 'dirceu.resende'
FOR LOGON 
AS
BEGIN


    SET NOCOUNT ON
    
    
    -- Não loga conexões de usuários de sistema
    IF (ORIGINAL_LOGIN() IN ('dirceu.resende', 'sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM') OR ORIGINAL_LOGIN() LIKE '%SQLServerAgent')
        RETURN
        
        
    -- Não loga conexões de softwares que ficam se conectando constantemente
    IF (PROGRAM_NAME() LIKE 'Red Gate%' OR PROGRAM_NAME() LIKE '%IntelliSense%' OR PROGRAM_NAME() = 'Microsoft SQL Server')
        RETURN

    
    DECLARE 
        @Evento XML, 
        @Ds_Tipo_Usuario VARCHAR(30)
        
    SET @Evento = EVENTDATA()
    SET @Ds_Tipo_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginType/text())[1]','varchar(30)')


    -- Identifica o usuário original caso seja um usuário SQL
    IF (LEFT(@Ds_Tipo_Usuario, 7) != 'Windows' AND (PROGRAM_NAME() LIKE 'Microsoft SQL Server Management Studio%' OR program_name() LIKE 'sqlcmd%'))
    BEGIN
            
        SELECT 1/0

    END	

    
END
GO

ENABLE TRIGGER [trgEvita_Conexao_SQL] ON ALL SERVER  
GO

USE [master]

IF ((SELECT COUNT(*) FROM sys.server_triggers WHERE name = 'trgEvita_Conexao_SQL') > 0) DROP TRIGGER [trgEvita_Conexao_SQL] ON ALL SERVER

CREATE TRIGGER [trgEvita_Conexao_SQL] ON ALL SERVER

WITH EXECUTE AS 'dirceu.resende'

FOR LOGON

BEGIN

SET NOCOUNT ON

-- Não loga conexões de usuários de sistema

IF (ORIGINAL_LOGIN() IN ('dirceu.resende', 'sa', 'AUTORIDADE NT\SISTEMA', 'NT AUTHORITY\SYSTEM') OR ORIGINAL_LOGIN() LIKE '%SQLServerAgent')

RETURN

-- Não loga conexões de softwares que ficam se conectando constantemente

IF (PROGRAM_NAME() LIKE 'Red Gate%' OR PROGRAM_NAME() LIKE '%IntelliSense%' OR PROGRAM_NAME() = 'Microsoft SQL Server')

RETURN

DECLARE

@Evento XML,

@Ds_Tipo_Usuario VARCHAR(30)

SET @Evento = EVENTDATA()

SET @Ds_Tipo_Usuario = @Evento.value('(/EVENT_INSTANCE/LoginType/text())[1]','varchar(30)')

-- Identifica o usuário original caso seja um usuário SQL

IF (LEFT(@Ds_Tipo_Usuario, 7) != 'Windows' AND (PROGRAM_NAME() LIKE 'Microsoft SQL Server Management Studio%' OR program_name() LIKE 'sqlcmd%'))

BEGIN

SELECT 1/0

END

ENABLE TRIGGER [trgEvita_Conexao_SQL] ON ALL SERVER

That's it folks!
Until the next post!

Sinval Pereira said:

25 February 2021 to 11: 48

Big talk Dirceu!
First of all thanks for your time available to carry out this work of sharing knowledge, sensational!

Before implementing the logon trigger, I usually create a trigger that only monitors who and how they are arriving at the instance, so I can have a broader perception of what happens before the trigger that will block access is actually implemented. !

What occurs to me is that, in some cases, when I implement the monitoring trigger it generates some blocks in some accesses, and this trigger only monitors and stores the logon information in a table!

For what reason does this occur?

Fernando Akira Tajima said:

6 from 2019 from September to 22: 11

Thanks for the post.

- Dirceu Resende said:
  
  18 from 2019 from September to 22: 57
  
  Thanks Akira !! Thank you
  
Gibson eric said:

20 April 2017 13 gies: 17

Thank you friend, I found the perfect solution for what you needed.

Alex Jose Silva said:

15 April 2016 12 gies: 51

Hello there are errors appearing in SQL code

Server: Msg 156, Level 15, State 1, Line 2
Incorrect syntax near the keyword 'ON'.
Server: Msg 156, Level 15, State 1, Procedure trgAudit_Login, Line 2
Incorrect syntax near the keyword 'ALL'.
Server: Msg 195, Level 15, State 1, Procedure trgAudit_Login, Line 10
'ORIGINAL_LOGIN' is not a recognized function name.
Server: Msg 195, Level 15, State 1, Procedure trgAudit_Login, Line 50
'EVENTDATA' is not a recognized function name.
Server: Msg 170, Level 15, State 1, Procedure trgAudit_Login, Line 53
Line 53: Incorrect syntax near '.'.
Server: Msg 156, Level 15, State 1, Line 2
Incorrect syntax near the keyword 'TRIGGER'.

What is the correction?

- Dirceu Resende said:
  
  15 April 2016 16 gies: 25
  
  Alex, thanks for stopping by. CREATE TRIGGER can be used from SQL Server 2008. If your version is older than this, it will not work at all .. 🙁

Other Languages

Subscribe to a blog by email

Blog Views

Power Alerts

Azure Banking Admin Course

SQL Server Security Course

My Certifications

Posts Archive

Categories

Recent Posts

SQL Server - How to implement audit and control of logins (Logon Trigger)

NOTICE

Auditing and logging Logins performed

Preventing Login for Certain Users

Preventing login at a certain time

Limiting the Number of Maximum User Connections

Preventing Login for SQL Users with SSMS

You may also like ...

Comments

Leave a Comment Cancel reply

NOTICE

Auditing and logging Logins performed

Preventing Login for Certain Users

Preventing login at a certain time

Limiting the Number of Maximum User Connections

Preventing Login for SQL Users with SSMS

You may also like ...

Audit on SQL Server (Server Audit)

Checking a user's permissions in SQL Server

SQL Server 2016 - News and Features List

Comments

Leave a Comment Cancel reply