SQL Swampland

Today we continue our series on Auditing with some clarifications.  An audit is essentially the combination of several elements.  This concept took a day or two to wrap around my brain so I thought I would discuss our way through it.

1. The Audit Object is collected on either the server or database level.  This covers actions as well as groups of actions.
2. The Audit Specification is an object that belongs to an audit.  This is a one-to-one relationship between audit object and audit specification.  Both items are created at the instance level.  The audit specification can collect many server-level or database-level action groups which are raised through extended events. You can have many groups within a specification.  In addition, the audit specification is either a database or server specification and it cannot be both.
3. The Audit Action Group is a predefined group of actions within the database engine itself.  (See the MSDN list of Action Groups and Actions)
4. The Target is essentially where the audit results are sent to, which we have already discussed as a file, the Application Log or the Security Log.

I hope this clarifies some points before we move forward.  Enjoy and stay tuned.

Figure 1 – New Audit

Continuing our learning series on Auditing, today we move on to setting up the server audit which will allow us to be able to setup auditing at the instance level.

1. In SSMS, open the Security node and right-click on Audits and choose New Audit as shown in Figure 1.
2. This will present us with a default Create Audit dialog box as shown in Figure 2.  Enter a name for your Audit being as descriptive as possible to make it easy for you to look back later and now what this is auditing.
3. The Queue delay default is 1000 milliseconds.  This is the delay before the audit actions will be processed.
4. There is a check box if you would like to shut down the server when the audit log fails.  In SQL Server 2012 you have the option to Continue, Shut down the server, or Fail the operation.  Figure 2 is from a SQL Server 2008 server.
5. As you can see in Figure 2, the default setting for the destination is the file and if this is the setting you choose then you must enter a file path in addition to the other settings shown.  If you choose Security Log or Application Log then all of the file options will be unavailable.
6. After this process is complete, you will see the audit named under Audits in the Security node.  From there you need to right-click on it and select Enable Audit.

Figure 2 – Create Audit Defaults

As with anything in the GUI SSMS, this too can be scripted as an example:

CREATE SERVER AUDIT [Test-Audit] TO SECURITY_LOG WITH (QUEUE_DELAY = 1000)

Enjoy and stay tuned.

Since I am out of the office today I though I would include this fun video from Microsoft to continue with our Auditing theme that we started earlier in the week.  Enjoy!

SQL Server News Hour: SQL Server Audit in SQL Server 2008 R2 – YouTube.

Continuing our series on Auditing from yesterday, I wanted to bring up a few additional points if you are planning on using the Windows Security log as the target for your auditing results.

1. You must add the SQL Server service (the account that you are actually using to run SQL Server, go to the SQL Server Configuration manager and check out the Log On As column) to the Generate security audits policy.  Go to your Local Security Policy then under Security Settings select Local Policies the User Rights Assignment.  There you will find the policy so that you may add the account similar to what is shown Figure 1.
2. Keep in mind if you are running in a clustered environment you need to do this on each node so that in a failover scenario the auditing continues to work as designed.
3. Also in the Local Security Policy, you need to go to Local Policies then Audit Policy and select to audit success and failure for the Audit Object Access policy.

In addition, if you plan on using a file as a target instead of the windows logs you must keep the following in mind:

1. The SQL Server service account must have the ability to read and write to the file.
2. If you have a user account that is a member of the Audit Administrator role, they must also have the ability to read and write to the file.
3. Finally, if you have users with the Audit Reader role, then they must have the ability to read the file.

Figure 1 – Generate Security Audits Policy

Enjoy and stay tuned as we continue this series!

Over the next few weeks I will be presenting here for your learning SQL Server Auditing, as I learn it.  I have never been called upon to use the auditing features in any production SQL Server environments strangely enough.  I have known about the capabilities but never really been in a position to advocate for or against them.

Let us start our journey with some limitations.  Auditing uses SQL Server resources, albeit less than trace-based auditing.  This may or may not be a big deal depending upon how busy the server is.  Another limitation is the fact that auditing in limited at the instance level.  There is no easy way to manage auditing on multiple servers from a central location.  There is also no built-in reporting for auditing and the data is stored in a file or OS event logs.  You can however, load that data into a database and create your own reports.

Enjoy!