On my Mssql 2008r2 I created a server audit for all login and logout:
USE MASTER
GO
CREATE SERVER AUDIT audit_test
TO FILE (FILEPATH = 'D:\Audit')
GO
CREATE SERVER AUDIT SPECIFICATION audit_test_spec
FOR SERVER AUDIT [audit_test]
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (LOGOUT_GROUP)
WITH (STATE=ON)
GO
For maximum file space I have set 1024 MB, more than enough.
However, when from the SQL Server Management Studio I go to security/audits/audit_test/view audit logs it only displays exactly the latest 1.000 rows. On the other hand, the file produced by the audit is 317 MB, so I guess it has more than 1.000 rows.
I even tried setting a filter, but it did not help: no line appear outside the latest 1.000.
How do I read the audit log file?
Best Answer
Have you tried reading your audit using sys.fn_get_audit_file?
The CREATE SERVER audit TSQL command you used did not specify
MAXSIZE = { max_size } The default value is UNLIMITED.
MAX_ROLLOVER_FILES ={ integer | UNLIMITED} The default value is UNLIMITED.
MAX_FILES =integer Specifies the maximum number of audit files that can be created. Does not rollover to the first file when the limit is reached. When the MAX_FILES limit is reached, any action that causes additional audit events to be generated will fail with an error.
Not sure what the default is for MAX_FILES but its probably the FS limit which is somewhere around two billion.
So no there should not be any limit on the size of the audit files generated or the number of rows stored within them.