Sql-server – Setting Audit Events in SQL Server 2012

sql serversql-server-2012

We have to do information assurance remediation on our SQL Server 2012 and came across the following finding: Check to see that all required events are being audited. So I ran these queries:

select DISTINCT traceid from ::fn_trace_getinfo('0')

Select DISTINCT(eventid) FROM ::fn_trace_geteventinfo('1')

This returned about 34 different eventids that I assume are being used for audit purposes. Most of the items returned are NOT to be audited and should be replaced with others. However, I have no idea how to remove eventids and how to add new ones. For instance I am missing 14,15,112,113,114,118,128,129 and many others. So my question is how to I remove these audits and add news ones? A way to script it would be best or at least run it as a query.

Best Answer

This sample might help in order to script events. To capture the specific events, you need to create a Server audit specification first - The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor:

USE master;
GO
CREATE SERVER AUDIT ServerAudit
TO FILE (FILEPATH = 'c:\audits\', MAXSIZE = 2 GB)
WITH (ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT ServerAudit
WITH (STATE = ON);

The next step is to create a Database audit specification at the database level. The audit group in this example is is SCHEMA_OBJECT_CHANGE_GROUP

USE [ACMEDB];
GO
CREATE DATABASE AUDIT SPECIFICATION schema_change
FOR SERVER AUDIT ServerAudit
ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO

Finally, for example, query the previously created audit, by using the LIKE operator to narrow down captured entries to the ones related to enable/disable triggers:

SELECT
   event_time AS [Time],
   server_principal_name AS [User],
   object_name AS [Object name],
   Statement
  FROM sys.fn_get_audit_file('c:\audits\ServerAudit*', NULL, NULL)
WHERE
   database_name
   =
   'ACMEDB'
AND (
   Statement LIKE '%DISABLE%TRIGGER%'
OR Statement LIKE '%ENABLE%TRIGGER%')ORDER BY
                                      [Time] DESC;

Related Solutions

Sql-server – SQL Server 2012 CPU spike due to LinkedServer – how to find the offending query

To answer the question: How to find the offending query:

Since the spikes in the graph you posted last for several minutes you have plenty of time to use the following method:

Download sysinternals process explorer

start process explorer and find the SQL Server process.
right click and select properties
look at the thread tab.
Sort on the CPU column and note the thread id (TID) that is consuming the most CPU.

Use this query and lookup the query that is currently being executed by that thread:

SELECT r.session_id, st.text, qp.query_plan
FROM sys.dm_os_threads AS ot
JOIN sys.dm_os_tasks AS t
ON t.worker_address = ot.worker_address
JOIN sys.dm_exec_requests AS r
ON t.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS st
CROSS APPLY sys.dm_exec_query_plan(r.plan_handle) AS qp
WHERE os_thread_id = <thread id>

Sql-server – SQL Server 2012 Performance – Reads per second

The question itself is too nebulous. You asked how many Selects per second the database can handle? Well, can handle before what happens? What level of performance is acceptable? Do you need results returned in milliseconds, seconds, minutes? What is acceptable? How many rows are being returned from these Selects? What does the query plan look like?

Ultimately no one here is going to be able to tell you what you want to know. There are too many details you didn't tell us. But you can certainly find out for yourself. It's not at all difficult to stress test your database, to find this out for yourself. If you are a developer, you could easily write a C# program that creates threads that performs these Selects. It would be quite easy to measure performance as you gradually increase the number of threads. If you are not a developer, I have to believe there are stress test apps you can buy, or find open source, that will enable you to measure this. If determining a rough idea of how many users your database can accept is that important, you need to be doing this anyway.

Best Answer

Related Solutions

Sql-server – SQL Server 2012 CPU spike due to LinkedServer – how to find the offending query

Sql-server – SQL Server 2012 Performance – Reads per second

Related Question