InstantForum.NET v2.9.0SQLServerCentralhttp://www.sqlservercentral.com/Forums/notifications@sqlservercentral.comTue, 21 May 2013 08:26:31 GMT20http://www.sqlservercentral.com/Forums/Topic1232685-1526-1.aspxYou could always go another route. That is to put a sniffer in front of the SQL Server that logs all incoming traffic. You do not need to log the Output. (It will be way too much data)Thu, 12 Jan 2012 10:47:55 GMTRoy Ernesthttp://www.sqlservercentral.com/Forums/Topic1232685-1526-1.aspxThanks for helping me to understand. I see now that if I give a user read only permission and they attempt to update a table, it will log a failure. This is very good.The confusion was when I was expecting a user who runs a bad query such as a select of a table that does not exist that it would record that as well. But technicly as you say, it is a successful select but of non existant data. These type of things are not logged by SQL Server Audit but would help us to detect anyone who was fishing for data.Thanks again.Wed, 11 Jan 2012 12:36:26 GMTPHXHowardhttp://www.sqlservercentral.com/Forums/Topic1232685-1526-1.aspxSorry, was thinking of something else when I posted, not SQL Server Audit, as in the feature.In terms of auditing the SELECT/INSERT/UPDATE/DELETE, a database audit specification will do this, but it audits the execution of the statement. A "failure" isn't a failure of the statement. It's another error. If someone executes a SELECT against a non-existent table, that's not a SELECT failure, that could be seen as a syntax error, or an object reference error, but the SELECT hasn't failed. An insert that has a duplicate key value is an FK error, not an insert error.If I understand it correctly from limited use, you will get all executions of the statement, which is defined per object, and you'd have to sort through them, maybe filtering on some keyword in the logs. I'm not sure you can limit it to just one particular type of execution.Understanding Audit - [url]http://msdn.microsoft.com/en-us/library/cc280386%28v=SQL.100%29.aspx[/url]Create DB spec - [url]http://msdn.microsoft.com/en-us/library/cc280404%28v=SQL.100%29.aspx[/url]Mon, 09 Jan 2012 12:29:24 GMTSteve Jones - SSC Editorhttp://www.sqlservercentral.com/Forums/Topic1232685-1526-1.aspxSQL Server 2008 Audit allows auditing of a number of things including select/insert/update/delete. It is working properly for capturing these events to the Windows Application or event log but it is only capturing Audit Success. I have a requirement to capture audit failures too such as a select of a table that does not exist or where the user does not have access. I think it may be an option in the audit policy but not sure how to set it.Here is an example entry:Date 1/9/2012 6:51:27 PMLog Audit Collection (Audit-20120109-115026)Event Time 18:51:27.9823720Server Instance Name <name here>Action ID SELECTClass Type TABLESequence Number 1Succeeded TruePermission Bit Mask 0x0000000000000001Column Permission TrueSession ID 61Server Principal ID 259Database Principal ID 1Target Server Principal ID 0Target Database Principal ID 0Object ID 530100929Session Server Principal Name <user name>Server Principal Name <user name>Server Principal SID <id>Database Principal Name dboTarget Server Principal Name Target Server Principal SID NULLTarget Database Principal Name Database Name DBA_MaintenanceSchema Name dboObject Name testStatement select * FROM [DBA_Maintenance].[dbo].[test]Additional Information File Name D:\dba\Audit-20120109-115026_xxx.sqlauditFile Offset 6144User Defined Event ID 0User Defined Information MessageMon, 09 Jan 2012 11:58:02 GMTPHXHowardhttp://www.sqlservercentral.com/Forums/Topic1232685-1526-1.aspxThere is no logging for insert/update/deletes. You can enable SQL Trace, but you are potentially asking for a ton of data. What are you trying to accomplish? Typically there isn't a "failure" of a select/insert/update/delete on a regular basis.Mon, 09 Jan 2012 11:43:39 GMTSteve Jones - SSC Editorhttp://www.sqlservercentral.com/Forums/Topic1232685-1526-1.aspxHello, I have enabled SQL Server Audit to write to the Application event log. Seems to be working fine but it is only logging success. How do I enable failure logging for things like select/insert/update/delete?Thanks for reading.HowardMon, 09 Jan 2012 11:17:18 GMTPHXHoward