SQL Server Audit Records Home Library Learn

Downloads

Support

Community

Sign in |

Page 1

SQL Server Audit Records

The SQL Server Audit feature enables you to audit server-level and database-level groups of events and events. For more information, see Understanding SQL Server Audit. SQL Server. Audits consist of zero or more audit action items, which are recorded to an audit target. The audit target can be a binary file, the Windows Application event log or the Windows Security event log. The records sent to the target can contain the elements described in the following table.

http://msdn.microsoft.com/en-us/library/cc280545.aspx

5.7.2010 12:45:52

SQL Server Audit Records

Page 2

http://msdn.microsoft.com/en-us/library/cc280545.aspx

5.7.2010 12:45:52

SQL Server Audit Records

Column name Description Type Always available
Yes

Page 3

event_time

Date/time when the auditable action is fired.

datetime2

sequence_no

Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits.

int

Yes

action_id

ID of the action

char(4)

Yes

succeeded

Indicates if the action that triggered the event succeeded

bit 1 = Success, Yes 0 = Fail

permission_bitmask

When applicable, shows the permissions that were granted, denied, or revoked

bigint

No

is_column_permission Flag indicating a column level permission

bit 1 = True, 0 = False

No

session_id

ID of the session on which the event occurred.

int

Yes

server_principal_id

ID of the login context that the action is performed in.

int

Yes

database_principal_id ID of the database user context that the action is performed in.

int

No

object_ id

The primary ID of the entity on which the audit occurred. This includes: server objects databases database objects schema objects

int

No

target_server_ principal_id

Server principal that the auditable action applies to.

int

Yes

target_database_ principal_id

Database principal that the auditable action applies to.

int

No

class_type

Type of auditable entity that the audit occurs on.

char(2)

Yes

session_server_ principal_name

Server principal for the session.

sysname

Yes

http://msdn.microsoft.com/en-us/library/cc280545.aspx

5.7.2010 12:45:52

SQLserver_principal_ Server Audit RecordsCurrent login.

name

sysname

Yes

Page 4

server_principal_sid

Current login SID.

varbinary

Yes

database_principal_ name

Current user.

sysname

No

target_server_ principal_name

Target login of the action.

sysname

No

target_server_ principal_sid

SID of the target login.

varbinary

No

target_database_ principal_name

Target user of the action.

sysname

No

server_instance_name Name of the server instance where the audit occurred. Uses the standard machine\instance format.

nvarchar(120)

Yes

database_name

The database context in which the action occurred.

sysname

No

schema_name

The schema context in which the action occurred.

sysname

No

object_name

The name of the entity on which the audit occurred. This includes: server objects databases database objects schema objects TSQL statement (if any)

sysname

No

statement

TSQL statement (if any)

nvarchar(4000)

No

additional_ information

Any additional information about the event, stored as XML.

nvarchar(4000)

No

Remarks
Some actions do not populate a column's value because it might be non-applicable to the action. SQL Server Audit stores 4000 characters of data for character fields in an audit record. When the additional_information and statement values returned from an auditable action return more than 4000 characters, the sequence_no column is used to write multiple records into the audit report for a single audit action to record this data. The process is as follows:

http://msdn.microsoft.com/en-us/library/cc280545.aspx

5.7.2010 12:45:52

The statement column is divided into 4000 characters. SQL Server Audit Records

Page 5

SQL Server Audit writes as the first row for the audit record with the partial data. All the other fields are duplicated in each row. The sequence_no value is incremented. This process is repeated until all the data is recorded. You can connect the data by reading the rows sequentially using the sequence_no value, and the event_Time, action_id and session_id columns to identify the action.

See Also
Other Resources

CREATE SERVER AUDIT (Transact-SQL) ALTER SERVER AUDIT (Transact-SQL) DROP SERVER AUDIT (Transact-SQL) CREATE SERVER AUDIT SPECIFICATION (Transact-SQL) ALTER SERVER AUDIT SPECIFICATION (Transact-SQL) DROP SERVER AUDIT SPECIFICATION (Transact-SQL) CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL) ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL) DROP DATABASE AUDIT SPECIFICATION (Transact-SQL) ALTER AUTHORIZATION (Transact-SQL) fn_get_audit_file (Transact-SQL) sys.server_audits (Transact-SQL) sys.server_file_audits (Transact-SQL) sys.server_audit_specifications (Transact-SQL) sys.server_audit_specification_details (Transact-SQL) sys.database_audit_specifications (Transact-SQL) sys.database_audit_specification_details (Transact-SQL) sys.dm_server_audit_status (Transact-SQL) sys.dm_audit_actions (Transact-SQL) sys.dm_audit_class_type_map (Transact-SQL) Audits Node (Object Explorer) Audits (General Page) Server Audit Specifications (General Page) Database Audit Specifications (General Page)

Community Content

Add

2010 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement | Feedback

http://msdn.microsoft.com/en-us/library/cc280545.aspx

5.7.2010 12:45:52