Auditing using Database audit specification and Server audit specification

Quick search

    Audit specifications can have three categories of actions:

    • Server level actions
    • Database level actions or
    • Audit level actions

    This article discusses how server level actions and database level actions are enabled for auditing on an SQL server using audit specification.

    Enabling server audit specification

    These are the audit specifications for actions carried out at the server level. It is available in all the editions of SQL server. There can be only one server audit specification per audit.

    To create server audit specification, the user needs :

    • Permission to connect to the database.
    • ALTER ANY SERVER AUDIT permission to edit.
    • CONTROL SERVER permission to allow the audit to be viewed by the user.

    Steps to create Server Audit Specification:

    1. Create a server audit
      • Navigate to Security folder, in Object Explorer.
      • Right-click the Audits folder and select New Audit.
      • When you finish selecting options, select OK.
    2. Navigate to Security folder >> Server Audit Specifications.
    3. Right-click Server Audit specifications and select New Server Audit Specification.
    4. Specify the following:
      • Name field with name. If left empty, a default name is assigned.
      • Server Audit field with the target machine to which these events should be logged.
    5. From the Audit list, select the audit object created in step 1.
    6. In the Actions pane, add actions and objects to the server audit.
    7. Right-click your server audit specification and select Enable Server Audit Specification.

    Database audit specification

    These are the audit specifications for actions carried out at the database level. Database audit specification is available only in the Enterprise edition of SQL server and can be carried out at the object or user level.

    To create server audit specification, you need the below permissions:

    • Permission to connect to the database
    • ALTER ANY DATABASE AUDIT SPECIFICATION or ALTER
    • CONTROL permission for the database to which they would like to add the audit.

    Steps to create database audit specification:

    The following needs to be configured to create a Database Audit Specification:

    1. Navigate to Security node >> Database Audit specifications.
    2. Right-click Database Audit Specifications and select New Database Audit Specification.
    3. Specify the following fields
      • Name field with name. If left empty, a name is assigned by default.
      • Audit field with the name of the existing Server Audit object.
      • Audit Action Type field, which can be selected from both Audit Actions and Audit Action Groups.
      • Object Name of the object to be audited when an Audit Action has been selected.
      • Schema of the selected object.
      • Principal Name. To audit all users, use the keyword public in this field.
    4. Click OK.
    5. Right-click your database audit specification and select Enable Database Audit specification.

    To audit server scope objects, create a database audit specification in the master database.

    It can also be created with Transact SQL.

    Creating a database audit specification using Transact SQL

    Here's a scenario in which we want to audit the changes made to an employee pay history table. Assume that the employee details are stored in HumanResource.EmployeePayHistory table. First, we define a server audit called Payrole_Security_Auditc and enable it. We then proceed to create a database audit specification called Audit_Pay_Tables. This specification audits SELECT and INSERT statements by the dbo user for the table, as required.

    Steps to enable auditing for the above scenario

    • Connect to an instance of Database Engine, in the Object Explorer.
    • Select New Query on the standard bar.
    • Paste the following example code into the query window and select Execute.
      USE master ;
      GO
      -- Create the server audit.
      CREATE SERVER AUDIT Payrole_Security_Audit
      TO FILE ( FILEPATH =
      'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA' ) ;
      GO
      -- Enable the server audit.
      ALTER SERVER AUDIT Payrole_Security_Audit
      WITH (STATE = ON) ;
    • Repeat the first three steps for the example code below.
      USE AdventureWorks2012 ;
      GO
      -- Create the database audit specification.
      CREATE DATABASE AUDIT SPECIFICATION Audit_Pay_Tables
      FOR SERVER AUDIT Payrole_Security_Audit
      ADD (SELECT , INSERT
      ON HumanResources.EmployeePayHistory BY dbo )
      WITH (STATE = ON) ;
      GO

    Auditing procedures such as these involve a lot of time and human effort. This is as far as the auditing goes—you still don't get a holistic picture on the security of your SQL database.

    ManageEngine's EventLog Analyzer, a comprehensive log management tool, audits both SQL server and SQL database. It provides out-of-box reports, real-time alerts and even an intuitive dashboard You can drill down to the logs, filter reports, customize alerts, perform log searches, and archive logs for powerful and effective management of SQL Servers. Click here to know to more

    EventLog Analyzer

    EventLog Analyzer, a one-stop log management solution, collects, analyzes, correlates, and archives log data from you on-premises as well as cloud network. With its in-depth log analysis capability, EventLog Analyzer helps enterprises to thwart security threats in real-time, spot anomalous user behaviors, and manage security incidents effectively. Want to know how our solution helps you protect your cloud environment? Check out.

    Download now

    EventLog Analyzer Trusted By

    Los Alamos National Bank Michigan State University
    Panasonic Comcast
    Oklahoma State University IBM
    Accenture Bank of America
    Infosys
    Ernst Young

    Customer Speaks

    • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
      Benjamin Shumaker
      Vice President of IT / ISO
      Credit Union of Denver
    • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
      Joseph Graziano, MCSE CCA VCP
      Senior Network Engineer
      Citadel
    • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
      Joseph E. Veretto
      Operations Review Specialist
      Office of Information System
      Florida Department of Transportation
    • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
      Jim Lloyd
      Information Systems Manager
      First Mountain Bank
    TestimonialsCase Studies

    Awards and Recognitions

    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    A Single Pane of Glass for Comprehensive Log Management
    Log ManagementLog AnalysisIT ComplianceSIEMQuick LinksRelated Products

    © 2020 Zoho Corporation Pvt. Ltd. All rights reserved.