Sql-server – Auditing sysadmin logons with Extended Events

sql server

The goal is to audit sysadmin logons as efficiently and safely as possible without auditing logons of other users, so as not to be logging excessive data.

I have found the information on auditing sysadmin logons by using a logon trigger, and in general that would accommodate our needs. However it does have the drawback of being synchronous, which means that users can't log on if the trigger fails for some reason, and it will slow down their logon a tiny bit.

With the logon trigger, I can use IF IS_SRVROLEMEMBER ('sysadmin') = 1 to dynamically determine if the user is a sysadmin, but something like this does not appear to be possible with audit objects. It appears that audit filters have to be a simple server_principal_name = 'domain\username' (i.e., you can't use any SELECTs or functions to determine if the user is a sysadmin).

So the only thing left that might even be possible, as far as I've found, is using Extended Events, so I wanted to ask the community if this is something I should bother looking into. The event would probably have to capture all logons (again, as the filters can't run code), and then we'd have to have something that consumes the event to filter and log the relevant activity.

Best Answer

This may work for you, but by no means do I consider it elegant (or even good for that matter).

First, configure the server to log all successful and failed logins.

USE [master]
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3

Now, to audit those logins that are in the SYSADMIN fixed server role, you can run through the following process:

    ProcessInfo VARCHAR(20) NULL,

exec xp_readerrorlog 0, 1, N'Login succeeded', NULL, NULL, NULL, N'DESC'

    SELECT IS_SRVROLEMEMBER('sysadmin', SUBSTRING([Text], CHARINDEX(CHAR(39), [Text]) + 1, CHARINDEX(CHAR(39), [Text], CHARINDEX(CHAR(39), [Text]) + 1) - CHARINDEX(CHAR(39), [Text]) - 1)) AS isSysAdmin
    , SUBSTRING([Text], CHARINDEX(CHAR(39), [Text]) + 1, CHARINDEX(CHAR(39), [Text], CHARINDEX(CHAR(39), [Text]) + 1) - CHARINDEX(CHAR(39), [Text]) - 1) AS loginName
    , *
    FROM #ErrorLog
) InstanceLogins
WHERE isSysAdmin = 1


What this does is pull all successful logins from the current error log, identify the login name, and pass it into the IS_SRVROLEMEMBER function you were already tying into with your Login Trigger approach.

This will potentially balloon your ERRORLOG, but it won't block/slow logins like a failing trigger may cause. It will also provide login times and if you have some SQL Auditing in place, you may be able to correlate these with activity, etc. At any rate, I think this will give you what you're looking for. Final note: you don't have to audit the failed logins, but I find that information more useful than not.