
Auditing


AUDITING

The SQL Server Audit feature:

Auditing an instance of SQL Server or a SQL Server database involves tracking and logging events that occur on the system. You can use several methods of auditing for SQL Server, as described in Auditing (Database Engine). Beginning in SQL Server 2008 Enterprise, you can also set up automatic auditing by using SQL Server Audit.

The feature audits events on two levels: the server level and the database level. Each audit level is configured independently, which provides flexibility and fine-grained auditing.

The overhead of the feature is lighter than that of auditing with SQL traces, but the overall impact depends on how busy the database is and how many events you want to audit.

“An audit is the combination of several elements into a single package for a specific group of server actions or database actions. The components of SQL Server audit combine to produce an output that is called an audit” [1]

The audit information can be saved in a binary file, Windows event log, or SQL Server event log. The output file is also called a target. As the events pile up, the target files can grow large, so it’s recommended to regularly review and archive them. To prevent audit information leaks, make sure that access to these files is granted only to privileged users.

Configuration:

1. Server-level:

The first step is to create a new audit by right-clicking on the Audit folder inside of the Security folder found in SSMS.

1. Go to Security->Audit


You need to input a file path in order to proceed. You can also set parameters for the file size and reserve disk space for the files. However, you cannot reserve disk space if your file size is set to unlimited.

After you click OK, you will have created a server audit. At this point you have created an audit for the instance, but have not specified what to audit.

2. ENABLE AUDIT

SELECT AUDIT->RIGHT CLICK->ENABLE

3. Next, specify what to audit, first by right-clicking on 'Server Audit Specifications' as follows:


Note that here we are creating an audit for the server, or instance level.

4. ENABLE SERVER AUDIT SPECIFICATION

SELECT AUDIT-> SERVER AUDIT SPECIFICATION ->

RIGHT CLICK ON SERVER AUDIT SPECIFICATION ->ENABLE

Database-level:

In order to create a database audit you would navigate in SSMS to the database you want to audit and expand the security folder as follows:

Go to Database->security->Database Audit Specification


You can right-click on the Database Audit Specifications folder to create a new database audit. Each type of audit specification has a distinct set of options to select from. For this example we will continue with a database specification:

ENABLE YOUR DATABASE AUDIT SPECIFICATION

SELECT DATABASE->SECURITY->DATABASE AUDIT SPECIFICATION->

RIGHT CLICK ON DATABASE AUDIT SPECIFICATION ->ENABLE

Select the server audit by clicking in the dropdown window. Then select an audit action type. In the example above I have selected a handful of action types and associated object classes, object names, and principal names. Click OK and the audit specification is created.

At this point we have created a server audit and a database audit specification that is associated with the server audit. Neither of these is enabled. You can enable them by right-clicking on each and selecting 'enable'.
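The same server-level and database-level configuration can be scripted in T-SQL, which makes it reviewable and repeatable across instances. This is an added example, not part of the original document; the audit and specification names, the file path, the database `SalesDb` and the table `dbo.Customers` are hypothetical placeholders, and the chosen action groups are only one possible selection. The final query reads the file target directly, as a scripted counterpart to the log viewer.

```sql
-- Added example: T-SQL equivalent of the SSMS steps described on this page.
-- All object names, the path, the database and the table are placeholders.
USE master;
GO

-- Server audit with a binary file target. The folder should be readable only
-- by privileged accounts. RESERVE_DISK_SPACE = ON is rejected when MAXSIZE is
-- UNLIMITED, which matches the restriction in the SSMS dialog.
CREATE SERVER AUDIT [Audit_Example]
TO FILE (
    FILEPATH = N'D:\SQLAudit\',
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 20,
    RESERVE_DISK_SPACE = ON
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- A new audit is created disabled; enable it explicitly.
ALTER SERVER AUDIT [Audit_Example] WITH (STATE = ON);
GO

-- Server-level specification: what to record for the whole instance.
CREATE SERVER AUDIT SPECIFICATION [ServerSpec_Example]
FOR SERVER AUDIT [Audit_Example]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)          -- records changes to the audit itself
WITH (STATE = ON);
GO

-- Database-level specification, bound to the same server audit.
USE [SalesDb];
GO
CREATE DATABASE AUDIT SPECIFICATION [DbSpec_Example]
FOR SERVER AUDIT [Audit_Example]
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Read the collected events from the file target.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\Audit_Example_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```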

Once enabled, SQL Server Audit is now collecting information. You can review the details by right-clicking on the server audit and selecting 'View Audit Logs'.


And the viewer should resemble the following: