What, when and who? Auditing 101 - Part 2

  • Comments posted to this topic are about the item What, when and who? Auditing 101 - Part 2

    -Roy

  • CDC is fine for tracking DATA but what about WHO changed it? I can't even seem to write a join query to show the changes to the data by who?

    Back to audit triggers then, unless anyone can enlighten me.

    Thanks

  • Who can be done by SQL Audit... I am halfway through writing that article. That is the 3rd part of this series.

    -Roy

  • Nice article. One question, you mention that it would be a good idea to have the database in Snapshot Isolation mode, but you don't really give any details as to why? I'd really like to know why I should use snapshot isolation along with CDC.

  • I gave a recommendation for CDC to use Snapshot isolation due to two reasons.

    1. To make sure that there is no blocking caused when trying to get the LSN.

    2. To make sure that you get the right LSN.

    On a busy OLTP server, you are going to have a high number of data changes, and that means that the Max LSN will be changing at a very rapid rate. You want to make sure that the MAX LSN is the same throughout the query you are using to retrieve the changes.

    But it all depends on how you are retrieving the changes. Therefore it is just a recommendation. It is not a must. I hope I was able to answer that question.

    -Roy
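
Roy's recommendation above, as an added example that is not part of the thread or the article: read each change window inside one snapshot transaction and fetch the max LSN once, so every statement sees the same upper bound. The database `AuditDemo`, the capture instance `dbo_Product` with columns `ProductID` and `Price`, and the bookkeeping table `dbo.CdcWatermark` are assumptions.

```sql
-- Added example: AuditDemo, capture instance dbo_Product, its columns and
-- dbo.CdcWatermark are assumed names, not objects from the article.
ALTER DATABASE AuditDemo SET ALLOW_SNAPSHOT_ISOLATION ON;  -- one-time setup
GO
USE AuditDemo;
GO
-- Hypothetical bookkeeping table: last LSN already read per capture instance.
IF OBJECT_ID('dbo.CdcWatermark') IS NULL
    CREATE TABLE dbo.CdcWatermark (CaptureInstance sysname PRIMARY KEY,
                                   LastLsn binary(10) NOT NULL);
GO
SET TRANSACTION ISOLATION LEVEL SNAPSHOT;
BEGIN TRANSACTION;

DECLARE @last binary(10), @from_lsn binary(10), @to_lsn binary(10);
DECLARE @min_lsn binary(10) = sys.fn_cdc_get_min_lsn('dbo_Product');
SELECT @last = LastLsn FROM dbo.CdcWatermark WHERE CaptureInstance = N'dbo_Product';

-- Start just after the last LSN read, or at the oldest LSN still retained.
SET @from_lsn = CASE WHEN @last IS NULL THEN @min_lsn
                     ELSE sys.fn_cdc_increment_lsn(@last) END;
-- If cleanup already removed older changes, the audit trail has a gap here.
IF @from_lsn < @min_lsn SET @from_lsn = @min_lsn;
-- Read the upper bound once; every statement below reuses this value.
SET @to_lsn = sys.fn_cdc_get_max_lsn();

IF @from_lsn <= @to_lsn   -- false (or unknown) when nothing new was captured
BEGIN
    SELECT sys.fn_cdc_map_lsn_to_time(__$start_lsn) AS ChangeTime,
           CASE __$operation WHEN 1 THEN 'DELETE' WHEN 2 THEN 'INSERT'
                             WHEN 4 THEN 'UPDATE' END AS Action,
           ProductID, Price
    FROM cdc.fn_cdc_get_all_changes_dbo_Product(@from_lsn, @to_lsn, N'all')
    ORDER BY __$start_lsn, __$seqval;

    -- Advance the watermark to the same bound, so the next run neither
    -- skips nor re-reads a change.
    UPDATE dbo.CdcWatermark SET LastLsn = @to_lsn
    WHERE CaptureInstance = N'dbo_Product';
    IF @@ROWCOUNT = 0
        INSERT dbo.CdcWatermark (CaptureInstance, LastLsn)
        VALUES (N'dbo_Product', @to_lsn);
END;
COMMIT TRANSACTION;
```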

  • Hey Roy,

    Looking forward to Part #3. I really think 'Who' changed the data or 'What Process' is critical when it comes to logging.

    I wanted to let you know how my company handles auditing 'WHO' in the hopes you may 'speak to it' in your next article.

    We use a table similar to "Product". In the stored procedures that change data in this table we force developers to specify a LogUserID and a LogProcessID. The LogUserID represents the person logged into the system that pressed the 'save button' or 'delete button' on the GUI, or it may be a system user. The LogProcessID is used to indicate if the change was triggered by a Web Application, a nightly 'Product Price Update' SQL Server job, a Windows service, a web service, etc.

    PRODUCT TABLE SCHEMA
    ----------------------------------
    ProductID
    Description
    Price
    LogUserID
    AppProcessID
    DateTimeModified
    DateTimeInserted

    PRODUCT TABLE SCHEMA IN LOG DATABASE - A trigger inserts into a duplicate table
    ------------------------------------------
    AuditID
    Action
    ProductID
    Description
    Price
    LogUserID
    AppProcessID
    DateTimeModified
    DateTimeInserted

    Anyway - I am really curious about the 'Who' in part #3 and hope you can cover this scenario in your article.

  • Hey Trevor,

    Half of the article is already done. That part covers the "who". I have to do some work on the article to cover writing to Event log. Once that is done, I will submit it for publication.

    Your present idea works when you have a controlled system like that. It just won't store the data if the update or select is done using SSMS. SQL Audit will be able to catch that.

    -Roy

  • Hey Roy,

    You are right. With the current method we don't catch SSMS changes. There also isn't a way to "Force" developers to supply a LogUserID. In some cases when we troubleshoot, the database will say it was "Roy" that made the change, but really it was a System User because the developer script didn't update the LogUserID column. It gets messy when we delete rows from a table. The first thing we have to do is update the LogUserID for the rows we delete. Then we delete them.

    Looking forward to part 3.

    -Trevor
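
The trigger-based scheme discussed above, as an added example that is not code from the thread: an audit trigger that copies each change into the duplicate table and also records the connecting login on the server side, so a row written from SSMS or a delete with a stale LogUserID still carries an identity. Object names and data types are assumptions based on the column lists in the post, the audit table sits in the same database for brevity, and `SqlLogin`, `AppName` and `AuditedAt` are hypothetical extra columns.

```sql
-- Added example; names and data types are assumptions based on the column
-- lists in the post. SqlLogin, AppName and AuditedAt are hypothetical extras
-- that the server fills in, so they do not depend on the caller.
CREATE TABLE dbo.ProductAudit (
    AuditID          int IDENTITY(1,1) PRIMARY KEY,
    Action           char(1)       NOT NULL,   -- I, U or D
    ProductID        int           NOT NULL,
    Description      nvarchar(200) NULL,
    Price            money         NULL,
    LogUserID        int           NULL,       -- whatever the application wrote
    AppProcessID     int           NULL,
    DateTimeModified datetime      NULL,
    DateTimeInserted datetime      NULL,
    SqlLogin         sysname       NOT NULL DEFAULT ORIGINAL_LOGIN(),
    AppName          nvarchar(128) NULL     DEFAULT APP_NAME(),  -- client-supplied, spoofable
    AuditedAt        datetime      NOT NULL DEFAULT GETDATE()
);
GO
CREATE TRIGGER dbo.trg_Product_Audit ON dbo.Product
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @action char(1);
    SET @action =
        CASE WHEN EXISTS (SELECT 1 FROM inserted)
              AND EXISTS (SELECT 1 FROM deleted)  THEN 'U'
             WHEN EXISTS (SELECT 1 FROM inserted) THEN 'I'
             ELSE 'D' END;

    IF @action IN ('I', 'U')   -- log the new row image
        INSERT dbo.ProductAudit (Action, ProductID, Description, Price, LogUserID,
                                 AppProcessID, DateTimeModified, DateTimeInserted)
        SELECT @action, ProductID, Description, Price, LogUserID,
               AppProcessID, DateTimeModified, DateTimeInserted
        FROM inserted;
    ELSE                       -- log the last image of each deleted row
        INSERT dbo.ProductAudit (Action, ProductID, Description, Price, LogUserID,
                                 AppProcessID, DateTimeModified, DateTimeInserted)
        SELECT 'D', ProductID, Description, Price, LogUserID,
               AppProcessID, DateTimeModified, DateTimeInserted
        FROM deleted;
END;
```

When the application connects through one shared service login, `SqlLogin` identifies that account rather than the end user, so the application-supplied LogUserID is still needed for those rows.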

  • Nicely done Roy.

    Jason...AKA CirqueDeSQLeil
    I have given a name to my pain...MCM SQL Server, MVP

  • Nice article Roy. Thanks!

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes

  • Thanks Jason, Thanks Wayne...

    -Roy

  • Thank you for the articles!

    Are you going to cover auditing who reads which data, as well as changes?

  • Yes, that will be the third part of it. SQL Audit. I have completed 50% of that article. I need a couple more weeks to finish it off and then I will be submitting it for publishing.

    -Roy

  • Great article, thanks!

    qh

    Who looks outside, dreams; who looks inside, awakes. – Carl Jung.

  • Bummer!!!

    Change data capture is only available in the Enterprise, Developer, and Enterprise Evaluation editions.

    But great article nonetheless...


Viewing 15 posts - 1 through 15 (of 22 total)