How to enable MS SQL Audit Logs
For analyzing MS SQL audit logs by EventLog Analyzer, you need to initially enable auditing in MSSQL server.
To enable auditing in MS SQL server you need to,
Create a SQL Server Audit Object that can be used for auditing
Create a Server audit specification
Enabling the Audit Object
Once the SQL Server Audit Object and Server audit specification is created an configured, EventLog Analyzer will start collecting and analyzing the MSSQL audit application logs.
Create a SQL Server Audit Object
To create a SQL Server Audit Object, go to Object Explorer in MSSQL Server Management Studio
In the object explorer, recursively expand the 'Security' node to 'Audits'
Right click on the 'Audit' and select 'New Audit'. This opens 'Create New Audit' page
In the 'Audit Name' field, specify the name for the Audit Object
- In the 'Audit destination' field, select 'Application Log' type
Click on OK to accept the other default settings and save the new audit specification.
Creating Server Level Audit Specification
In the object explorer, right click on 'Server Audit Specification' and click on 'New Server Audit Specification'. This opens Create New Server Audit Specification window
In the Name field, specify the name for the Server audit
Select the your Audit object from the 'Audit' field drop down menu
In the Actions table, select the following Audit Action type from the list
Click on OK to save the server audit specification.
Enabling Audit Object
Now you need to enable the audit object created. Click on Audits node in Object Explorer and right click on the audit object created, and then click on Enable Audit. This will start the audit.
EventLog Analyzer will now collect these audit logs from the MSSQL server that is added as a host to the EventLog Analyzer Server.