April 4, 2008 at 8:48 am
geno wald (4/3/2008)
This appears to be pretty much what I would want, except that I would like to be able to capture the machine name associated with the user who is making the connection. When I view the Activity Monitor in SSMS under the Management node, I can see the client computer name identified as "Host", but it is not clear how I can access that value from the trigger.The reason this would be helpful is that there might be several people who share access to an account. Using the client computer name to distinguish where the login came from would help identify the person making those ddl changes.
Within the database and/or server trigger you may create another variable to capture the hostname and any other information you would like from the sys.sysprocesses table.
e.g.
DELCARE @hostnm VARCHAR(50)
SELECT @hostnm = hostname
FROM sys.sysprocesses
WHERE loginame = suser_sname()
and cmd <> 'awaiting command'
You would then alter the tables hosting the information to add a column for host name. Finally, you may also want to capture the "net_address" column within the sys.sysprocesses table to get the MAC address of the network card as well as the hostname.
May 5, 2008 at 6:50 pm
I have a user (developer) that tried to alter a view in a db. He does not have rights to the db ("Admin") I write the 2 tables to. He DOES have rights to do what he was doing.
Granting him even write rights to the 2 audit tables seems counter intuitive; I thought the db and server triggers should execute in another security context... maybe this is my incorrect assumption. I don't want to turn on cross db ownership chaining-- that would expose me to a different set of risks when I am trying to ratchet those down.
His Error:
Msg 916, Level 14, State 1, Procedure trgMonitorChange, Line 33
The server principal "the users domain name" is not able to access the database "Admin" under the current security context
Any thoughts/recommendations?
May 6, 2008 at 7:53 am
Hi all,
Nice article.
I'm working in a similar trigger but I'm recording information in a table in a Linked server for consolidation issues, because I have several instances and several server and I need to collect all information in only a database, but when I try to the insert command, I only get a set of errors. I've checked previously the trigger in the local server and runs ok, but the fails appear when I try to execute from a remote server.
My insert command:
INSERT INTO [SRSQL1001\MANAGEMENT].[DBA_AUDIT].[dbo].[ENV_SRV_INS_DB_CHG]
([ENV_SRV_INS_DB_CHG_Server]
,[ENV_SRV_INS_DB_CHG_Name]
,[ENV_SRV_INS_DB_CHG_EventType]
,[ENV_SRV_INS_DB_CHG_PostTime]
,[ENV_SRV_INS_DB_CHG_Login]
,[ENV_SRV_INS_DB_CHG_TSQLCommand]
,[ENV_SRV_INS_DB_CHG_Completed])
values(@ServerName,@DBName,@EventType,@PostTime,@login,@TSQLCommand,@comp)
errors set
Msg 3984, Level 16, State 1, Line 1
Cannot acquire a database lock during a transaction change.
Msg 3985, Level 16, State 2, Line 1
An error occurred during the changing of transaction context. This is usually caused by low memory in the system. Try to free up more memory.
Msg 3984, Level 16, State 1, Line 1
Cannot acquire a database lock during a transaction change.
Msg 3985, Level 16, State 1, Line 1
An error occurred during the changing of transaction context. This is usually caused by low memory in the system. Try to free up more memory.
I have checked if I delete insert command database is created without errors.
Thanks in advance for your help
F.Racionero
Francisco Racionero
twitter: @fracionero
May 6, 2008 at 8:05 am
mstjean (5/5/2008)
I have a user (developer) that tried to alter a view in a db. He does not have rights to the db ("Admin") I write the 2 tables to. He DOES have rights to do what he was doing.Granting him even write rights to the 2 audit tables seems counter intuitive; I thought the db and server triggers should execute in another security context... maybe this is my incorrect assumption. I don't want to turn on cross db ownership chaining-- that would expose me to a different set of risks when I am trying to ratchet those down.
His Error:
Msg 916, Level 14, State 1, Procedure trgMonitorChange, Line 33
The server principal "the users domain name" is not able to access the database "Admin" under the current security context
Any thoughts/recommendations?
Perhaps I should have put something in my article regarding my intention for these triggers as I originally put them on production servers that had limited access. The database and server triggers will run in the security context of the individual account that is triggered by the DDL change. Therefore when the trigger goes off and wants to write the data to a separate database, that user requires write permission to the destination table.
In your case you have the following options:
1. Change the database trigger to point to an auditing table within the local database instead of a separate database and give that local auditing table write permissions to the developer.
2. Give the developer write permissions on the table that is in the auditing database. This may not be effective if you have more than one account making changes to your database.
June 27, 2008 at 11:22 am
Remember, though, that these database triggers will not catch changes from using sp_rename.
October 14, 2008 at 7:00 am
I love this article:
http://www.sqlservercentral.com/articles/Auditing/64176/
However, I would like to know how do you audit sp_rename?
Or to most DBAs this isn't important.
July 7, 2010 at 12:47 am
Look here for a full solution: http://www.sqlservercentral.com/Forums/Topic948331-149-1.aspx
December 6, 2010 at 6:18 am
I am looking for this page
http://www.sqlservercentral.com/Forums/Topic948331-149-1.aspx
What happened to it?
December 6, 2010 at 6:59 am
You can see an alternative "article" I wrote for this at:
http://www.sqlservercentral.com/Forums/Topic947481-391-1.aspx
September 26, 2011 at 4:54 pm
How are you guys handling when the server trigger kicks off when a user is in the dbcreator role but doesn't have access to insert into the table that houses all the ddl trigger events? Thks!
September 28, 2011 at 3:39 am
create trigger ServerAuditTrigger
on all server
-- Audit server level and database level into dbadata.dbo.ServerAudit
-- The database level is also audited into <database>.dbo.DatabaseAudit
with execute as ''server_audit''for ddl_events
October 18, 2012 at 10:35 am
@fracionero (5/6/2008)
My insert command:INSERT INTO [SRSQL1001\MANAGEMENT].[DBA_AUDIT].[dbo].[ENV_SRV_INS_DB_CHG]
([ENV_SRV_INS_DB_CHG_Server]
,[ENV_SRV_INS_DB_CHG_Name]
,[ENV_SRV_INS_DB_CHG_EventType]
,[ENV_SRV_INS_DB_CHG_PostTime]
,[ENV_SRV_INS_DB_CHG_Login]
,[ENV_SRV_INS_DB_CHG_TSQLCommand]
,[ENV_SRV_INS_DB_CHG_Completed])
values(@ServerName,@DBName,@EventType,@PostTime,@login,@TSQLCommand,@comp)
errors set
Msg 3984, Level 16, State 1, Line 1
Cannot acquire a database lock during a transaction change.
Msg 3985, Level 16, State 2, Line 1
An error occurred during the changing of transaction context. This is usually caused by low memory in the system. Try to free up more memory.
Msg 3984, Level 16, State 1, Line 1
Cannot acquire a database lock during a transaction change.
Msg 3985, Level 16, State 1, Line 1
An error occurred during the changing of transaction context. This is usually caused by low memory in the system. Try to free up more memory.
I have checked if I delete insert command database is created without errors.
Thanks in advance for your help
F.Racionero
Has anyone figured out a solution to this? My trigger record is being inserted into the other server, but I sill get these error messages.
Thanks!
JMB
Viewing 12 posts - 16 through 26 (of 26 total)
You must be logged in to reply to this topic. Login to reply