Microsoft SQL Server

Logging from Microsoft SQL server works through saving events into the application log of Windows and its subsequent forwarding to the Logmanager.

Following conditions must be met for proper function:

It is necessary to have WES installed on a server, where Microsoft SQL is running – more in chapter Microsoft Windows Event Sender (WES) (Deprecated)
Set up auditing of Microsoft SQL server
Use supported version of SQL server

Supported versions

You need to use SQL server version which supports server-level auditing for proper logging function.

Edition / version	SQL Server 2008 and 2008 R2	SQL Server 2012 and 2014
Enterprise	server and database-level	server and database-level
Evaluation	server and database-level	server and database-level
Developer	server and database-level	server and database-level
Datacenter	server and database-level	N/A
Business Intellig.	not supported	server-level
Standard	not supported	server-level
Web	not supported	server-level
Express	not supported	server-level

Audit of Microsoft SQL Server

It is necessary to enter a set of SQL commands to set up logging. You can enter these commands e.g. via Microsoft SQL Server Management Studio.

Log into the Management Studio with an account with authorization to create audits.
Click on the button New Query and enter following commands gradually.
Switch to master:
```
USE master;
```

Create server audit:

CREATE SERVER AUDIT lm_audit TO APPLICATION_LOG WITH (QUEUE_DELAY = 1000);

Create specification of the server audit:

CREATE SERVER AUDIT SPECIFICATION [lm_audit_specification]
FOR SERVER AUDIT [lm_audit]
ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),
ADD (AUDIT_CHANGE_GROUP),
ADD (BROKER_LOGIN_GROUP),
ADD (DATABASE_CHANGE_GROUP),
ADD (DATABASE_LOGOUT_GROUP),
ADD (DATABASE_MIRRORING_LOGIN_GROUP),
ADD (DATABASE_OBJECT_ACCESS_GROUP), - vytezuje
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP),
ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (FAILED_DATABASE_AUTHENTICATION_GROUP),
ADD (FAILED_LOGIN_GROUP),
ADD (LOGIN_CHANGE_PASSWORD_GROUP),
ADD (LOGOUT_GROUP),
ADD (SCHEMA_OBJECT_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (SERVER_OBJECT_CHANGE_GROUP),
ADD (SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP),
ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (SERVER_PERMISSION_CHANGE_GROUP),
ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (SERVER_STATE_CHANGE_GROUP),
ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (USER_CHANGE_PASSWORD_GROUP)
WITH (STATE = OFF);

For your configuration, select an appropriate set of groups to logging, in order not to overload the server. An overview of the specifications in chapter Audit options overview.

DATABASE_OBJECT_ACCESS_GROUP can generate high number of logs according to Microsoft SQL server usage. Should problems with server overloading occur, the condition can be removed later, more in the chapter Removal of audit conditions.

Allow audit and his specification:

ALTER SERVER AUDIT [lm_audit]
WITH (STATE = ON)
GO

ALTER SERVER AUDIT SPECIFICATION [lm_audit_specification]
WITH (STATE = ON)
GO

You can enter following commands to check the settings.

Information about the server audit:
```
SELECT name, is_state_enabled, type_desc FROM sys.server_audits;
```
Values description:
- name: name of the audit
- is_state_enabled: Is audit turned on? Must be 1
- type_desc: Where is the audit stored? Must be: APPLICATION LOG, ie. saving to the Windows Event
Information about status of the server audit:
```
SELECT name, status_desc FROM sys.dm_server_audit_status;
```
Values description:
- name: name of the audit
- status_desc: audit status, value must be: STARTED
Information about status specification of the server audit:
```
SELECT * FROM sys.server_audit_specifications;
```
Values description:
- name: name of the audit specification
- is_state_enabled: is specification switched on? Status of the specification must be 1

Adding audit conditions

To add a new condition, the audit has to be turned OFF first. Then you can add a new condition and parameter of repeated audit start.

For example to add monitoring of condition USER_CHANGE_PASSWORD_GROUP enter following commands:

ALTER SERVER AUDIT SPECIFICATION [lm_audit_specification]
WITH (STATE = OFF);

ALTER SERVER AUDIT SPECIFICATION [lm_audit_specification]
ADD (USER_CHANGE_PASSWORD_GROUP)
WITH (STATE = ON);

Removal of audit conditions

To remove a condition from auditing, the audit has to be turned OFF first. Then you can remove a condition and add parameter of repeated audit start.

For example to remove monitoring of condition USER_CHANGE_PASSWORD_GROUP enter following commands:

ALTER SERVER AUDIT SPECIFICATION [lm_audit_specification]
WITH (STATE = OFF);

ALTER SERVER AUDIT SPECIFICATION [lm_audit_specification]
DROP (USER_CHANGE_PASSWORD_GROUP)
WITH (STATE = ON);

Removal of the audit

You have to remove audit and its specification to cancel auditing. First you need to turn the audit off and the you can remove it.

/* remove audit */
ALTER SERVER AUDIT [lm_audit]
WITH (STATE = OFF);

DROP SERVER AUDIT lm_audit;

/* remove specification */
ALTER SERVER AUDIT SPECIFICATION [lm_audit_specification]
WITH (STATE = OFF);

DROP SERVER AUDIT SPECIFICATION lm_audit_specification;

Audit options overview

Audit allows logging of many conditions, which are described in the following table.

Audit options overview:

Action group name	Description
APPLICATION_ROLE_CHANGE_PASSWORD_GROUP	This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class.
AUDIT_CHANGE_GROUP	This event is raised whenever any audit is created, modified or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class.
BACKUP_RESTORE_GROUP	This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup/Restore Event Class.
BROKER_LOGIN_GROUP	This event is raised to report audit messages related to Service Broker transport security. Equivalent to the Audit Broker Login Event Class.
DATABASE_CHANGE_GROUP	This event is raised when a database is created, altered, or dropped. This event is raised whenever any database is created, altered or dropped. Equivalent to the Audit Database Management Event Class.
DATABASE_LOGOUT_GROUP	This event is raised when a contained database user logs out of a database. Equivalent to the Audit Database Logout Event Class.
DATABASE_MIRRORING_LOGIN_GROUP	This event is raised to report audit messages related to database mirroring transport security. Equivalent to the Audit Database Mirroring Login Event Class.
DATABASE_OBJECT_ACCESS_GROUP	This event is raised whenever database objects such as message type, assembly, contract are accessed. This event is raised for any access to any database. System_CAPS_noteNote. This could potentially lead to large audit records. Equivalent to the Audit Database Object Access Event Class.
DATABASE_OBJECT_CHANGE_GROUP	This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. This event is raised whenever any database object is created, altered or dropped. System_CAPS_noteNote. This could lead to very large quantities of audit records. Equivalent to the Audit Database Object Management Event Class.
DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP	This event is raised when a change of owner for objects within database scope. This event is raised for any object ownership change in any database on the server. Equivalent to the Audit Database Object Take Ownership Event Class.
DATABASE_OBJECT_PERMISSION_CHANGE_GROUP	This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. This event is raised for any object permission change for any database on the server. Equivalent to the Audit Database Object GDR Event Class.
DATABASE_OPERATION_GROUP	This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. This event is raised on any database operation on any database. Equivalent to the Audit Database Operation Event Class.
DATABASE_OWNERSHIP_CHANGE_GROUP	This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. This event is raised for any database ownership change on any database on the server. Equivalent to the Audit Change Database Owner Event Class.
DATABASE_PERMISSION_CHANGE_GROUP	This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any principal in SQL Server (This applies to database-only events, such as granting permissions on a database). This event is raised for any database permission change (GDR) for any database in the server. Equivalent to the Audit Database Scope GDR Event Class.
DATABASE_PRINCIPAL_CHANGE_GROUP	This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. (Also equivalent to the Audit Add DB Principal Event Class, which occurs on the deprecated sp_grantdbaccess, sp_revokedbaccess, sp_addPrincipal, and sp_dropPrincipal stored procedures.) This event is raised whenever a database role is added to or removed by using the sp_addrole, sp_droprole stored procedures. This event is raised whenever any database principals are created, altered, or dropped from any database. Equivalent to the Audit Add Role Event Class.
DATABASE_PRINCIPAL_IMPERSONATION_GROUP	This event is raised when there is an impersonation operation in the database scope such as EXECUTE AS <principal> or SETPRINCIPAL. This event is raised for impersonations done in any database. Equivalent to the Audit Database Principal Impersonation Event Class.
DATABASE_ROLE_MEMBER_CHANGE_GROUP	This event is raised whenever a login is added to or removed from a database role. This event class is raised for the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures. This event is raised on any Database role member change in any database. Equivalent to the Audit Add Member to DB Role Event Class.
DBCC_GROUP	This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class.
FAILED_DATABASE_AUTHENTICATION_GROUP	Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class.
FAILED_LOGIN_GROUP	Indicates that a principal tried to log on to SQL Server and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class.
FULLTEXT_GROUP	Indicates fulltext event occurred. Equivalent to the Audit Fulltext Event Class.
LOGIN_CHANGE_PASSWORD_GROUP	This event is raised whenever a login password is changed by way of ALTER LOGIN statement or sp_password stored procedure. Equivalent to the Audit Login Change Password Event Class.
LOGOUT_GROUP	Indicates that a principal has logged out of SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Logout Event Class.
SCHEMA_OBJECT_ACCESS_GROUP	This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class.
SCHEMA_OBJECT_CHANGE_GROUP	This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class. This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. This event is raised whenever any schema of any database changes. Equivalent to the Audit Statement Permission Event Class.
SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP	This event is raised when the permissions to change the owner of schema object (such as a table, procedure, or function) is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object. This event is raised for any schema ownership change for any database on the server. Equivalent to the Audit Schema Object Take Ownership Event Class.
SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP	This event is raised whenever a grant, deny, revoke is performed against a schema object. Equivalent to the Audit Schema Object GDR Event Class.
SERVER_OBJECT_CHANGE_GROUP	This event is raised for CREATE, ALTER, or DROP operations on server objects. Equivalent to the Audit Server Object Management Event Class.
SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP	This event is raised when the owner is changed for objects in server scope. Equivalent to the Audit Server Object Take Ownership Event Class.
SERVER_OBJECT_PERMISSION_CHANGE_GROUP	This event is raised whenever a GRANT, REVOKE, or DENY is issued for a server object permission by any principal in SQL Server. Equivalent to the Audit Server Object GDR Event Class.
SERVER_OPERATION_GROUP	This event is raised when Security Audit operations such as altering settings, resources, external access, or authorization are used. Equivalent to the Audit Server Operation Event Class.
SERVER_PERMISSION_CHANGE_GROUP	This event is raised when a GRANT, REVOKE, or DENY is issued for permissions in the server scope, such as creating a login. Equivalent to the Audit Server Scope GDR Event Class.
SERVER_PRINCIPAL_CHANGE_GROUP	This event is raised when server principals are created, altered, or dropped. Equivalent to the Audit Server Principal Management Event Class. This event is raised when a principal issues the sp_defaultdb or sp_defaultlanguage stored procedures or ALTER LOGIN statements. Equivalent to the Audit Addlogin Event Class. This event is raised on the sp_addlogin and sp_droplogin stored procedures. Also equivalent to the Audit Login Change Property Event Class. This event is raised for the sp_grantlogin, sp_revokelogin, or sp_denylogin stored procedures. Equivalent to the Audit Login GDR Event Class.
SERVER_PRINCIPAL_IMPERSONATION_GROUP	This event is raised when there is an impersonation within server scope, such as EXECUTE AS <login>. Equivalent to the Audit Server Principal Impersonation Event Class.
SERVER_ROLE_MEMBER_CHANGE_GROUP	This event is raised whenever a login is added or removed from a fixed server role. This event is raised for the sp_addsrvrolemember and sp_dropsrvrolemember stored procedures. Equivalent to the Audit Add Login to Server Role Event Class.
SERVER_STATE_CHANGE_GROUP	This event is raised when the SQL Server service state is modified. Equivalent to the Audit Server Starts and Stops Event Class.
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP	Indicates that a principal successfully logged in to a contained database. Equivalent to the Audit Successful Database Authentication Event Class.
SUCCESSFUL_LOGIN_GROUP	Indicates that a principal has successfully logged in to SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Event Class.
TRACE_CHANGE_GROUP	This event is raised for all statements that check for the ALTER TRACE permission. Equivalent to the Audit Server Alter Trace Event Class.
USER_CHANGE_PASSWORD_GROUP	This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement.
USER_DEFINED_AUDIT_GROUP	This group monitors events raised by using sp_audit_write (Transact-SQL). Typically triggers or stored procedures include calls to sp_audit_write to enable auditing of important events.