C Microsoft SQL Server Audit Events

This appendix contains:

About the Microsoft SQL Server Audit Events
Account Management Events
Application Management Events
Audit Command Events
Data Access Events
Exception Events
Invalid Record Events
Object Management Events
Peer Association Events
Role and Privilege Management Events
Service and Application Utilization Events
System Management Events
Unknown or Uncategorized Events
User Session Events

C.1 About the Microsoft SQL Server Audit Events

This appendix lists the audit event names and IDs, and the attribute names and data types for Microsoft SQL Server. The audit events are organized by their respective categories; for example, Account Management. You can use these audit events as follows:

For alerts. When you create an alert, you can specify an audit event, based on its category, that can trigger the alert. See "Creating Alerts" for more information.
For custom reports using third-party tools. If you want to create custom reports using third-party tools, refer to the tables in this appendix when you design the reports. See Appendix A, "Oracle Audit Vault Data Warehouse Schema" for more information about custom reports created with third-party tools.

C.2 Account Management Events

Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords. The Account Management Report, described in Section 3.4.1, uses these events.

Table C-1 lists the Microsoft SQL Server account management events and event IDs.

Table C-1 SQL Server Account Management Events

Event Name	Event ID:Subclass
`Audit AddLogin Event`	`ADDLOGIN:ADD` `ADDLOGIN:DROP`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:ALTER: USER` `DATABASE PRINCIPAL MANAGEMENT:CREATE: USER` `DATABASE PRINCIPAL MANAGEMENT:DROP: USER`
`Audit Login Change Password Event`	`LOGIN CHANGE PASSWORD:PASSWORD CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE` `LOGIN CHANGE PASSWORD:PASSWORD RESET` `LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD SELF RESET` `LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED`
`Audit Login Change Property Event`	`LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED` `LOGIN CHANGE PROPERTY:EXPIRATION CHANGED` `LOGIN CHANGE PROPERTY:NAME CHANGED` `LOGIN CHANGE PROPERTY:POLICY CHANGED`
`Audit Server Object Management Event`	`SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED` `SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN`
`Audit Server Principal Management Event`	`SERVER PRINCIPAL MANAGEMENT:ALTER: USER` `SERVER PRINCIPAL MANAGEMENT:CREATE: USER` `SERVER PRINCIPAL MANAGEMENT:DISABLE: USER` `SERVER PRINCIPAL MANAGEMENT:DROP: USER` `SERVER PRINCIPAL MANAGEMENT:ENABLE: USER`

Table C-2 lists the Microsoft SQL Server account management attributes.

Table C-2 SQL Server Account Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.3 Application Management Events

Application management events track actions that were performed on the underlying SQL statements, such as creating objects. The Procedure Management Report, described in Section 3.4.4, uses these events.

Table C-3 lists the Microsoft SQL Server audit command events and event IDs.

Table C-3 SQL Server Application Management Events and Event IDs

Event Name	Event ID:Subclass
`Audit Database Object Take Ownership Event`	`DATABASE OBJECT TAKE OWNERSHIP: TRIGGER`
`Audit Schema Object Take Ownership Event`	`SCHEMA OBJECT TAKE OWNERSHIP: PROCEDURE` `SCHEMA OBJECT TAKE OWNERSHIP: TYPE` `SCHEMA OBJECT TAKE OWNERSHIP: TRIGGER`
`Audit Server Object Take Ownership Event`	`TRIGGER`
`Object:Created`	`OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:TYPE`
`Object:Deleted`	`OBJECT:DELETED:TRIGGER` `OBJECT:DELETED:PROCEDURE`

Table C-4 lists the Microsoft SQL Server event attributes.

Table C-4 SQL Server Application Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_NAME`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_OWNER`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`NEW_OBJECT_NAME`	`VARCHAR2(4000)`
`NEW_OBJECT_OWNER`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.4 Audit Command Events

Audit command events track the use of audit events such as altering trace events. The Audit Command Report, described in Section 3.4.2, uses these events.

Table C-5 lists the Microsoft SQL Server audit command events and event IDs.

Table C-5 SQL Server Audit Events and Event IDs

Event Name Event ID:Subclass

Event Name	Event ID:Subclass
`Audit Change Audit Event`	`CHANGE AUDIT:AUDIT STARTED` `CHANGE AUDIT:AUDIT STOPPED` `CHANGE AUDIT:C2 MODE OFF` `CHANGE AUDIT:C2 MODE ON` `CHANGE:AUDIT STOPPED` `CHANGE:NEW AUDIT STARTED`
`Audit Server Alter Trace Event`	`SERVER ALTER TRACE`
`ExistingConnection`	`EXISTINGCONNECTION`

Audit Change Audit Event

CHANGE AUDIT:AUDIT STARTED

CHANGE AUDIT:AUDIT STOPPED

CHANGE AUDIT:C2 MODE OFF

CHANGE AUDIT:C2 MODE ON

CHANGE:AUDIT STOPPED

CHANGE:NEW AUDIT STARTED

Audit Server Alter Trace Event

SERVER ALTER TRACE

ExistingConnection

EXISTINGCONNECTION

Table C-6 lists the Microsoft SQL Server audit events that are logged in the Windows Event Viewer.

Table C-6 SQL Server Audit Events Logged in Windows Event Viewer

Event ID:Subclass	Severity
`OP ALTER TRACE: START`	`10`
`OP ALTER TRACE: STOP`	`10`

Table C-7 lists the Microsoft SQL Server audit event attributes.

Table C-7 SQL Server Audit Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`AUDIT_OPTION`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.5 Data Access Events

The data access event tracks SQL transactions. The Data Access Report, described in Section 3.3.2, uses these events.

Table C-8 lists the Microsoft SQL Server data access event and event ID.

Table C-8 SQL Server Data Access Event and Event ID

Event Name	Event ID:Subclass
`SQL Transaction`	`TRANSACTION:BEGIN`

Table C-9 lists the Microsoft SQL Server data access event attributes.

Table C-9 SQL Server Data Access Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.6 Exception Events

Exception events track audited error and exception activity, such as background job errors. The Exception Report, described in Section 3.5.1, uses these events.

Table C-10 lists the Microsoft SQL Server exception events and event IDs.

Table C-10 SQL Server Exception Events and Event IDs

Event Name Event ID:Subclass

Event Name	Event ID:Subclass
`Background Job Error`	`BACKGROUND JOB ERROR:ERROR RETURN` `BACKGROUND JOB ERROR:FAILURE` `BACKGROUND JOB ERROR:QUEUE IS FULL`
`Blocked Process Report`	`BLOCKED PROCESS REPORT`

Background Job Error

BACKGROUND JOB ERROR:ERROR RETURN

BACKGROUND JOB ERROR:FAILURE

BACKGROUND JOB ERROR:QUEUE IS FULL

Blocked Process Report

BLOCKED PROCESS REPORT

Table C-11 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.

Table C-11 SQL Server Exception Events Logged in the Windows Event Viewer

Event ID:Subclass	Severity
`OP ERROR: .NET FATAL ERROR`	`16`
`OP ERROR: .NET USER CODE`	`16`
`OP ERROR: COMMIT`	`10`
`OP ERROR: DB OFFLINE`	`10`
`OP ERROR: MIRRORING ERROR`	`16`
`OP ERROR: PROCESS VIOLATION`	`16`
`OP ERROR: RECOVER`	`21`
`OP ERROR: RESTORE FAILED`	`21`
`OP ERROR: ROLLBACK`	`10`
`OP ERROR: SERVER SHUT DOWN`	`21`
`OP ERROR: STACK OVER FLOW`	`16`

Table C-12 lists the Microsoft SQL Server exception event attributes.

Table C-12 SQL Server Exception Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.7 Invalid Record Events

Invalid record event s track audited activity that Audit Vault could not understand, possibly due to a corrupted audit record. The Invalid Audit Record Report, described in Section 3.5.2, uses the invalid record event attributes. (These events do not have any event names or event IDs; they only contain event attributes.)

Table C-13 lists the Microsoft SQL Server invalid record event attributes.

Table C-13 SQL Server Invalid Record Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`ERROR_ID`	`NUMBER`
`ERROR_MESSAGE`	`VARCHAR2(30)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`MODULE_NAME`	`VARCHAR2(100)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`ORIGINAL_CONTENT1`	`VARCHAR2(4000)`
`ORIGINAL_CONTENT2`	`VARCHAR2(4000)`
`ORIGINAL_CONTENT3`	`VARCHAR2(4000)`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SEVERITY`	`NUMBER`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.8 Object Management Events

Object management events track audited actions performed on database objects, such as altering an object. The Object Management Report, described in Section 3.4.3, uses these events.

Table C-14 lists the Microsoft SQL Server object management events and event IDs.

Table C-14 SQL Server Object Management Events and Event IDs

Event Name	Event ID:Subclass
`Audit Database Object Access Event`	`DATABASE OBJECT ACCESS`
`Audit Database Object Management Event`	`DATABASE OBJECT MANAGEMENT:ACCESS`
`Audit Database Object Take Ownership Event`	`DATABASE OBJECT TAKE OWNERSHIP: OBJECT` `DATABASE OBJECT TAKE OWNERSHIP: SCHEMA`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:ALTER: OBJECT` `DATABASE PRINCIPAL MANAGEMENT:CREATE: OBJECT` `DATABASE PRINCIPAL MANAGEMENT:DROP: OBJECT`
`Audit Schema Object Access Event`	`SCHEMA OBJECT ACCESS`
`Audit Schema Object Management Event`	`SCHEMA OBJECT MANAGEMENT:ALTER` `SCHEMA OBJECT MANAGEMENT:CREATE` `SCHEMA OBJECT MANAGEMENT:DROP` `SCHEMA OBJECT MANAGEMENT:TRANSFER`
`Audit Schema Object Take Ownership Event`	`SCHEMA OBJECT TAKE OWNERSHIP: INDEX` `SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: TABLE`
`Audit Server Object Take Ownership Event`	`SERVER OBJECT TAKE OWNERSHIP: OBJECT`
`Lock:Deadlock`	`LOCK:DEADLOCK`
`Lock:Deadlock Chain`	`LOCK:DEADLOCK CHAIN` `LOCK:DEADLOCK CHAIN:RESOURCE TYPE LOCK`
`Object:Altered`	`OBJECT:ALTERED` `OBJECT:ALTERED:COMMIT` `OBJECT:ALTERED:INDEX` `OBJECT:ALTERED:PROCEDURE` `OBJECT:ALTERED:ROLLBACK` `OBJECT:ALTERED:TABLE` `OBJECT:ALTERED:TRIGGER` `OBJECT:ALTERED:TYPE`
`Object:Closed`	`OBJECT:CLOSED`
`Object:Created`	`OBJECT:CREATED` `OBJECT:CREATED:COMMIT` `OBJECT:CREATED:INDEX` `OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:ROLLBACK` `OBJECT:CREATED:SCHEMA` `OBJECT:CREATED:SYNONYM` `OBJECT:CREATED:TABLE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE` `OBJECT:CREATED:VIEW`
`Object:Deleted`	`OBJECT:DELETED` `OBJECT:DELETED:COMMIT` `OBJECT:DELETED:INDEX` `OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:ROLLBACK` `OBJECT:DELETED:SYNONYM` `OBJECT:DELETED:TABLE` `OBJECT:DELETED:TRIGGER` `OBJECT:DELETED:TYPE` `OBJECT:DELETED:VIEW`

Table C-15 lists the Microsoft SQL Server object management event attributes.

Table C-15 SQL Server Object Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_NAME`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_OWNER`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`NEW_OBJECT_NAME`	`VARCHAR2(4000)`
`NEW_OBJECT_OWNER`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.9 Peer Association Events

Peer association events track database link statements. The Distributed Database Report, described in Section 3.3.4, uses these events. (These events do not have any event names or event IDs; they only contain event attributes.)

Table C-16 lists the Microsoft SQL Server peer association event attributes.

Table C-16 SQL Server Peer Association Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.10 Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as creating roles and privileges. The Role and Privilege Management Report, described in Section 3.4.5, uses these events.

Table C-17 lists the Microsoft SQL Server role and privilege management events and event IDs.

Table C-17 SQL Server Role and Privilege Management Events and Event IDs

Event Name	Event ID:Subclass
`Audit Add DB User Event`	`ADD DB USER:GRANT DATABASE ACCESS` `ADD DB USER:GRANTDBACCESS` `ADD DB USER:REVOKE DATABASE ACCESS` `ADD DB USER:REVOKEDBACCESS`
`Audit Add Login to Server Role Event`	`ADD LOGIN TO SERVER ROLE:ADD` `ADD LOGIN TO SERVER ROLE:DROP`
`Audit Add Member to DB Role Event`	`ADD MEMBER TO DB ROLE:ADD` `ADD MEMBER TO DB ROLE:CHANGE GROUP` `ADD MEMBER TO DB ROLE:DROP`
`Audit Add Role Event`	`ADD ROLE:ADD` `ADD ROLE:DROP`
`Audit App Role Change Password Event`	`APP ROLE CHANGE PASSWORD`
`Audit Database Object GDR Event`	`DATABASE OBJECT GDR:GRANT` `DATABASE OBJECT GDR:REVOKE` `DATABASE OBJECT GDR:DENY`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:ALTER: ROLE` `DATABASE PRINCIPAL MANAGEMENT:CREATE: ROLE` `DATABASE PRINCIPAL MANAGEMENT:DROP: ROLE`
`Audit Login GDR Event`	`LOGIN GDR:DENY` `LOGIN GDR:GRANT` `LOGIN GDR:GRANT` `LOGIN GDR:REVOKE`
`Audit Object Derived Permission Event`	`OBJECT DERIVED PERMISSION:ALTER` `OBJECT DERIVED PERMISSION:CREATE` `OBJECT DERIVED PERMISSION:DROP` `OBJECT DERIVED PERMISSION:DUMP` `OBJECT DERIVED PERMISSION:LOAD`
`Audit Object GDR Event`	`OBJECT GDR:DENY` `OBJECT GDR:GRANT` `OBJECT GDR:REVOKE`
`Audit Object Permission Event`	`OBJECT PERMISSION`
`Audit Server Object GDR Event`	`SERVER OBJECT GDR:DENY` `SERVER OBJECT GDR:GRANT` `SERVER OBJECT GDR:REVOKE`
`Audit Server Scope GDR Event`	`SERVER SCOPE GDR:DENY` `SERVER SCOPE GDR:GRANT` `SERVER SCOPE GDR:REVOKE`
`Audit Statement GDR Event`	`STATEMENT GDR:DENY` `STATEMENT GDR:GRANT` `STATEMENT GDR:REVOKE`
`Audit Statement Permission Event`	`STATEMENT PERMISSION`

Table C-18 lists the Microsoft SQL Server role and privilege event attributes.

Table C-18 SQL Server Role and Privilege Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`ADMIN_OPTION`	`NUMBER`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GRANTEE`	`VARCHAR2(4000)`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`ROLE_NAME`	`VARCHAR2(4000)`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`SYSTEM_PRIVILEGE`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.11 Service and Application Utilization Events

Service and application utilization events track audited application access activity. The Procedure Executions Report, described in Section 3.3.5, uses these events.

Table C-19 lists the Microsoft SQL Server service and application utilization events and event IDs.

Table C-19 SQL Server Service and Application Utilization Events and Event IDs

Event Name Event ID

Event Name	Event ID
`Audit Broker Conversation`	`BROKER CONVERSATION:INVALID SIGNATURE` `BROKER CONVERSATION:NO CERTIFICATE` `BROKER CONVERSATION:NO SECURITY HEADER` `BROKER CONVERSATION:RUN AS TARGET FAILURE`
`Broker:Activation`	`BROKER:ACTIVATION:ABORTED`
`Broker:Queue Disabled`	`BROKER:QUEUE DISABLED`

Audit Broker Conversation

BROKER CONVERSATION:INVALID SIGNATURE

BROKER CONVERSATION:NO CERTIFICATE

BROKER CONVERSATION:NO SECURITY HEADER

BROKER CONVERSATION:RUN AS TARGET FAILURE

Broker:Activation

BROKER:ACTIVATION:ABORTED

Broker:Queue Disabled

BROKER:QUEUE DISABLED

Table C-20 lists the Microsoft SQL Server service and application utilization event attributes.

Table C-20 SQL Server Service and Application Utilization Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.12 System Management Events

System management events track audited system management activity, such as backup and restore operations. The System Management Report, described in Section 3.4.6, uses these events.

Table C-21 lists the Microsoft SQL Server system management events and event IDs.

Table C-21 SQL Server System Management Events and Event IDs

Event Name	Event ID:Subclass
`Audit Add DB User Event`	`ADD DB USER:ADD` `ADD DB USER:DROP` `ADD DB USER:SP_ADDUSER` `ADD DB USER:SP_DROPUSER`
`Audit Backup/Restore Event`	`BACKUP/RESTORE:BACKUP` `BACKUP/RESTORE:BACKUPLOG` `BACKUP/RESTORE:RESTORE`
`Audit Change Database Owner`	`CHANGE DATABASE OWNER`
`Audit Database Management Event`	`DATABASE MANAGEMENT:ALTER` `DATABASE MANAGEMENT:CREATE` `DATABASE MANAGEMENT:DROP` `DATABASE MANAGEMENT:DUMP` `DATABASE MANAGEMENT:LOAD`
`Audit Database Object Management Event`	`DATABASE OBJECT MANAGEMENT:ALTER` `DATABASE OBJECT MANAGEMENT:CREATE` `DATABASE OBJECT MANAGEMENT:DROP` `DATABASE OBJECT MANAGEMENT:DUMP` `DATABASE OBJECT MANAGEMENT:LOAD` `DATABASE OBJECT MANAGEMENT:OPEN`
`Audit Database Operation Event`	`DATABASE OPERATION:SUBSCRIBE TO QUERY NOTIFICATION`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:DUMP` `DATABASE PRINCIPAL MANAGEMENT:LOAD`
`Audit DBCC Event`	`DB CONSISTENCY CHECK`
`Audit Schema Object Management Event`	`SCHEMA OBJECT MANAGEMENT:DUMP` `SCHEMA OBJECT MANAGEMENT:LOAD`
`Audit Server Object Management Event`	`SERVER OBJECT MANAGEMENT:ALTER` `SERVER OBJECT MANAGEMENT:CREATE` `SERVER OBJECT MANAGEMENT:DROP` `SERVER OBJECT MANAGEMENT:DUMP` `SERVER OBJECT MANAGEMENT:LOAD`
`Audit Server Operation Event`	`SERVER OPERATION:ADMINISTER BULK OPERATIONS` `SERVER OPERATION:ALTER RESOURCES` `SERVER OPERATION:ALTER SERVER STATE` `SERVER OPERATION:ALTER SETTINGS` `SERVER OPERATION:AUTHENTICATE` `SERVER OPERATION:EXTERNAL ACCESS`
`Audit Server Principal Management Event`	`SERVER PRINCIPAL MANAGEMENT:DUMP: USER` `SERVER PRINCIPAL MANAGEMENT:LOAD: USER`
`Audit Server Starts and Stops`	`SERVER STARTS AND STOPS:SHUTDOWN` `SERVER STARTS AND STOPS:STARTED` `SERVER STARTS AND STOPS:PAUSED` `SERVER STARTS AND STOPS:CONTINUE`
`Audit Server Starts and Stops Event`	`SERVER STARTS AND STOPS:INSTANCE CONTINUED` `SERVER STARTS AND STOPS:INSTANCE PAUSE` `SERVER STARTS AND STOPS:INSTANCE SHUTDOWN` `SERVER STARTS AND STOPS:INSTANCE STARTED`
`Database Mirroring State Change`	`DATABASE MIRRORING STATE CHANGE`
`Mount Tape`	`MOUNT TAPE:TAPE MOUNT CANCELLED` `MOUNT TAPE:TAPE MOUNT COMPLETE` `MOUNT TAPE:TAPE MOUNT REQUEST`

Table C-22 lists the Microsoft SQL Server system management event attributes.

Table C-22 SQL Server System Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.13 Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations. The Uncategorized Activity Report, described in Section 3.5.3, uses these events.

Table C-23 lists the Microsoft SQL Server unknown or uncategorized event and event ID.

Table C-23 SQL Server Unknown or Uncategorized Event and Event ID

Event Name	Event ID:Subclass
`User Configurable (0-9)`	`USER CONFIGURABLE`

Table C-24 lists the Microsoft SQL Server unknown or uncategorized event attributes.

Table C-24 SQL Server Unknown or Uncategorized Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

C.14 User Session Events

User session events track audited authentication events for users who log in to the database. The User Sessions Report, described in Section 3.3.6, uses these events.

Table C-25 lists the Microsoft SQL Server user session events and event IDs.

Table C-25 SQL Server User Session Events and Event IDs

Event Name	Event ID:Subclass
`Audit Broker Login`	`BROKER LOGIN:LOGIN SUCCESS` `BROKER LOGIN:LOGIN PROTOCOL ERROR` `BROKER LOGIN:MESSAGE FORMAT ERROR` `BROKER LOGIN:NEGOTIATE FAILURE` `BROKER LOGIN:AUTHENTICATION FAILURE`
`Audit Database Operation Event`	`DATABASE OPERATION:CHECKPOINT`
`Audit Database Principal Impersonation Event`	`DATABASE PRINCIPAL IMPERSONATION`
`Audit Login`	`AUDIT LOGIN:LOGIN`
`Audit Login Event`	`AUDIT LOGIN EVENT:LOGIN`
`Audit Login Failed`	`AUDIT LOGIN FAILED:LOGIN FAILED`
`Audit Login Failed Event`	`AUDIT LOGIN FAILED EVENT:LOGIN FAILED`
`Audit Logout`	`AUDIT LOGOUT:LOGOUT`
`Audit Logout Event`	`AUDIT LOGOUT EVENT:LOGOUT`
`Audit Server Principal Impersonation Event`	`SERVER PRINCIPAL IMPERSONATION`
`SQL Transaction`	`SQL TRANSACTION:COMMIT` `SQL TRANSACTION:ROLLBACK` `SQL TRANSACTION:SAVEPOINT`

Table C-26 lists the Microsoft SQL Server user session event attributes.

Table C-26 SQL Server User Session Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`AUTHENTICATION_METHOD`	`VARCHAR2(255)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`