Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Failure audits


Failure audits

Author
Message
PHXHoward
PHXHoward
Old Hand
Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)

Group: General Forum Members
Points: 371 Visits: 1214
Hello, I have enabled SQL Server Audit to write to the Application event log. Seems to be working fine but it is only logging success. How do I enable failure logging for things like select/insert/update/delete?

Thanks for reading.

Howard
Steve Jones
Steve Jones
SSC-Dedicated
SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)

Group: Administrators
Points: 36048 Visits: 18736
There is no logging for insert/update/deletes. You can enable SQL Trace, but you are potentially asking for a ton of data.

What are you trying to accomplish? Typically there isn't a "failure" of a select/insert/update/delete on a regular basis.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
PHXHoward
PHXHoward
Old Hand
Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)

Group: General Forum Members
Points: 371 Visits: 1214
SQL Server 2008 Audit allows auditing of a number of things including select/insert/update/delete. It is working properly for capturing these events to the Windows Application or event log but it is only capturing Audit Success. I have a requirement to capture audit failures too such as a select of a table that does not exist or where the user does not have access. I think it may be an option in the audit policy but not sure how to set it.

Here is an example entry:

Date      1/9/2012 6:51:27 PM
Log      Audit Collection (Audit-20120109-115026)

Event Time    18:51:27.9823720
Server Instance Name   <name here>
Action ID      SELECT
Class Type      TABLE
Sequence Number   1
Succeeded      True
Permission Bit Mask   0x0000000000000001
Column Permission   True
Session ID      61
Server Principal ID   259
Database Principal ID   1
Target Server Principal ID   0
Target Database Principal ID   0
Object ID      530100929
Session Server Principal Name   <user name>
Server Principal Name   <user name>
Server Principal SID   <id>
Database Principal Name   dbo
Target Server Principal Name   
Target Server Principal SID   NULL
Target Database Principal Name   
Database Name   DBA_Maintenance
Schema Name   dbo
Object Name   test
Statement      select * FROM [DBA_Maintenance].[dbo].[test]
Additional Information   
File Name      D:\dba\Audit-20120109-115026_xxx.sqlaudit
File Offset   6144
User Defined Event ID   0
User Defined Information   

Message
Steve Jones
Steve Jones
SSC-Dedicated
SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)SSC-Dedicated (36K reputation)

Group: Administrators
Points: 36048 Visits: 18736
Sorry, was thinking of something else when I posted, not SQL Server Audit, as in the feature.

In terms of auditing the SELECT/INSERT/UPDATE/DELETE, a database audit specification will do this, but it audits the execution of the statement. A "failure" isn't a failure of the statement. It's another error. If someone executes a SELECT against a non-existent table, that's not a SELECT failure, that could be seen as a syntax error, or an object reference error, but the SELECT hasn't failed. An insert that has a duplicate key value is an FK error, not an insert error.

If I understand it correctly from limited use, you will get all executions of the statement, which is defined per object, and you'd have to sort through them, maybe filtering on some keyword in the logs. I'm not sure you can limit it to just one particular type of execution.

Understanding Audit - http://msdn.microsoft.com/en-us/library/cc280386%28v=SQL.100%29.aspx
Create DB spec - http://msdn.microsoft.com/en-us/library/cc280404%28v=SQL.100%29.aspx

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
PHXHoward
PHXHoward
Old Hand
Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)Old Hand (371 reputation)

Group: General Forum Members
Points: 371 Visits: 1214
Thanks for helping me to understand.

I see now that if I give a user read only permission and they attempt to update a table, it will log a failure. This is very good.

The confusion was when I was expecting a user who runs a bad query such as a select of a table that does not exist that it would record that as well. But technicly as you say, it is a successful select but of non existant data. These type of things are not logged by SQL Server Audit but would help us to detect anyone who was fishing for data.

Thanks again.
Roy Ernest
Roy Ernest
SSCrazy
SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)SSCrazy (2.5K reputation)

Group: General Forum Members
Points: 2494 Visits: 6852
You could always go another route. That is to put a sniffer in front of the SQL Server that logs all incoming traffic. You do not need to log the Output. (It will be way too much data)

-Roy
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search