There are two primary ways of logging SQL audit events. One way is to write the SQL server's logs to a .sqlaudit file and view it on SQL Log Viewer. Another way is to write them to Windows Security log.
Writing SQL events as Windows Security logs has the added advantage of being tamper-proof.
This article explains how to write SQL Server Audit Events to Windows Security log.
To ensure that the necessary SQL server events are being captured and logged, you need to configure the audit object access setting in Windows. This setting can be configured on auditpol.exe, using the below steps.
auditpol /set /subcategory:"application generated" /success:enable /failure:enable
The generate security audits permission should be granted to the account running the SQL Server service. This enables the account to write the captured SQL server events to the Windows Security Log.
Note: If your SQL Server service is running under the LOCAL SERVICE or the NETWORK SERVICE accounts, step 2 is not necessary.
The steps to grant this permission using secpol are as follows:
Once done, your SQL Server Audit events are written to Windows Security Log. You can create the required server audit objects, server audit specification, and database audit specification on your SQL server.
Zoho Corporation Pvt. Ltd. All rights reserved.