SQL Server Connections – How to Keep Track of All Connections and Disconnections

sql serversql-server-2008sql-server-2008-r2

I have a Microsoft SQL Server 2008r2 SP1.

I need to know which users connect to, and disconnect from, database.

Ideally, I would like a list of (datetime, username, connect/disconnect).

Can this be done using extended events? Or is there a better way?

Best Answer

Here is a rundown of some of the options I have used to audit logins and logouts. I haven't had the chance to use Extended Events for auditing purposes yet. Below, I quickly describe tracking login and logout events using SQL Server tracing and SQL Server Audits. You'll probably end up going with setting up background server tracing which is described briefly below. If you need me to go into further detail, don't hesitate to ask.

Default Trace

The default trace is one way to audit activity on your server without making any changes. A post on what you can get out of the default trace is provided here.

Server Trace

If you are just looking for Login/Logout information, you can also create your own server trace to audit logins and logouts using SQL Server profiler. Just create a new trace and then export it as a SQL Server Trace definition file.

Open up SQL Server Profiler
Create a new trace using the blank template
Go to the Events selection tab
Under Security Audit, check Audit Login and Audit Logout

Run your trace, stop it and then under File, you can Export your trace as a SQL Server trace definition file. You can then run that trace in the background and save it to a file which can later be imported into a SQL Server table.

A portion of an example server Trace created by profiler:

-- Create a Queue
declare @rc int
declare @TraceID int
declare @maxfilesize bigint
set @maxfilesize = 5 

exec @rc = sp_trace_create @TraceID output, 0, N'InsertFileNameHere', @maxfilesize, NULL 
if (@rc != 0) goto error

-- Client side File and Table cannot be scripted

-- Set the events
declare @on bit
set @on = 1
exec sp_trace_setevent @TraceID, 14, 1, @on
exec sp_trace_setevent @TraceID, 14, 9, @on
exec sp_trace_setevent @TraceID, 14, 2, @on
exec sp_trace_setevent @TraceID, 14, 66, @on
exec sp_trace_setevent @TraceID, 14, 10, @on
.....
-- Set the Filters
declare @intfilter int
declare @bigintfilter bigint

-- Set the trace status to start
exec sp_trace_setstatus @TraceID, 1

-- display trace id for future references
select TraceID=@TraceID
goto finish

Here is the output I got from just capturing those items:

enter image description here

It is possible to convert server traces into extended event sessions and that is described in detail here.

Server Audits

There are also server audits which allows you to track and monitor Database/Server level events. Auditing may only be available in the Enterprise and Datacenter editions. I can't seem to find a specific article from Books Online that says otherwise.

USE MASTER
GO

CREATE SERVER AUDIT audit_test                                           
TO FILE (FILEPATH = 'D:\Audit')
GO


CREATE SERVER AUDIT SPECIFICATION audit_test_spec       
FOR SERVER AUDIT [audit_test]
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE=ON)
GO

You can then view server audit events in SSMS by going to Security -> Audits. Then using the context menu, you can select View Audit Logs to review activity.

enter image description here

For more information on audits, you will find additional information here:

CREATE SERVER AUDIT (Transact-SQL)

CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)

CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)

Related Solutions

SQL Server – How to Log All Errors in Queries

If you are just looking to log this information, you can set up an Extended Events session and capture the error_reported event. Here is an example:

CREATE EVENT SESSION [ErrorCapture] 
ON SERVER 
ADD EVENT sqlserver.error_reported
(
    ACTION
    (
        sqlserver.client_hostname,
        sqlserver.database_id,
        sqlserver.sql_text,
        sqlserver.username
    )
    WHERE 
    (
        [severity] >= (11)
    )
) 
ADD TARGET package0.asynchronous_file_target
(
    SET filename=N'C:\SqlServer\Testing\ErrorCapture.xel'
)
WITH 
(
    MAX_MEMORY=4096 KB,
    EVENT_RETENTION_MODE=ALLOW_SINGLE_EVENT_LOSS,
    MAX_DISPATCH_LATENCY=30 SECONDS,
    MAX_EVENT_SIZE=0 KB,
    MEMORY_PARTITION_MODE=NONE,
    TRACK_CAUSALITY=OFF,
    STARTUP_STATE=ON
);
GO

ALTER EVENT SESSION [ErrorCapture]
ON SERVER
STATE = START;
GO

To test this out, here is a test error with RAISERROR():

raiserror('This is a test error', 2, 1);
go

Then by looking at the XE log through the sys.fn_xe_file_target_read_file system function, you will be able to see all of the logged errors.

Sql-server – SQL Server 2012 Intellisense Support for Extended Events

I haven't come across Intellisense support for XEs in SSMS yet. It will tell you when you have an error in your syntax (my common mistake was omitting ON SERVER). SQL Prompt 5 (latest version) has support for the control commands (CREATE EVENT SESSION ... ALTER EVENT SESSION, etc.) but not for the packages and events yet. For now I'd recommend just sticking with the metadata queries from Jonathan Kehayias to get a sense for the packages, events, predicates, maps, etc.

I think this is probably the case because Extended Events are still a work in progress and are undergoing such rapid change and development that more effort would have to be put into generating the Intellisense XML than they'd like to put into it until it's stabilized (from a feature perspective, not a reliability perspective).

Best Answer

Related Solutions

SQL Server – How to Log All Errors in Queries

Sql-server – SQL Server 2012 Intellisense Support for Extended Events

Related Question