Getting Started with SQL Server auditing: SQL Server Auditing (SQL Server Audit)

Original: SQL Server audit features Getting Started: SQL Server audit (SQL Server Audit)

Introduction

Audit is a feature after SQL Server 2008 that tells you "who did what when?" Specifically, auditing an instance of the SQL Server database engine or a separate database involves tracking and documenting events that occur in the database engine. Its bottom-level is based on extended events (Extented event), so its performance and flexibility are relatively good. Audit data can be exported to audit files, Windows security logs, and application logs.

Audit all need to create an instance-level SQL Server audit, and then you can create a "server audit specification" and a "database audit specification" that belong to it. You can understand that SQL Server auditing is the top-level container for auditing, and these two specifications are the specific content that defines what to audit.

General procedures for creating and using auditing:

1. Create an audit and define the target.

2. Create a server audit specification or database Audit specification that is mapped to an audit, and enable the audit specification.

3. Enable auditing.

4. Read the audit events by using the Windows Event Viewer, log File Viewer, or the Fn_get_audit_file function.

Implement

To create a test database and data:

 UseMasterGoCreate DatabaseaudittestGo UseaudittestGoCreate TableTB (IDint Primary Key, namevarchar( -), Weightdecimal(Ten,2));Insert  intoTbValues(1,'John',70.2),(2,'Ted',80.8),(3,'Clark',75.1)Go

1. Create audits and define goals.

Creating an audit can be accomplished using SSMS or a statement. The goal is to audit where the output is stored, similar to the target of the extended event.

The corresponding statement is created:

--Create Server Audit Use [Master]GOCREATESERVER AUDIT[audit-audittest] to FILE(FILEPATH=N'D:\share', MAXSIZE=  -MB, Max_files= Ten, Reserve_disk_space=  on) with(Queue_delay=  +, On_failure= CONTINUE --Audit_guid=uniqueidentifier)--WHERE object_name= ' TB 'GO--Enable Server AuditAlterServer audit[audit-audittest]  with(state= on)

Briefly explain the relevant parameters:

To file: Specifies the output to the audit file, or it can be specified as security log and application log.
FILEPATH: The directory address of the audit file.

MaxSize: The maximum capacity of a single audit file.
MAXSIZE: Similar to trace, specifies that rollover allows the maximum number of files.
Reserve_disk_space: Pre-allocating audit files to maxsize. Personal referrals are enabled.
Queue_delay: Specifies the millisecond interval at which an event occurs to a forced audit. A synchronization audit is specified as 0.
On_failure: The next behavior to take when auditing an up-file write data failure: CONTINUE | SHUTDOWN | Fail_operation.
Audit_guid: for database Mirroring. Similar to the SID role of login, the main library of the mirroring session if there is an audit, the same GUID is required to create the corresponding audit in the Mirror library.

WHERE: equivalent to predicate in an extended event to specify a filter condition.

2. Create a database audit specification and enable it

Specifies from which SQL Server to audit and define what to audit. It can be created through SSM or statements. The following is an audit specification for test table TB: Anyone who has DML and table structure modifications to the TB table is audited.

The corresponding statement:

--Create and enable Database Audit specification Use [audittest]GOCREATE DATABASEAUDIT specification[databaseauditspecification-audittest] forSERVER AUDIT[audit-audittest]ADD(Schema_object_change_group),ADD(SELECT,DELETE,INSERT,UPDATE  onOBJECT::[dbo].[TB]  by [ Public]) with(state= on)GO

With SSMs, the meaning of the parameter is clear. For more detailed information: CREATE DATABASE AUDIT Specification

Audit activity type (Audit action type) reference: SQL Server Audit Action Group and actions

3. Enable auditing

SQL Server is not enabled by default when it creates audit and audit specifications and needs to be explicitly enabled. In the first two steps, I have explicitly enabled.

4. test and view audit data

 UseaudittestGoSelect *  fromDBO.TBwhereId=1;UpdateDBO.TBSetName='ted_new'whereId=2;Alter TableDbo.tbAlter columnNamevarchar( -);Alter TableDbo.tbAddNewcolvarchar( -);Go

In the previous target definition file, an audit file is generated, file name: [SQL Server audit name]_[Audit Guid]_*.sqlaudit.

This file can also be played with other text editors, but it is inconvenient to read. It is usually read using the system function Sys.fn_get_audit_file.

SELECT event_time,    action_id    , succeeded    , session_id    , session_server_principal_name      object_name    , statement    file_name    , Audit_file_offsetfrom sys.fn_get_audit_file ('d:\share\*',default,default )

From the results you can get: who did what at what time . The SELECT and ALTER statements have only one record. Update has two records, a select and an update. Passing the value of Audit_file_offset to Fn_get_audit_file as the third parameter value can be achieved by reading the audit file from the specified offset. Note: The event_time output is UTC time.

Of course, you can also view directly:

5. Try the server audit specification

Audit Create and delete logins, and log audit content to the application log.

 Use [Master]GOCREATESERVER AUDIT[audit-audittest] toApplication_log with(Queue_delay=  +, On_failure= CONTINUE)GOAlterSERVER AUDIT[audit-audittest]  with(state= on)GoCreateServer Audit Specification Sas_createdroplogin forServer Audit[audit-audittest]ADD(Server_principal_change_group) with(state= on)GoCreateLogin XX withPassword='[email protected]';DropLogin xx;

From the Event Viewer in Windows, you can view the 33205 event. Personally feel that when viewing data detail events, use XML format to better understand some.

Summary

1. SQL Server audits are relatively less performance-affected and have a very flexible audit granularity.
2. The review is for "events" and answers "who did what when", but the tracking of the changes in the data itself is weak.
3. The outcome of the audit, whether it's an audit file or an application log, requires additional processing and analysis to get what you want.

Getting Started with SQL Server auditing: SQL Server Auditing (SQL Server Audit)