Server-level DDL Trigger Error

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2005 » SQL Server 2005 General Discussion » Server-level DDL Trigger Error

16 posts, Page 1 of 2

1 2 »»

Server-level DDL Trigger Error

Rate Topic

Display Mode

Topic Options

Author

Message

Brian Laws

Posted Monday, December 19, 2005 12:50 PM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, July 06, 2012 2:48 PM
Points: 182, Visits: 104

Greetings!

I've been working on a SQL 2005 project, and have really been excited about the new DDL triggers. I managed to implement some database-level DDL triggers successfully. However, I keep getting an error when I try to create a server-level DDL trigger. For several of the event groups, I keep getting the following error: Msg 1082, Level 15, State 1, Procedure tr_Server_Audit_Security, Line 44 "DROP_SERVER_ROLE_MEMBER" does not support synchronous trigger registration. I can't figure this one out for the life of me.

Here's a sample of the trigger I'm trying to create (BTW, this code works for database triggers, with some slight mods of course):

create trigger tr_Server_Audit_Security on all server
for drop_server_role_member
as
begin
set nocount on

begin try
insert into PrometheusAudit.dbo.Server_Audit
(
EventData
)
values
(
eventdata()
)
end try
begin catch
-- Raise the error to the user and record in the PrometheusErrors.dbo.Errors table
declare @error_message nvarchar(4000), @error_number int, @error_state int, @error_severity int, @error_procedure nvarchar(126), @error_line int
select @error_number = error_number(), @error_state = error_state(), @error_severity = error_severity(), @error_procedure = error_procedure(), @error_line = error_line()

set @error_message = left('Error auditing server security transaction. Error Message: ' + error_message(), 4000)
raiserror(70004, @error_severity, @error_state, @error_message)

exec PrometheusErrors.dbo.usp_WriteError @error_message, @error_number, @error_state, @error_severity, @error_procedure, @error_line
end catch
end

I get the same error if I only have one line in the trigger body. I've only been able to get this to work using the following event groups: ddl_login_events, ddl_gdr_server_events, ddl_authorization_server_events. My goal is to use the single ddl_server_security_events event group.

Does anyone have any clue as to what's going on here? Thanks a ton!

Post #245308

Brian Laws

Posted Monday, December 19, 2005 12:53 PM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, July 06, 2012 2:48 PM
Points: 182, Visits: 104

Wierd ... it got rid of all my indentation (spaces). Sorry about that.

Post #245310

peterhe

Posted Tuesday, December 20, 2005 8:01 AM

Mr or Mrs. 500

Group: General Forum Members
Last Login: Wednesday, February 20, 2013 10:51 AM
Points: 531, Visits: 416

Are you using rtm? according to bol, DROP_SERVER_ROLE_MEMBER is not a server scope ddl event/event group.

Post #245538

Brian Laws

Posted Tuesday, December 20, 2005 8:11 AM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, July 06, 2012 2:48 PM
Points: 182, Visits: 104

Yes, I'm using RTM. My BOL indicates that it actually is a server-scope ddl. It's parent is DDL_SERVER_SECURITY_EVENTS. I'm ultimately trying to capture that ddl group, but I've narrowed down the issue to at least this one event. It's not listed in the table under the "Event Groups for Use with DDL Triggers" BOL topic, but it's listed as a child of DDL_SERVER_SECURITY_EVENTS if you look up that topic directly in BOL.

I've found so far that the new BOL leaves some things to be desired... Thanks!

Post #245542

peterhe

Posted Tuesday, December 20, 2005 8:24 AM

Mr or Mrs. 500

Group: General Forum Members
Last Login: Wednesday, February 20, 2013 10:51 AM
Points: 531, Visits: 416

check this: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/a3d3c1a5-6ca0-465b-b1d4-f197dd2b682d.htm in bol

Post #245546

Brian Laws

Posted Tuesday, December 20, 2005 8:51 AM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, July 06, 2012 2:48 PM
Points: 182, Visits: 104

Right, I see what you mean. However, these are individual DDL statements, not group events. ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/ca518b24-6451-445c-952d-101fccef87fa.htm defines that there are two types of events: one or more particular DDL statements and a predefined group of DDL statements. The link you gave was the definition of the former. But there's still a whole bunch of DDL events which are included under the groups: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/fb2a7bd0-2347-488c-bb75-734098050c7c.htm. You can look up each individually in BOL to see what is included in the groups. Unfortunately, the BOLs are very lacking in this. It only shows the XML definition and what the parent or children are.

It does, though, indicate that only some of the groups are usable in DDL triggers. But it doesn't say which ones. The chart of DDL events explicitly lists DDL_SERVER_SECURITY_EVENTS as a valid group. However, it gives me the same error. So that's when I tried it's children instead of the single group, thus narrowing it down to that one event. So I suspect that text about only some groups working is just boilerplate language for each of the events.

Post #245562

Brian Laws

Posted Friday, March 31, 2006 1:56 PM

SSC-Enthusiastic

Group: General Forum Members
Last Login: Friday, July 06, 2012 2:48 PM
Points: 182, Visits: 104

Well, I never was able to get that trigger to work. However, I found another way to do it: event notifications and the Service Broker. I created a Service Broker service which will respond to the DDL groups. I may write an article on how I put all this together, since it took me a long time to figure out. It's working pretty well, as it is auditing all DDL events (except for the create statistics one, since I don't really care about it) into a table. So far, it looks like I've got the solution.

Thanks for your help!

Post #270299

mobasha

Posted Sunday, April 27, 2008 3:11 AM

Say Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284

hi
am having the same problem, and am wondering have u wrote this article or not??
i need to see ur solution.
thanks

..>>..

MobashA

Post #491114

Carl Federl

Posted Sunday, April 27, 2008 9:00 AM

SSCrazy

Group: General Forum Members
Last Login: Today @ 9:27 AM
Points: 2,224, Visits: 4,085

Under SQL Server 2005, the add_server_role_member and drop_server_role_member may only be used with event notification and cannot be used with DDL Triggers. The reasoning is that since only a login with sysadmin rights can affect server role membership and a sysadmin can always disable the trigger, triggers are not reliable.

However, SQL Server 2008 10.0.1075, does support triggers on the server role membership event.

SQL = Scarcely Qualifies as a Language

Post #491131

mobasha

Posted Sunday, April 27, 2008 1:28 PM

Say Hey Kid

Group: General Forum Members
Last Login: Sunday, January 29, 2012 1:45 AM
Points: 710, Visits: 1,284

its earlly for my company to use 2008, so am stick with 2005.\any way im trying to use the code in the post but am trying to recored AUDIT_ADD_MEMBR_TO_DB_RLOE_EVENT but i cant get the role the user has been add to, i dont know why?

..>>..

MobashA

Post #491146

« Prev Topic | Next Topic »

16 posts, Page 1 of 2

1 2 »»

Permissions