How to Configure SQL Server Auditing
Jul 11, 2018
With the GDPR requirements rattling quite a few trees in the industry, there’s been a renewed interest in SQL Server’s auditing capabilities that were once a very neglected feature. This article steps you through setting up both a server level audit, as well as a table auditing on specific events such as selects, updates and delete operations which can help your business’ towards becoming more compliant with these new data protection standards.
Now if you’re planning on logging to the security or application logs, you may want to increase the max size of your log files to make sure you’re not just capturing a rolling 1 hour of auditing data.
ENABLE SERVER AUDITING
The below code provides two options for auditing to the application log, or do a data file. This can be updated via the GUI also after-the-fact, but will require the auditing to be momentarily stopped and restarted again while making that change.
USE [master] GO CREATE SERVER AUDIT [SQL_Server_Audit] TO APPLICATION_LOG WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ) GO -- OR -- CREATE SERVER AUDIT [SQL_Server_Audit] TO FILE ( FILEPATH = 'B:\SQLAudit' ) WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ) GO Alter Server Audit [SQL_Server_Audit] with(State=ON) GO
Next up we’ll need to define a server audit specification. These are the server-level auditing components that we’re going to want to capture as part of this audit. A sample specification is as follows, noting that you’ll want to change this to suit your business requirements;
CREATE SERVER AUDIT SPECIFICATION [Server_Audit_Specification]
FOR SERVER AUDIT [SQL_Server_Audit]
ADD ( AUDIT_CHANGE_GROUP )
,ADD ( BACKUP_RESTORE_GROUP )
,ADD ( DATABASE_CHANGE_GROUP )
,ADD ( DATABASE_OWNERSHIP_CHANGE_GROUP )
,ADD ( BROKER_LOGIN_GROUP)
,ADD ( DBCC_GROUP )
,ADD ( LOGIN_CHANGE_PASSWORD_GROUP )
,ADD ( APPLICATION_ROLE_CHANGE_PASSWORD_GROUP )
,ADD ( SERVER_PRINCIPAL_CHANGE_GROUP )
,ADD ( DATABASE_PRINCIPAL_CHANGE_GROUP )
,ADD ( DATABASE_PRINCIPAL_IMPERSONATION_GROUP )
,ADD ( DATABASE_PERMISSION_CHANGE_GROUP )
,ADD ( DATABASE_ROLE_MEMBER_CHANGE_GROUP )
,ADD ( FAILED_LOGIN_GROUP )
,ADD ( SUCCESSFUL_LOGIN_GROUP )
WITH ( STATE = ON);
Go
At time of this blog post, the following are all the available options for server-level auditing;
SERVER LEVEL AUDITING
| Action group name | Description |
| APPLICATION_ROLE_CHANGE_PASSWORD_GROUP | This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class. |
| AUDIT_CHANGE_GROUP | This event is raised whenever any audit is created, modified or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class. |
| BACKUP_RESTORE_GROUP | This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup and Restore Event Class. |
| BROKER_LOGIN_GROUP | This event is raised to report audit messages related to Service Broker transport security. Equivalent to the Audit Broker Login Event Class. |
| DATABASE_CHANGE_GROUP | This event is raised when a database is created, altered, or dropped. This event is raised whenever any database is created, altered or dropped. Equivalent to the Audit Database Management Event Class. |
| DATABASE_LOGOUT_GROUP | This event is raised when a contained database user logs out of a database. Equivalent to the Audit Database Logout Event Class. |
| DATABASE_MIRRORING_LOGIN_GROUP | This event is raised to report audit messages related to database mirroring transport security. Equivalent to the Audit Database Mirroring Login Event Class. |
| DATABASE_OBJECT_ACCESS_GROUP | This event is raised whenever database objects such as message type, assembly, contract are accessed. This event is raised for any access to any database. Note: This could potentially lead to large audit records.
Equivalent to the Audit Database Object Access Event Class. |
| DATABASE_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. This event is raised whenever any database object is created, altered or dropped. Note: This could lead to very large quantities of audit records.
Equivalent to the Audit Database Object Management Event Class. |
| DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when a change of owner for objects within database scope. This event is raised for any object ownership change in any database on the server. Equivalent to the Audit Database Object Take Ownership Event Class. |
| DATABASE_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. This event is raised for any object permission change for any database on the server. Equivalent to the Audit Database Object GDR Event Class. |
| DATABASE_OPERATION_GROUP | This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. This event is raised on any database operation on any database. Equivalent to the Audit Database Operation Event Class. |
| DATABASE_OWNERSHIP_CHANGE_GROUP | This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. This event is raised for any database ownership change on any database on the server. Equivalent to the Audit Change Database Owner Event Class. |
| DATABASE_PERMISSION_CHANGE_GROUP | This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any principal in SQL Server (This applies to database-only events, such as granting permissions on a database).
This event is raised for any database permission change (GDR) for any database in the server. Equivalent to the Audit Database Scope GDR Event Class. |
| DATABASE_PRINCIPAL_CHANGE_GROUP | This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. (Also equivalent to the Audit Add DB Principal Event Class, which occurs on the deprecated sp_grantdbaccess, sp_revokedbaccess, sp_addPrincipal, and sp_dropPrincipal stored procedures.)
This event is raised whenever a database role is added to or removed by using the sp_addrole, sp_droprole stored procedures. This event is raised whenever any database principals are created, altered, or dropped from any database. Equivalent to the Audit Add Role Event Class. |
| DATABASE_PRINCIPAL_IMPERSONATION_GROUP | This event is raised when there is an impersonation operation in the database scope such as EXECUTE AS <principal> or SETPRINCIPAL. This event is raised for impersonations done in any database. Equivalent to the Audit Database Principal Impersonation Event Class. |
| DATABASE_ROLE_MEMBER_CHANGE_GROUP | This event is raised whenever a login is added to or removed from a database role. This event class is raised for the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures. This event is raised on any Database role member change in any database. Equivalent to the Audit Add Member to DB Role Event Class. |
| DBCC_GROUP | This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class. |
| FAILED_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class. |
| FAILED_LOGIN_GROUP | Indicates that a principal tried to log on to SQL Server and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class. |
| FULLTEXT_GROUP | Indicates fulltext event occurred. Equivalent to the Audit Fulltext Event Class. |
| LOGIN_CHANGE_PASSWORD_GROUP | This event is raised whenever a login password is changed by way of ALTER LOGIN statement or sp_password stored procedure. Equivalent to the Audit Login Change Password Event Class. |
| LOGOUT_GROUP | Indicates that a principal has logged out of SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Logout Event Class. |
| SCHEMA_OBJECT_ACCESS_GROUP | This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class. |
| SCHEMA_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class.
This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. This event is raised whenever any schema of any database changes. Equivalent to the Audit Statement Permission Event Class. |
| SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when the permissions to change the owner of schema object (such as a table, procedure, or function) is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object. This event is raised for any schema ownership change for any database on the server. Equivalent to the Audit Schema Object Take Ownership Event Class. |
| SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised whenever a grant, deny, revoke is performed against a schema object. Equivalent to the Audit Schema Object GDR Event Class. |
| SERVER_OBJECT_CHANGE_GROUP | This event is raised for CREATE, ALTER, or DROP operations on server objects. Equivalent to the Audit Server Object Management Event Class. |
| SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when the owner is changed for objects in server scope. Equivalent to the Audit Server Object Take Ownership Event Class. |
| SERVER_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised whenever a GRANT, REVOKE, or DENY is issued for a server object permission by any principal in SQL Server. Equivalent to the Audit Server Object GDR Event Class. |
| SERVER_OPERATION_GROUP | This event is raised when Security Audit operations such as altering settings, resources, external access, or authorization are used. Equivalent to the Audit Server Operation Event Class. |
| SERVER_PERMISSION_CHANGE_GROUP | This event is raised when a GRANT, REVOKE, or DENY is issued for permissions in the server scope, such as creating a login. Equivalent to the Audit Server Scope GDR Event Class. |
| SERVER_PRINCIPAL_CHANGE_GROUP | This event is raised when server principals are created, altered, or dropped. Equivalent to the Audit Server Principal Management Event Class.
This event is raised when a principal issues the sp_defaultdb or sp_defaultlanguage stored procedures or ALTER LOGIN statements. Equivalent to the Audit Addlogin Event Class. This event is raised on the sp_addlogin and sp_droplogin stored procedures. Also equivalent to the Audit Login Change Property Event Class. This event is raised for the sp_grantlogin or sp_revokelogin stored procedures. Equivalent to the Audit Login GDR Event Class. |
| SERVER_PRINCIPAL_IMPERSONATION_GROUP | This event is raised when there is an impersonation within server scope, such as EXECUTE AS <login>. Equivalent to the Audit Server Principal Impersonation Event Class. |
| SERVER_ROLE_MEMBER_CHANGE_GROUP | This event is raised whenever a login is added or removed from a fixed server role. This event is raised for the sp_addsrvrolemember and sp_dropsrvrolemember stored procedures. Equivalent to the Audit Add Login to Server Role Event Class. |
| SERVER_STATE_CHANGE_GROUP | This event is raised when the SQL Server service state is modified. Equivalent to the Audit Server Starts and Stops Event Class. |
| SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal successfully logged in to a contained database. Equivalent to the Audit Successful Database Authentication Event Class. |
| SUCCESSFUL_LOGIN_GROUP | Indicates that a principal has successfully logged in to SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Event Class. |
| TRACE_CHANGE_GROUP | This event is raised for all statements that check for the ALTER TRACE permission. Equivalent to the Audit Server Alter Trace Event Class. |
| TRANSACTION_GROUP | This event is raised for BEGIN TRANSACTION, ROLLBACK TRANSACTION, and COMMIT TRANSACTION operations, both for explicit calls to those statements and implicit transaction operations. This event is also raised for UNDO operations for individual statements caused by the rollback of a transaction. |
| USER_CHANGE_PASSWORD_GROUP | This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement. |
| USER_DEFINED_AUDIT_GROUP | This group monitors events raised by using sp_audit_write (Transact-SQL). Typically triggers or stored procedures include calls to sp_audit_write to enable auditing of important events. |
ENABLE DATABASE AUDITING
Database auditing requires that a server audit (although not necessarily server audit specification) to be in place. The DB auditing however is created within the user database that is to be audited, rather than within the master database where the server audit gets created. Database audit specifications can be found within the DB itself under Security –> Database Audit Specifications.
To create a database audit, you’ll need to first USE the DB (to select it), then the following provides an example syntax for auditing SELECT, UPDATE and DELETE operations for specific tables within that database;
USE UserDatabase
GO
CREATE DATABASE AUDIT SPECIFICATION [User_Database_Audit_Specification]
FOR SERVER AUDIT [SQL_Server_Audit]
ADD (SELECT , UPDATE , DELETE ON UserDatabase.dbo.Customer_DeliveryAddress BY dbo )
,ADD (SELECT , UPDATE , DELETE ON UserDatabase.dbo.DimCustomer_Email BY dbo )
,ADD (SELECT , UPDATE , DELETE ON UserDatabase.dbo.DimCustomer_Phone BY dbo )
WITH (STATE = ON) ;
GO
The SELECT, UPDATE and DELETE operations aren’t the only things you can add to the audit specification though…
| Action | Description |
| SELECT | This event is raised whenever a SELECT is issued. |
| UPDATE | This event is raised whenever an UPDATE is issued. |
| INSERT | This event is raised whenever an INSERT is issued. |
| DELETE | This event is raised whenever a DELETE is issued. |
| EXECUTE | This event is raised whenever an EXECUTE is issued. |
| RECEIVE | This event is raised whenever a RECEIVE is issued. |
| REFERENCES | This event is raised whenever a REFERENCES permission is checked. |
For a full list of database level auditing options (at time of this blog post), see below;
DATABASE LEVEL AUDITING
| Action group name | Description |
| APPLICATION_ROLE_CHANGE_PASSWORD_GROUP | This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class. |
| AUDIT_CHANGE_GROUP | This event is raised whenever any audit is created, modified or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class. |
| BACKUP_RESTORE_GROUP | This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup and Restore Event Class. |
| DATABASE_CHANGE_GROUP | This event is raised when a database is created, altered, or dropped. Equivalent to the Audit Database Management Event Class. |
| DATABASE_LOGOUT_GROUP | This event is raised when a contained database user logs out of a database. Equivalent to the Audit Backup and Restore Event Class. |
| DATABASE_OBJECT_ACCESS_GROUP | This event is raised whenever database objects such as certificates and asymmetric keys are accessed. Equivalent to the Audit Database Object Access Event Class. |
| DATABASE_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. Equivalent to the Audit Database Object Management Event Class. |
| DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when a change of owner for objects within database scope occurs. Equivalent to the Audit Database Object Take Ownership Event Class. |
| DATABASE_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. Equivalent to the Audit Database Object GDR Event Class. |
| DATABASE_OPERATION_GROUP | This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. Equivalent to the Audit Database Operation Event Class. |
| DATABASE_OWNERSHIP_CHANGE_GROUP | This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. Equivalent to the Audit Change Database Owner Event Class. |
| DATABASE_PERMISSION_CHANGE_GROUP | This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any user in SQL Server for database-only events such as granting permissions on a database. Equivalent to the Audit Database Scope GDR Event Class. |
| DATABASE_PRINCIPAL_CHANGE_GROUP | This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. Also equivalent to the Audit Add DB User Event Class, which occurs on deprecated sp_grantdbaccess, sp_revokedbaccess, sp_adduser, and sp_dropuser stored procedures.
This event is raised whenever a database role is added to or removed using deprecated sp_addrole and sp_droprole stored procedures. Equivalent to the Audit Add Role Event Class. |
| DATABASE_PRINCIPAL_IMPERSONATION_GROUP | This event is raised when there is an impersonation within database scope such as EXECUTE AS <user>. Equivalent to the Audit Database Principal Impersonation Event Class. |
| DATABASE_ROLE_MEMBER_CHANGE_GROUP | This event is raised whenever a login is added to or removed from a database role. This event class is used with the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures.Equivalent to the Audit Add Member to DB Role Event Class |
| DBCC_GROUP | This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class. |
| FAILED_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. This event is raised. |
| SCHEMA_OBJECT_ACCESS_GROUP | This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class. |
| SCHEMA_OBJECT_CHANGE_GROUP | This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class.
This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. Also equivalent to the Audit Statement Permission Event Class. |
| SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP | This event is raised when the permissions to change the owner of schema object such as a table, procedure, or function is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object. Equivalent to the Audit Schema Object Take Ownership Event Class. |
| SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP | This event is raised whenever a grant, deny, or revoke is issued for a schema object. Equivalent to the Audit Schema Object GDR Event Class. |
| SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP | Indicates that a principal successfully logged in to a contained database. Equivalent to the Audit Successful Database Authentication Event Class. |
| USER_CHANGE_PASSWORD_GROUP | This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement. |
| USER_DEFINED_AUDIT_GROUP | This group monitors events raised by using sp_audit_write (Transact-SQL). |
SHARE THIS POST:
