Scribd
Upload
86 views

SQL Server Auditing Quick Reference Guide PDF

This quick reference guide provides instructions for auditing SQL Server using SQL Server traces. It outlines how to create a trace by running a script that defines the trace file location and events to capture. Common event IDs and table columns that can be traced are listed. The guide also describes how to stop a trace, delete it, import trace data into a table, and view trace data to inspect recorded events.

Uploaded by

fptstop
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
86 views

SQL Server Auditing Quick Reference Guide PDF

This quick reference guide provides instructions for auditing SQL Server using SQL Server traces. It outlines how to create a trace by running a script that defines the trace file location and events to capture. Common event IDs and table columns that can be traced are listed. The guide also describes how to stop a trace, delete it, import trace data into a table, and view trace data to inspect recorded events.

Uploaded by

fptstop
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Quick Reference Guide

SQL Server Auditing


SQL Server 2005-2014

Trace Creation
Run MS SQL Management Studio > Connect to database you want to
audit > New Query > Copy the following script into new query box:
DECLARE @RC int, @TraceID int, @on BIT
EXEC @rc = sp_trace_create @TraceID output, 2,
N'C:\pathname\file'
SELECT RC = @RC, TraceID = @TraceID
-- Follow Common SQL trace event list and common sql trace
-- tables to define which events and tables you want to
capture
SELECT @on = 1
EXEC sp_trace_setevent @TraceID, 111, 1, @on
-- (111-Event Audit Add/Drop Role, 1-TextData table column)
EXEC sp_trace_setevent @TraceID, 111, 11, @on
EXEC sp_trace_setevent @TraceID, 111, 14, @on
EXEC @RC = sp_trace_setstatus @TraceID, 1
GO
Define file trace location and hit Execute to start a new trace

Trace Management

Common SQL
Trace Events:

12 SQL:BatchCompleted
13 SQL:BatchStarting
105 Audit Login GDR Event
109 Audit Add DB User Event
110 Audit Add Member to DB
Role Event
111 Audit Add/Drop Role
113 Audit Statement
Permission
128 Audit Database
Management Event
131 Audit Schema Object
Management Event
176 Audit Server Object
Management Event
177 Audit Server Principal
Management Event

Common SQL
Trace Table
Columns:

1 TextData
6 NTUserName
11 LoginName
14 StartTime
15 EndTime
26 ServerName
35 DatabaseName
You can find full events and tables
list here: url2open.com/sqltrace

Execute this query to stop the trace:


sp_trace_setstatus @traceid = 2, @status = 0
Execute this query to delete the trace:
sp_trace_setstatus @traceid = 2, @status = 2

Execute this query in order to import the trace into database table:
USE DBname
SELECT * INTO tablename FROM ::fn_trace_gettable
('C:\pathname\file.trc', DEFAULT)
GO
Execute this query in order to view trace data:
SELECT TOP 1000 [TextData] ,[HostName] ,[LoginName] ,[StartTime] ,[EndTime] ,
[ServerName] ,[EventClass]
FROM [DBname].[dbo].[tablename]
Inspect TextData table for events like: CREATE LOGIN, ALTER SERVER
ROLE, DROP LOGIN etc...

Get #completevisibility into what's going on inside your Microsoft SQL


Server for free: netwrix.com/go/trial-ss

Corporate Headquarters:
300 Spectrum Center Drive, Suite 1100,
Irvine, CA

Toll-free: 888-638-9749

Int'l: 1-949-407-5125
EMEA: 44 (0) 203-318-0261

netwrix.com/social

You might also like