Dropping/Altering Server Audits
Audits can be modified or dropped by using the below code:
ALTER
SERVER AUDIT [Audit-20080831-140855]
WITH
(STATE
= OFF);
GO
DROP
SERVER AUDIT [Audit-20080831-140855]
GO
You can alter the server audits after creating them.
However, before altering them you should disable them. Otherwise, an error will
be returned. Same can be said with dropping.
Auditing Specifications
Now we have created the audit location, we need to create
the auditing specifications. There are two types of auditing specifications.
1. Server Audit Specification
2. Database Auditing Specification
Server Audit Specification
You can create only one Server Audit Specification for one
audit.
Server audit will focus on the server level events such as
logon/logoff operations, database backup/restore, database maintenance
operations, server objects changes, permission changes etc.
There are several frequently used Server Audit Specifications
groups which are listed in following table.
Action group name |
Description |
SUCCESSFUL_LOGIN_GROUP |
Indicates that a principal has |
LOGOUT_GROUP |
Indicates that a principal has logged |
FAILED_LOGIN_GROUP |
Indicates that a principal tried to |
LOGIN_CHANGE_PASSWORD_GROUP |
This event is raised whenever a |
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP |
This event is raised whenever a |
SERVER_ROLE_MEMBER_CHANGE_GROUP |
This event is raised whenever a login |
DATABASE_ROLE_MEMBER_CHANGE_GROUP |
This event is raised whenever a login |
BACKUP_RESTORE_GROUP |
This event is raised whenever a backup |
DBCC_GROUP |
This event is raised whenever a |
SERVER_OPERATION_GROUP |
This event is raised when Security |
DATABASE_OPERATION_GROUP |
This event is raised when operations |
DATABASE_CHANGE_GROUP |
This event is raised when a database |
DATABASE_PRINCIPAL_CHANGE_GROUP |
This event is raised when principals, |
SERVER_PERMISSION_CHANGE_GROUP |
This event is raised when a GRANT, |
SERVER_OBJECT_PERMISSION_CHANGE_GROUP |
This event is raised whenever a GRANT, |
DATABASE_PERMISSION_CHANGE_GROUP |
This event is raised whenever a GRANT, |
As with creating Audits, we can create Server Audit
Specifications from either SSMS or T-SQL.
In SSMS, there is new node called Sever Audit
Specifications, where you have to right click and create the new Server Audit
Specifications.
You will get the following screen after selecting new Server
Audit Specifications.
In this, select audit specification name and the audit name.
After that you have to define Audit groups. In the above
example I have added five groups which are frequently monitored in my working
environment.
The Server Audit Specification must then be Enabled. Altering
and dropping audit specifications is done in a similar manner to Audits.
Audit specifications can also be created from T-SQL , as in
the below script sample:
USE
[master]
GO
IF EXISTS (SELECT *
FROM sys.server_audit_specifications
WHERE name =
N’ServerAuditSpecification-20091126-130056′)
DROP
SERVER AUDIT SPECIFICATION
[ServerAuditSpecification-20091126-130056]
GO
USE
[master]
GO
CREATE
SERVER AUDIT SPECIFICATION
[ServerAuditSpecification-20091126-130056]
FOR
SERVER AUDIT [Audit-20091125-113200]
ADD
(BACKUP_RESTORE_GROUP),
ADD
(FAILED_LOGIN_GROUP)
WITH
(STATE
= OFF)
Viewing Audit Results
Right click the relevant Server Audit and select View Audit Logs , the
below screen should be visible.
As this is the normal SQL Server editor, you can use the exporting,
searching and filtering functions. If your audit file is using a file instead
of Security log or application log, the data will be much clearer.