Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Help on Audit Specifications Expand / Collapse
Author
Message
Posted Wednesday, November 27, 2013 3:32 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Wednesday, November 12, 2014 8:03 AM
Points: 332, Visits: 854
My questions on Audit Specifications are:
Can it be setup to exclude capturing specific logins? Example we have login SA1 setup as sa but is only used for specific tasks. Can Audit specification be setup to not capture any events by SA1?


#2 - I am seeing a lot of View Server State events in our logs, this is captured under the Server_Operation_Group. Is there a way to not capture VIEW_SERVER_STATE but capture the rest of the actions?

thanks
Post #1518219
Posted Friday, November 29, 2013 2:45 PM


SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: Yesterday @ 2:39 PM
Points: 816, Visits: 742
The syntax for CREATE SERVER AUDIT is:

[sql]
CREATE SERVER AUDIT audit_name
{
TO { [ FILE (<file_options> [ , ...n ] ) ] | APPLICATION_LOG | SECURITY_LOG }
[ WITH ( <audit_options> [ , ...n ] ) ]
[ WHERE <predicate_expression> ]
}
[/sql]

Where <predicate_expression> is

[code]
<predicate_factor>::=
event_field_name { = | < > | ! = | > | > = | < | < = } { number | ' string ' }
[/sql]

And for event_field_name, Books Online says:

Is the name of the event field that identifies the predicate source. Audit fields are described in sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and audit_file_offset.

That is, you should be able to filter out sa with

sessoion_server_principal_name <> 'sa2'

I'm not sure what you see when you see VIEW SERVER STATE, but the same may be possible in this cas.


Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1518603
Posted Monday, December 2, 2013 11:47 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Wednesday, November 12, 2014 8:03 AM
Points: 332, Visits: 854
My error - I forgot to mention that this is on SQL 2008 R2 server. BOL does not mention the WHERE <predicate_expression> for 2008 R2. I did get it to work on SQL 2012 server, with help from
http://blogs.msdn.com/b/sqlsecurity/archive/2012/10/03/filter-sql-server-audit-on-action-id-class-type-predicate.aspx

The action_id is varchar(4), but has to be queried using a integer value...


It seem like there isn't a solution for SQL 2008 R2 other than eliminating on reporting side.

Thanks for your help.
Post #1518975
Posted Tuesday, December 3, 2013 1:50 PM


SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, November 21, 2014 11:24 AM
Points: 153, Visits: 981
right.
Filtering Auditing was added in SQL 2012.


Andreas

---------------------------------------------------
MVP SQL Server
Microsoft Certified Master SQL Server 2008
Microsoft Certified Solutions Master Data Platform, SQL Server 2012
www.insidesql.org/blogs/andreaswolter
www.andreas-wolter.com
Post #1519402
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse