Getting Database-Level Audit Logs Without Database Audit Specification

auditsql serversql server 2014

I have server level auditing on SQL Server 2014.
Why am I receiving database-level audit events (such as SELECT, INSERT, UPDATE, DELETE, etc.), even though there are no database audit specifications?

I see these, for example running the following command:

SELECT *
FROM fn_get_audit_file('\Audit\*', DEFAULT, DEFAULT)
WHERE [action_id] = 'SL'

But I have not specified database auditing. The following commands come back with no results:

SELECT * FROM sys.database_audit_specifications
SELECT * FROM sys.database_audit_specification_details

It's on Microsoft SQL Server 2014 Standard (SP1-GDR) – 12.0.4237.0

Best Answer

You probably defined the SCHEMA_OBJECT_ACCESS_GROUP for the server audit.

You can capture database level events at the server level, like above. This will then be applied for all databases. Above captures all SELECT etc on all tables and views on the entire instance.

This explains why you see SELECT events without having a database audit specification.

Related Solutions

Sql-server – Why is script with “ xp_cmdshell ” in comment failing with a transport level error

There is a connect item discussing (well discussing...) exactly this issue, so it appears to be a bug.

Text 'xp_cmdshell' causes transport-level error: semaphore timeout period has expired from remote system

It appears that the string causes problems, not only in comments but also anywhere it's used as an exact string so even

SELECT 'xp_cmdshell'

results in the same error according to the bug report.

So it appears that the exact string xp_cmdshell is indeed the problem, unfortunately the connect item is closed as "not reproducible".
That being said, I can't reproduce it (on a local connection) on my SQL 2014 (12.0.2000.8, Windows NT 6.3 (Build 9600: )) test system either, so the operating system is probably relevant. Executing the query from a local management studio vs over the network might also be relevant as noted in the connect item.

So you could either work around it by changing the exact text (as you did) or try to reopen the connect item or file a bug report through Microsoft Support.

Sql-server – SQL Server Audit not tracking changes at the database level

I think the main problem here - and please don't take offense - is that you're pointing and clicking in a GUI but not really sure what you're pointing and clicking at.

Here is an example that creates a server-level audit, then adds a database-level audit specification to track multiple operations on any object in the dbo schema.

USE master;
GO

-- create aserver audit
CREATE SERVER AUDIT Test_Server_Audit 
  TO FILE ( FILEPATH = 'C:\temp\' ); -- you may need to change that'
GO

-- turn it on
ALTER SERVER AUDIT Test_Server_Audit WITH (STATE = ON);
GO

-- create a demo database    
CREATE DATABASE floob;
GO
USE floob;
GO
CREATE TABLE dbo.blat(x INT);
GO

-- create a database audit specification that monitors for activity
-- against any dbo object:
CREATE DATABASE AUDIT SPECIFICATION Test_Database_Audit
    FOR SERVER AUDIT Test_Server_Audit
    ADD (SELECT, UPDATE, DELETE, INSERT, EXECUTE ON SCHEMA::dbo BY PUBLIC)
    WITH (STATE = ON);
GO

-- do a couple of things:
SELECT * FROM dbo.blat;
DELETE dbo.blat;
GO

-- you should see those couple of things in the audit file:
SELECT * FROM sys.fn_get_audit_file('C:\temp\*.sqlaudit', NULL, NULL);
GO

Now, clean up:

ALTER DATABASE AUDIT SPECIFICATION Test_Database_Audit
    WITH (STATE = OFF);
GO
DROP DATABASE AUDIT SPECIFICATION Test_Database_Audit;
GO
USE master;
GO
ALTER DATABASE floob SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
DROP DATABASE floob;
GO

ALTER SERVER AUDIT Test_Server_Audit
    WITH (STATE = OFF);
GO
DROP SERVER AUDIT Test_Server_Audit;
GO

I'd start at perhaps a higher conceptual level before pressing a bunch of buttons and hoping that they work.

Best Answer

Related Solutions

Sql-server – Why is script with “ xp_cmdshell ” in comment failing with a transport level error

Sql-server – SQL Server Audit not tracking changes at the database level

Related Question