My company needed a solution to watch activity and logging on SQL Server Databases and Oracle databases. Many of the items needed in Oracle were already there with a job and couple triggers along with the built in Auditing. It passes SOX scrutiny, but now SQL had to show the same. (btw: the budget for this was axed, we gave management a 165K purchased solution : current budget, my time as DBA, full salary...so it does not matter how many hours)
Anyway. I came up with a multi-part solution that has satisfied the auditors for now. Any person with real IT experience will see wholes big enought to drive a mack truck through it, but like I said, it was to suffice the auditors.
First I used created my own audit trace. I narrowed down the events to what we wanted to track and the information we wanted to store. If the sql server stops/starts it automatically starts again. The records are processsed twice a day from the flat files into a database table. From there I wrote procedures/views to process the data I need to report on. I crossed the view with a rules table to kick out records that need to be shown on the report. I then set up SSRS (sql server reporting services) 2005 to generate the report. Each morning the report is generated along with the rules, so auditors can compare the rules (ever changing) with the report. I send a copy to the server and email the affected parties, directing them to look at the report. If your name shows up, you have to initial the report, put in a comment. The report is printed by IS security, and people on the report have to initial with pen.
Lots of holes, some good infor came from it, and it got SOX auditors off our back. Until next quarter at least.