Sql-server – How to Audit 2 or more SQL Logins (server principals) using SQL Server Audit

auditsql server

I need to audit the few SQL Server Logins, I have used filters while creating Server Audit by using

CREATE SERVER AUDIT [audit123]
TO FILE 
(   FILEPATH = N'D:\'
    ,MAXSIZE = 2048 MB
    ,MAX_ROLLOVER_FILES = 6
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(   QUEUE_DELAY = 5000
    ,ON_FAILURE = CONTINUE
)
WHERE ([server_principal_name]='AAA')

But when I am including more SQL logins using where ([server_principal_name] in ('AAA','BBB','CCC')) it's giving error. I have tried using below but failed to create audit for 2 or more logins.

ALTER SERVER AUDIT audit123 WHERE server_principal_name ='BBB';
ALTER SERVER AUDIT audit123 WHERE server_principal_name ='CCC';

Best Answer

I believe you are using a part of SQL server audit specification in very first step:

Firstly you just need to create a server audit object using SQL Server Audit. Now in this audit section you are using where clause, which also requires a creation of sql server audit specification:
Check the permissions for altering an audit:

a)To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission.

b)Users with the ALTER ANY SERVER AUDIT permission can create server audit specifications and bind them to any audit.

Refer to below eg : from MSDN whihc might help you in understanding the audit using principals in where clause:

  CREATE DATABASE TestDB;
  GO
  USE TestDB;
  GO
  CREATE SCHEMA DataSchema;
  GO
  CREATE TABLE DataSchema.GeneralData (ID int PRIMARY KEY, DataField varchar(50) NOT NULL);
  GO
  CREATE TABLE DataSchema.SensitiveData (ID int PRIMARY KEY, DataField varchar(50) NOT NULL);
   GO
    -- Create the server audit in the master database
 USE master;
 GO
  CREATE SERVER AUDIT AuditDataAccess
  TO FILE ( FILEPATH ='C:\SQLAudit\' )
 WHERE object_name = 'SensitiveData' ;
 GO
 ALTER SERVER AUDIT AuditDataAccess WITH (STATE = ON);
  GO
 -- Create the database audit specification in the TestDB database
  USE TestDB;
  GO
CREATE DATABASE AUDIT SPECIFICATION [FilterForSensitiveData]
FOR SERVER AUDIT [AuditDataAccess] 
ADD (SELECT ON SCHEMA::[DataSchema] BY [public])
WITH (STATE = ON);
GO
-- Trigger the audit event by selecting from tables
 SELECT ID, DataField FROM DataSchema.GeneralData;
 SELECT ID, DataField FROM DataSchema.SensitiveData;
 GO
 --- Check the audit for the filtered content
  SELECT * FROM fn_get_audit_file('C:\SQLAudit\AuditDataAccess_*.sqlaudit',default,default);
   GO

Related Solutions

Sql-server – Can’t create Windows Login’s on a case sensitive SQL Server 2005 Instance – MSG 15401

You chose a case sensitive collation when installing SQL Server

You will have "CS" in this result:

 SELECT SERVERPROPERTY('Collation')

You either live with it or rebuild the master database

Sql-server – Timeout expired error while using copy database wizard

A much more efficient path than messing with that wizard would be to:

Take a full backup of your 2000 database.
Restore it to a SQL 2005, 2008 or 2008 R2 instance, all of which support 2000 databases. You can still get the evaluation edition of 2008 R2 here, if you don't have any applicable instances in place. Note that Express won't work as it has a 4GB / 10GB data file limitation depending on version.
Change the compatibility level to something above 80 (90 or 100, depending on whether you used 2005 or 2008/2008 R2) using ALTER DATABASE.
Take a full backup of this database after it is no longer in 80 compatibility mode.
Restore this new backup to your SQL Server 2012 instance.
Change the compatibility level to 110 and update statistics.
TEST.

Best Answer

Related Solutions

Sql-server – Can’t create Windows Login’s on a case sensitive SQL Server 2005 Instance – MSG 15401

Sql-server – Timeout expired error while using copy database wizard

Related Question