Create a Server Audit and Server Audit Specification

SQL Server 2012. Source: http://msdn.microsoft.com/en-us/library/cc280525.aspx (14-Apr-2013 11:14 PM)

This topic describes how to create a server audit and server audit specification in SQL Server 2012 by using SQL Server Management Studio or Transact-SQL. Auditing an instance of SQL Server or a SQL Server database involves tracking and logging events that occur on the system. The SQL Server Audit object collects a single instance of server- or database-level actions and groups of actions to monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server instance. The Server Audit Specification object belongs to an audit. You can create one server audit specification per audit, because both are created at the SQL Server instance scope. For more information, see SQL Server Audit (Database Engine).

In This Topic

Before you begin:

Limitations and Restrictions

Security

To create a server audit and server audit specification, using:

SQL Server Management Studio

Transact-SQL

Before You Begin

Limitations and Restrictions

An audit must exist before creating a server audit specification for it. When a server audit specification is created, it is in a disabled state.

The CREATE SERVER AUDIT statement is in a transaction's scope. If the transaction is rolled back, the statement is also rolled back.

Security

Permissions

To create, alter, or drop a server audit, principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission.

Users with the ALTER ANY SERVER AUDIT permission can create server audit specifications and bind them to any audit.

After a server audit specification is created, it can be viewed by principals with the CONTROL SERVER or ALTER ANY SERVER AUDIT permissions, the sysadmin account, or principals having explicit access to the audit.


Using SQL Server Management Studio

To create a server audit

1. In Object Explorer, expand the Security folder.

2. Right-click the Audits folder and select New Audit….

The following options are available on the General page of the Create Audit dialog box.

Audit name
The name of the audit. This is generated automatically when you create a new audit but is editable.

Queue delay (in milliseconds)
Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. A value of 0 indicates synchronous delivery. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647 (2,147,483.647 seconds or 24 days, 20 hours, 31 minutes, 23.647 seconds).

On Audit Log Failure:

Continue
SQL Server operations continue. Audit records are not retained. The audit continues to attempt to log events and will resume if the failure condition is resolved. Selecting the Continue option can allow unaudited activity which could violate your security policies. Select this option when continuing operation of the Database Engine is more important than maintaining a complete audit. This is the default selection.

Shut down server
Forces a server shut down when the server instance writing to the target cannot write data to the audit target. The login issuing this must have the SHUTDOWN permission. If the logon does not have this permission, this function will fail and an error message will be raised. No audited events occur. Select this option when an audit failure could compromise the security or integrity of the system.

Fail operation
In cases where the SQL Server Audit cannot write to the audit log, this option causes database actions to fail if they would otherwise cause audited events. No audited events occur. Actions which do not cause audited events can continue. The audit continues to attempt to log events and will resume if the failure condition is resolved. Select this option when maintaining a complete audit is more important than full access to the Database Engine.

Security Note

When the audit is in a failed state, the Dedicated Administrator Connection can continue to perform audited events.

Audit destination list
Specifies the target for auditing data. The available options are a binary file, the Windows Application log, or the Windows Security log. SQL Server cannot write to the Windows Security log without configuring additional settings in Windows. For more information, see Write SQL Server Audit Events to the Security Log.

File path
Specifies the location of the folder where audit data is written when the Audit destination is a file.

Ellipsis (…)
Opens the Locate Folder – server_name dialog box to specify a file path or create a folder where the audit file is written.

Audit File Maximum Limit:

Maximum rollover files
Specifies that, when the maximum number of audit files is reached, the oldest audit files are overwritten by new file content.

Maximum files
Specifies that, when the maximum number of audit files is reached, any action that causes additional audit events to be generated will fail with an error.

Unlimited check box
When the Unlimited check box under Maximum rollover files is selected, there is no limit imposed on the number of audit files that will be created. The Unlimited check box is selected by default and applies to both the Maximum rollover files and Maximum files selections.

Number of files box
Specifies the number of audit files to be created, up to 2,147,483,647. This option is only available if Unlimited is unchecked.

Maximum file size
Specifies the maximum size for an audit file in either megabytes (MB), gigabytes (GB), or terabytes (TB). You can specify between 1024 MB and 2,147,483,647 TB. Selecting the Unlimited check box does not place a limit on the size of the file. Specifying a value lower than 1024 MB will fail, returning an error. The Unlimited check box is selected by default.

Reserve disk space check box
Specifies that space is pre-allocated on the disk equal to the specified maximum file size. This setting can only be used if the Unlimited check box under Maximum file size is not selected. This check box is not selected by default.

3. Optionally, on the Filter page, enter a predicate, or WHERE clause, to the server audit to specify additional options not available from the General page. Enclose the predicate in parentheses; for example: (object_name = 'EmployeesTable').

4. When you are finished selecting options, click OK.
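The General and Filter page options above map onto CREATE SERVER AUDIT clauses. The script below is an added example, not part of the original topic; the audit name Example_File_Audit and the folder D:\SQLAudit\ are constructed placeholders.

```sql
-- Added example. Example_File_Audit and D:\SQLAudit\ are constructed placeholders.
USE master;
GO

CREATE SERVER AUDIT Example_File_Audit
TO FILE (
    FILEPATH = 'D:\SQLAudit\',        -- File path
    MAXSIZE = 1024 MB,                -- Maximum file size
    MAX_ROLLOVER_FILES = 20,          -- Maximum rollover files (oldest overwritten)
    RESERVE_DISK_SPACE = ON           -- Reserve disk space (needs a fixed MAXSIZE)
)
WITH (
    QUEUE_DELAY = 1000,               -- Queue delay in ms; 0 means synchronous delivery
    ON_FAILURE = FAIL_OPERATION       -- On Audit Log Failure: Fail operation
)
WHERE (object_name = 'EmployeesTable');   -- Filter page predicate from the text
GO

-- A new audit is created disabled; switch it on.
ALTER SERVER AUDIT Example_File_Audit WITH (STATE = ON);
GO

-- An audit must be OFF before its options can be changed.
-- SHUTDOWN corresponds to "Shut down server" and needs the SHUTDOWN permission.
ALTER SERVER AUDIT Example_File_Audit WITH (STATE = OFF);
ALTER SERVER AUDIT Example_File_Audit WITH (ON_FAILURE = SHUTDOWN);
ALTER SERVER AUDIT Example_File_Audit WITH (STATE = ON);
GO

-- Review what is actually configured, including the failure behaviour.
SELECT a.name, a.is_state_enabled, a.on_failure_desc, a.queue_delay, a.predicate,
       f.log_file_path, f.max_file_size, f.max_rollover_files, f.reserve_disk_space
FROM sys.server_audits AS a
JOIN sys.server_file_audits AS f ON f.audit_id = a.audit_id;
```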

To create a server audit specification

1. In Object Explorer, click the plus sign to expand the Security folder.

2. Right-click the Server Audit Specifications folder and select New Server Audit Specification….

The following options are available on the Create Server Audit Specification dialog box.

Name
The name of the server audit specification. This is generated automatically when you create a new server audit specification but is editable.

Audit
The name of an existing server audit. Either type in the name of the audit or select it from the list.

Audit Action Type
Specifies the server-level audit action groups and audit actions to capture. For the list of server-level audit action groups and audit actions and a description of the events they contain, see SQL Server Audit Action Groups and Actions.

Object Schema
Displays the schema for the specified Object Name.

Object Name
The name of the object to audit. This is only available for audit actions; it does not apply to audit groups.

Ellipsis (…)
Opens the Select Objects dialog to browse for and select an available object, based on the specified Audit Action Type.

Principal Name
The account to filter the audit by for the object being audited.

Ellipsis (…)
Opens the Select Objects dialog to browse for and select an available object, based on the specified Object Name.

3. When you are finished, click OK.


Using Transact-SQL

To create a server audit

1. In Object Explorer, connect to an instance of Database Engine.

2. On the Standard bar, click New Query.

3. Copy and paste the following example into the query window and click Execute.

To create a server audit specification

1. In Object Explorer, connect to an instance of Database Engine.

2. On the Standard bar, click New Query.

3. Copy and paste the following example into the query window and click Execute.

    -- Creates a server audit called "HIPAA_Audit" with a binary file as the target.
    CREATE SERVER AUDIT HIPAA_Audit
        TO FILE ( FILEPATH = '\\SQLPROD_1\Audit\' );

    /* Creates a server audit specification called "HIPPA_Audit_Specification"
       that audits failed logins for the server audit created above.
       The specification is created in a disabled state. */
    CREATE SERVER AUDIT SPECIFICATION HIPPA_Audit_Specification
    FOR SERVER AUDIT HIPAA_Audit
        ADD (FAILED_LOGIN_GROUP);
    GO
    -- Enables the audit.
    ALTER SERVER AUDIT HIPAA_Audit
    WITH (STATE = ON);
    GO
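Because a server audit specification is created disabled, the script above enables the audit but not the specification. The following added example (not part of the original topic) enables it, confirms both objects are on, reads the failed-login events back from the file target, and lists who holds the permissions named under Security; it assumes the audit name HIPAA_Audit, the specification name HIPPA_Audit_Specification and the path \\SQLPROD_1\Audit\ from the example above.

```sql
-- Added example; object names and path are taken from the example above.
USE master;
GO

-- 1. Enable the specification so FAILED_LOGIN_GROUP events are collected.
ALTER SERVER AUDIT SPECIFICATION HIPPA_Audit_Specification
WITH (STATE = ON);
GO

-- 2. Confirm the audit and its specification are both enabled,
--    and which action groups the specification captures.
SELECT a.name                AS audit_name,
       a.is_state_enabled    AS audit_enabled,
       a.on_failure_desc,
       s.name                AS specification_name,
       s.is_state_enabled    AS specification_enabled,
       d.audit_action_name
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS s
     ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details AS d
     ON d.server_specification_id = s.server_specification_id
WHERE a.name = 'HIPAA_Audit';

-- 3. Read failed logins (action_id 'LGIF') from the binary audit files.
SELECT event_time, action_id, succeeded,
       server_principal_name, statement, additional_information
FROM sys.fn_get_audit_file('\\SQLPROD_1\Audit\*', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
ORDER BY event_time DESC;

-- 4. List principals that can create, alter, or drop audits,
--    so the set of accounts able to switch auditing off stays small.
SELECT pr.name AS principal_name, pr.type_desc,
       pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('ALTER ANY SERVER AUDIT', 'CONTROL SERVER')
ORDER BY pr.name;
```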


For more information, see CREATE SERVER AUDIT (Transact-SQL) and CREATE SERVER AUDIT SPECIFICATION (Transact-SQL).


© 2013 Microsoft. All rights reserved.
