Server-level DDL Trigger Error

  • Greetings!

    I've been working on a SQL 2005 project, and have really been excited about the new DDL triggers. I managed to implement some database-level DDL triggers successfully. However, I keep getting an error when I try to create a server-level DDL trigger. For several of the event groups, I keep getting the following error: Msg 1082, Level 15, State 1, Procedure tr_Server_Audit_Security, Line 44 "DROP_SERVER_ROLE_MEMBER" does not support synchronous trigger registration. I can't figure this one out for the life of me.

    Here's a sample of the trigger I'm trying to create (BTW, this code works for database triggers, with some slight mods of course):

    create trigger tr_Server_Audit_Security on all server
    for drop_server_role_member
    as
    begin
        set nocount on

        begin try
            insert into PrometheusAudit.dbo.Server_Audit
            (
                EventData
            )
            values
            (
                eventdata()
            )
        end try
        begin catch
            -- Raise the error to the user and record in the PrometheusErrors.dbo.Errors table
            declare @error_message nvarchar(4000), @error_number int, @error_state int, @error_severity int, @error_procedure nvarchar(126), @error_line int

            select @error_number = error_number(), @error_state = error_state(), @error_severity = error_severity(), @error_procedure = error_procedure(), @error_line = error_line()

            set @error_message = left('Error auditing server security transaction. Error Message: ' + error_message(), 4000)

            raiserror(70004, @error_severity, @error_state, @error_message)

            exec PrometheusErrors.dbo.usp_WriteError @error_message, @error_number, @error_state, @error_severity, @error_procedure, @error_line
        end catch
    end

    I get the same error if I only have one line in the trigger body. I've only been able to get this to work using the following event groups: ddl_login_events, ddl_gdr_server_events, ddl_authorization_server_events. My goal is to use the single ddl_server_security_events event group.

    Does anyone have any clue as to what's going on here? Thanks a ton!

  • Weird ... it got rid of all my indentation (spaces). Sorry about that.

  • Are you using RTM? According to BOL, DROP_SERVER_ROLE_MEMBER is not a server-scope DDL event/event group.

  • Yes, I'm using RTM. My BOL indicates that it actually is a server-scope DDL event. Its parent is DDL_SERVER_SECURITY_EVENTS. I'm ultimately trying to capture that DDL group, but I've narrowed down the issue to at least this one event. It's not listed in the table under the "Event Groups for Use with DDL Triggers" BOL topic, but it's listed as a child of DDL_SERVER_SECURITY_EVENTS if you look up that topic directly in BOL.

    I've found so far that the new BOL leaves some things to be desired... Thanks!

  • check this: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/a3d3c1a5-6ca0-465b-b1d4-f197dd2b682d.htm in bol

  • Right, I see what you mean. However, these are individual DDL statements, not group events. ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/ca518b24-6451-445c-952d-101fccef87fa.htm defines that there are two types of events: one or more particular DDL statements and a predefined group of DDL statements. The link you gave was the definition of the former. But there's still a whole bunch of DDL events which are included under the groups: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/fb2a7bd0-2347-488c-bb75-734098050c7c.htm. You can look up each individually in BOL to see what is included in the groups. Unfortunately, the BOLs are very lacking in this. It only shows the XML definition and what the parent or children are.

    It does, though, indicate that only some of the groups are usable in DDL triggers. But it doesn't say which ones. The chart of DDL events explicitly lists DDL_SERVER_SECURITY_EVENTS as a valid group. However, it gives me the same error. So that's when I tried its children instead of the single group, thus narrowing it down to that one event. So I suspect that text about only some groups working is just boilerplate language for each of the events.

  • Well, I never was able to get that trigger to work. However, I found another way to do it: event notifications and the Service Broker. I created a Service Broker service which will respond to the DDL groups. I may write an article on how I put all this together, since it took me a long time to figure out. It's working pretty well, as it is auditing all DDL events (except for the create statistics one, since I don't really care about it) into a table. So far, it looks like I've got the solution.

    Thanks for your help!

  • Hi,

    I am having the same problem, and am wondering whether you have written this article or not?

    I need to see your solution.

    thanks

    ..>>..

    MobashA

  • Under SQL Server 2005, the add_server_role_member and drop_server_role_member may only be used with event notification and cannot be used with DDL Triggers. The reasoning is that since only a login with sysadmin rights can affect server role membership and a sysadmin can always disable the trigger, triggers are not reliable.

    However, SQL Server 2008 10.0.1075 does support triggers on the server role membership event.

    SQL = Scarcely Qualifies as a Language
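    The event-notification route Brian describes earlier in the thread, and the SQL Server 2005 restriction explained in the reply above (ADD_SERVER_ROLE_MEMBER / DROP_SERVER_ROLE_MEMBER only reachable through event notifications), as an added T-SQL example. This is not the thread's attached scripts and not Brian's code: it assumes a database named PrometheusAudit with Service Broker enabled, and the table, queue, service, notification and procedure names are chosen here for illustration.

    ```sql
    -- Event notification + Service Broker audit of server-level security DDL (example, not the thread's scripts).
    -- Assumes: ALTER DATABASE PrometheusAudit SET ENABLE_BROKER; has already been run.
    USE PrometheusAudit;
    GO

    -- Audit table: common EVENT_INSTANCE elements shredded into columns, full XML kept for event-specific details
    -- (e.g. the role name carried by ADD/DROP_SERVER_ROLE_MEMBER events).
    CREATE TABLE dbo.Server_Security_Audit (
        AuditID      int IDENTITY(1,1) PRIMARY KEY,
        EventType    nvarchar(128)  NULL,
        PostTime     datetime       NULL,
        SPID         int            NULL,
        ServerName   nvarchar(128)  NULL,
        LoginName    nvarchar(128)  NULL,
        CommandText  nvarchar(max)  NULL,
        EventData    xml            NOT NULL
    );
    GO

    -- Queue and service bound to the Microsoft-supplied event-notification contract.
    CREATE QUEUE dbo.ServerSecurityAuditQueue;
    GO
    CREATE SERVICE ServerSecurityAuditService
        ON QUEUE dbo.ServerSecurityAuditQueue
        ([http://schemas.microsoft.com/SQL/Notifications/PostEventNotification]);
    GO

    -- Activation procedure: drains the queue and writes each event to the audit table.
    CREATE PROCEDURE dbo.usp_ProcessServerSecurityAudit
    AS
    BEGIN
        SET NOCOUNT ON;
        DECLARE @handle uniqueidentifier, @message_type sysname, @body xml;

        WHILE (1 = 1)
        BEGIN
            BEGIN TRANSACTION;
            WAITFOR (
                RECEIVE TOP (1)
                    @handle       = conversation_handle,
                    @message_type = message_type_name,
                    @body         = CAST(message_body AS xml)
                FROM dbo.ServerSecurityAuditQueue
            ), TIMEOUT 5000;

            IF (@@ROWCOUNT = 0)
            BEGIN
                ROLLBACK TRANSACTION;   -- queue empty, let the activated reader exit
                BREAK;
            END

            IF @message_type = N'http://schemas.microsoft.com/SQL/Notifications/EventNotification'
            BEGIN
                INSERT INTO dbo.Server_Security_Audit
                    (EventType, PostTime, SPID, ServerName, LoginName, CommandText, EventData)
                SELECT
                    @body.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(128)'),
                    @body.value('(/EVENT_INSTANCE/PostTime)[1]',   'datetime'),
                    @body.value('(/EVENT_INSTANCE/SPID)[1]',       'int'),
                    @body.value('(/EVENT_INSTANCE/ServerName)[1]', 'nvarchar(128)'),
                    @body.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
                    @body.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
                    @body;
            END
            ELSE IF @message_type IN (N'http://schemas.microsoft.com/SQL/ServiceBroker/EndDialog',
                                      N'http://schemas.microsoft.com/SQL/ServiceBroker/Error')
            BEGIN
                END CONVERSATION @handle;   -- close the dialog the server opened for this notification
            END

            COMMIT TRANSACTION;
        END
    END;
    GO

    ALTER QUEUE dbo.ServerSecurityAuditQueue
        WITH ACTIVATION (
            STATUS = ON,
            PROCEDURE_NAME = dbo.usp_ProcessServerSecurityAudit,
            MAX_QUEUE_READERS = 1,
            EXECUTE AS OWNER);
    GO

    -- Server-scope notification for the whole group the original poster wanted; 'current database'
    -- routes it to the broker instance of PrometheusAudit.
    CREATE EVENT NOTIFICATION ServerSecurityAuditNotification
        ON SERVER
        FOR DDL_SERVER_SECURITY_EVENTS
        TO SERVICE 'ServerSecurityAuditService', 'current database';
    GO

    -- Check that the notification was registered (it will appear here even though the equivalent trigger fails).
    SELECT name, event_group_type_desc FROM sys.server_event_notifications;
    ```

    Two caveats follow from the reply above. Delivery is asynchronous, so the DDL completes before the row is written and nothing here blocks the change; the table is evidence for later review, not a control. And the notification is a server-scope object, so a sysadmin can drop it exactly as they could disable the trigger; the audit is only as trustworthy as the separation between the people who administer the instance and the people who review PrometheusAudit.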

  • It's early for my company to use 2008, so I am stuck with 2005. Anyway, I'm trying to use the code in the post, but I am trying to record AUDIT_ADD_MEMBER_TO_DB_ROLE_EVENT and I can't get the role the user has been added to; I don't know why.

    ..>>..

    MobashA

  • Hi Brian,

    Just wondering if you ever posted an article to regarding your solution?

    Thanks

    Ryan

  • No, I never did. I've mentally moved on to other things, so I doubt I'll be doing it.

    I found all the scripts and I attached them to this post. It's got everything you need, including install batch files. It's got the database itself, a viewer role, tables, stored procs, views, etc. There's also a test script in there. I commented everything pretty heavily, so it's almost an article. Hopefully it will all be clear. Let me know if anything is missing and I'll try to get it. I'll try to answer any questions anybody might have about it.

    It's a pity that SQL 2008 discontinued Notification Services. So, this solution is only good for SQL 2005. But hopefully it will be useful for people.

  • Brian,

    Thanks for the quick response.

    I am getting the following error for the two SPs

    missing table 'Errors.dbo.usp_WriteError'

    Is there anything I have to do to initiate the system?

    Thanks

  • No problem at all. Glad to help.

    Here's my Errors database, which contains the proc and table. This is my standard, BTW. I don't like doing error logging or the like in the primary database because a rogue process could cause the database or the disk to fill up. This database has a max size, so it won't crash anything if it fills up. You'll notice I also have a standard proc template which includes a call to that errors proc. So far, it's worked really well.

  • Brian

    Thanks for all your help. Hopefully, I can test this out next week on a clean system, since it's not working on my testing environment. Is there any initialization process I need to start things running?

    Thanks again.
