SQL Server Audit Records
SQL Server Audit Records
Downloads
Support
Community
Sign in |
Page 1
http://msdn.microsoft.com/en-us/library/cc280545.aspx
5.7.2010 12:45:52
Page 2
http://msdn.microsoft.com/en-us/library/cc280545.aspx
5.7.2010 12:45:52
Page 3
event_time
datetime2
sequence_no
Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits.
int
Yes
action_id
ID of the action
char(4)
Yes
succeeded
permission_bitmask
When applicable, shows the permissions that were granted, denied, or revoked
bigint
No
No
session_id
int
Yes
server_principal_id
int
Yes
database_principal_id ID of the database user context that the action is performed in.
int
No
object_ id
The primary ID of the entity on which the audit occurred. This includes: server objects databases database objects schema objects
int
No
target_server_ principal_id
int
Yes
target_database_ principal_id
int
No
class_type
char(2)
Yes
session_server_ principal_name
sysname
Yes
http://msdn.microsoft.com/en-us/library/cc280545.aspx
5.7.2010 12:45:52
sysname
Yes
Page 4
server_principal_sid
varbinary
Yes
database_principal_ name
Current user.
sysname
No
target_server_ principal_name
sysname
No
target_server_ principal_sid
varbinary
No
target_database_ principal_name
sysname
No
server_instance_name Name of the server instance where the audit occurred. Uses the standard machine\instance format.
nvarchar(120)
Yes
database_name
sysname
No
schema_name
sysname
No
object_name
The name of the entity on which the audit occurred. This includes: server objects databases database objects schema objects TSQL statement (if any)
sysname
No
statement
nvarchar(4000)
No
additional_ information
nvarchar(4000)
No
Remarks
Some actions do not populate a column's value because it might be non-applicable to the action. SQL Server Audit stores 4000 characters of data for character fields in an audit record. When the additional_information and statement values returned from an auditable action return more than 4000 characters, the sequence_no column is used to write multiple records into the audit report for a single audit action to record this data. The process is as follows:
http://msdn.microsoft.com/en-us/library/cc280545.aspx
5.7.2010 12:45:52
The statement column is divided into 4000 characters. SQL Server Audit Records
Page 5
SQL Server Audit writes as the first row for the audit record with the partial data. All the other fields are duplicated in each row. The sequence_no value is incremented. This process is repeated until all the data is recorded. You can connect the data by reading the rows sequentially using the sequence_no value, and the event_Time, action_id and session_id columns to identify the action.
See Also
Other Resources
CREATE SERVER AUDIT (Transact-SQL) ALTER SERVER AUDIT (Transact-SQL) DROP SERVER AUDIT (Transact-SQL) CREATE SERVER AUDIT SPECIFICATION (Transact-SQL) ALTER SERVER AUDIT SPECIFICATION (Transact-SQL) DROP SERVER AUDIT SPECIFICATION (Transact-SQL) CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL) ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL) DROP DATABASE AUDIT SPECIFICATION (Transact-SQL) ALTER AUTHORIZATION (Transact-SQL) fn_get_audit_file (Transact-SQL) sys.server_audits (Transact-SQL) sys.server_file_audits (Transact-SQL) sys.server_audit_specifications (Transact-SQL) sys.server_audit_specification_details (Transact-SQL) sys.database_audit_specifications (Transact-SQL) sys.database_audit_specification_details (Transact-SQL) sys.dm_server_audit_status (Transact-SQL) sys.dm_audit_actions (Transact-SQL) sys.dm_audit_class_type_map (Transact-SQL) Audits Node (Object Explorer) Audits (General Page) Server Audit Specifications (General Page) Database Audit Specifications (General Page)
Community Content
Add
2010 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement | Feedback
http://msdn.microsoft.com/en-us/library/cc280545.aspx
5.7.2010 12:45:52