Post reply

The audit file has not been deleted.

  • February 12, 2024 at 9:47 pm

    #4377555

    Hello

    I recently set up an audit on my server to track some connections.

    ,The audit works correctly without any problems.

    The only problem is that I get an error message like SQL Server can no longer delete

    This is how my audit configuration looks.he old audit file.

    Sans titre2Sans titre

    Would anyone of you have an idea on how to handle this error?

    FYI the file is deleted after a few minutes

    Thanks

     

    Attachments:
    You must be logged in to view attached files.

  • February 13, 2024 at 9:17 am

    #4377815

    CreateFile error 32 is something held a handle on the file and SQL couldn't delete it.

    So something was reading/writing/touching the old audit file in some way.

    Best thing you can do is get a copy of procmon and handle from the sysinternals tool, run this while a file rollover happens (your just going to have to keep it running and find the next occurrence of the error 32), then see what process is using the file preventing SQL from accessing it.

    While your waiting for that ensure all the right exclusions have been put into your AntiVirus/Malware/Security Software, as these will be the general ones which will be preventing deletion.

    Additionally look at the output of "fltmc" in a admin command prompt and tie the altitude numbers to this list

    https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes

    Anything that isn't a Microsoft filter driver see what it is and if it has exclusions available to it to stop it scanning drives/files etc

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply