What, When and who? Auditing 101

  • Roy Ernest

    SSC-Dedicated

    Points: 38707

    Comments posted to this topic are about the item What, When and who? Auditing 101

    -Roy

  • SQLRNNR

    SSC Guru

    Points: 281205

    Nice job Roy.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • andre.quitta

    SSCommitted

    Points: 1865

    The article was thorough and straighforward.

    I find the problem with ChangeTracking and ChangeDataCapture is that there is so much hardcoding going on. That means whenever you add or delete a column, it is another area that needs to be touched. Plus the queries are pretty unwieldly and verbose.

    There is a need in my group to send out an email when anything changes among multiple tables. That would be a very long query, and pretty unwieldy.

    I have a lot going on with dynamic SQL to do that, but there is a performance hit.

  • Johan Bijnens

    SSC Guru

    Points: 134265

    Great job, Roy.

    It's been my pleasure to help out.:smooooth:

    Johan


    Dont drive faster than your guardian angel can fly ...
    but keeping both feet on the ground wont get you anywhere :w00t:

    - How to post Performance Problems
    - How to post data/code to get the best help[/url]

    - How to prevent a sore throat after hours of presenting ppt ?

    press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me[/url] :alien: but most of the time this is me :hehe:

  • Ron McCullough

    SSC Guru

    Points: 63877

    Nice article Roy ... now waiting for the follow up article ..

    If everything seems to be going well, you have obviously overlooked something.

    Ron

    Please help us, help you -before posting a question please read[/url]
    Before posting a performance problem please read[/url]

  • Roy Ernest

    SSC-Dedicated

    Points: 38707

    Thx everyone. It was fun writing this series. I need to finish the SQL Audit in the coming week so that I can send it to you guys for review before I submit. I have already submitted CDC and I am waiting for it to be reviewed.

    Andre, What I saw in CT is that it is using the old Tran replication technology to get the job done. For instance, if you add a column you have to do so many things to get the CT to track the changes just like replication of SQL 2000.

    -Roy

  • Evil Kraig F

    SSC Guru

    Points: 100851

    Roy, an excellent walkthrough on the mechanics of something I've basically avoided. You highlighted its difficulties and its uses quite well.

    Thanks for the article.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions[/url] | Forum Netiquette
    For index/tuning help, follow these directions.[/url] |Tally Tables[/url]

    Twitter: @AnyWayDBA

  • Andre Guerreiro

    SSCertifiable

    Points: 7319

    Excelent article, Roy.

    I'm thinking that one of the ideal business solutions to use CT is for database synchronization from mobile devices or off-site databases.

    To help CT become more "auditable", maybe we could use the syntax:

    WITH CHANGE_TRACKING_CONTEXT(@context)

    --<INSERT or UPDATE command here>

    and send some information about the username or changes inside the @context VARBINARY(128) column. Is there a limitation for using the CT context and would it also become a major pain to maintain like described in the article?

    Change Tracking comes with all SQL Server editions so it's a great little feature to have at our disposal. 🙂

    Best regards,

    Best regards,

    Andre Guerreiro Neto

    Database Analyst
    http://www.softplan.com.br
    MCITPx1/MCTSx2/MCSE/MCSA

  • David In BC

    SSC-Addicted

    Points: 466

    I am not sure I agree with,

    "Data auditing is the process of doing a profile check and assessing the quality of data, to find how accurate it is. This can be achieved by keeping track of all the data changes."

    A couple of points:

    - you can't always know that data is correct. If the data is based on mathematical formula, and you have the inputs, you can. But you can't tell that my mobile telephone number is correct, or my date of birth. At least not without external validation. Quality is abstract.

    - auditing goes beyond changing data. Tracking the viewing of data, or the printing of data, is very important. Examples can include celebrities who are hospitalized - you want to know if 300 hospital workers are viewing the patients chart (and shouldn't be).

    I like this definition better: "[a] systematic examination of information use, resources and flows, with a verification by reference to both people and existing documents, in order to establish the extent to which they are contributing to an organisation’s objectives"

    But interesting article.

    David

  • Andre Guerreiro

    SSCertifiable

    Points: 7319

    Just one small correction: ALLOW_SNAPSHOT_ISOLATION is not needed for Change Tracking but it's the probably the safer way to use it with.

    Best regards,

    Best regards,

    Andre Guerreiro Neto

    Database Analyst
    http://www.softplan.com.br
    MCITPx1/MCTSx2/MCSE/MCSA

  • tymberwyld

    SSCertifiable

    Points: 7810

    When SQL 2005 came out, I cringed at the way SQL Notification services worked and basically threw it out the window as an option for change tracking. However, I re-tooled the same concept using SQL Service Broker, and using a simple, generic Trigger, was able to audit ANY table's changes (real-time, with both previous and new values) asynchronously and we were able to audit all databases into one or many audit databases if we wished. Views were created against the meta-data to make "pseudo" tables which resembled the originals, so comparisons could be made. Anyway, it's worked for years and was completely scalable. If we wanted to move the auditing database(s) to another server, it was as easy as "changing the channel" on the service broker, no messy Trigger or Proc changes.

  • Roy Ernest

    SSC-Dedicated

    Points: 38707

    codebyo (11/28/2011)


    Just one small correction: ALLOW_SNAPSHOT_ISOLATION is not needed for Change Tracking but it's the probably the safer way to use it with.

    Best regards,

    Andre, what you stated here is true. You do NOT need SNAPSHOT ISOLATION on but if you do not, you will need to do some extra work to make sure that all requirements are met. You can read here to get more details regarding how it should be done without snapshot isolation.

    EDIT : Regarding CHANGE_TRACKING_CONTEXT, it will work fine if all data changes are done only using applications. Then you have control of it and you get more context of the data change. It is a good info to pass to everyone. Thanks. I missed that in the article.

    -Roy

  • Roy Ernest

    SSC-Dedicated

    Points: 38707

    Thanks David for the compliment.

    To agree to the definition of an Audit is difficult. Everyone has their own take on it. Your definition is easier to understand as well. Thanks for sharing it. 🙂

    -Roy

  • Roy Ernest

    SSC-Dedicated

    Points: 38707

    Evil Kraig F (11/28/2011)


    Roy, an excellent walkthrough on the mechanics of something I've basically avoided. You highlighted its difficulties and its uses quite well.

    Thanks for the article.

    Thanks Craig. When I look back, I realized that I could have added a bit more in depth information.

    -Roy

  • Zero One

    SSC Veteran

    Points: 287

    Good article, thanks for the summary.

    The biggest issues I've encountered, save for a server side trace, is catching the originating hostname for the incoming connection. To me this is a critical aspect of "who" and without it, it can be difficult in tracking down an individual in the situation where a common SQL login is utilized by multiple individuals (or even a service account implemented on several servers). In this, SQL Server Audit is woefully lacking. Sure we *wish* we could always avoid folks using a SQL login but life is rarely perfect especially when you've inherited someone else's mess to straighten out. To me this is the whole point of auditing is catching non-standard activity but without capturing *correct* hostname you can't easily complete the picture of *who* (all hostname captured information in SQL Audit is the actual host SQL server or blank and not the host of the originating connection).

    This of course is Microsoft's issue to resolve, not the author's.

Viewing 15 posts - 1 through 15 (of 27 total)

You must be logged in to reply to this topic. Login to reply