Oracle® Audit Vault Auditor's Guide Release 10.2.3.1 Part Number E13842-02
This appendix lists the audit event names and IDs, and the attribute names and data types for Microsoft SQL Server. The audit events are organized by their respective categories; for example, Account Management. You can use these audit events as follows:
For alerts. When you create an alert, you can specify an audit event, based on its category, that can trigger the alert. See "Creating an Alert" for more information.
For custom reports using third-party tools. If you want to create custom reports using other Oracle Database reporting products or third-party tools, refer to the tables in this appendix when you design the reports. See Chapter 4, "Oracle Audit Vault Data Warehouse Schema" for more information about custom reports created with other tools.
Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords. The Account Management Report, described in Section 3.4.1, uses these events.
Table B-1 lists the Microsoft SQL Server account management events and event IDs.
Table B-1 SQL Server Account Management Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-2 lists the Microsoft SQL Server account management event attributes.
Table B-2 SQL Server Account Management Event Attributes
Attribute Name | Data Type |
---|---|
Application management events track actions that were performed on the underlying SQL statements, such as creating objects. The Procedure Management Report, described in Section 3.4.4, uses these events.
Table B-3 lists the Microsoft SQL Server application management events and event IDs.
Table B-3 SQL Server Application Management Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-4 lists the Microsoft SQL Server application management event attributes.
Table B-4 SQL Server Application Management Event Attributes
Attribute Name | Data Type |
---|---|
Audit command events track the use of audit events, such as altering trace events. The Audit Command Report, described in Section 3.4.2, uses these events.
Table B-5 lists the Microsoft SQL Server audit command events and event IDs.
Table B-5 SQL Server Audit Command Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-6 lists the Microsoft SQL Server audit command events that are logged in the Windows Event Viewer.
Table B-6 SQL Server Audit Command Events Logged in Windows Event Viewer
Event ID:Subclass | Severity |
---|---|
Table B-7 lists the Microsoft SQL Server audit command event attributes.
Table B-7 SQL Server Audit Command Event Attributes
Attribute Name | Data Type |
---|---|
The data access event tracks SQL transactions. The Data Access Report, described in Section 3.3.2, uses these events.
Table B-8 shows the Microsoft SQL Server data access event and event ID.
Table B-8 SQL Server Data Access Event and Event ID
Event Name | Event ID:Subclass |
---|---|
Table B-9 lists the Microsoft SQL Server data access event attributes.
Table B-9 SQL Server Data Access Event Attributes
Attribute Name | Data Type |
---|---|
Exception events track audited error and exception activity, such as background job errors. The Exception Activity Report, described in Section 3.5.1, uses these events.
Table B-10 lists the Microsoft SQL Server exception events and event IDs.
Table B-10 SQL Server Exception Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-11 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.
Table B-11 SQL Server Exception Events Logged in the Windows Event Viewer
Event ID:Subclass | Severity |
---|---|
Table B-12 lists the Microsoft SQL Server exception event attributes.
Table B-12 SQL Server Exception Event Attributes
Attribute Name | Data Type |
---|---|
Invalid record events track audited activity that Oracle Audit Vault cannot recognize, possibly due to a corrupted audit record. The Invalid Audit Record Report, described in Section 3.5.2, uses the invalid record event attributes. (These events do not have any event names or event IDs; they only contain event attributes.)
Table B-13 lists the Microsoft SQL Server invalid record event attributes.
Table B-13 SQL Server Invalid Record Event Attributes
Attribute Name | Data Type |
---|---|
Object management events track audited actions performed on database objects, such as altering an object. The Object Management Report, described in Section 3.4.3, uses these events.
Table B-14 lists the Microsoft SQL Server object management events and event IDs.
Table B-14 SQL Server Object Management Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-15 lists the Microsoft SQL Server object management event attributes.
Table B-15 SQL Server Object Management Event Attributes
Attribute Name | Data Type |
---|---|
Peer association events track database link statements. The Distributed Database Report, described in Section 3.3.4, uses these events. (These events do not have any event names or event IDs; they only contain event attributes.)
Table B-16 lists the Microsoft SQL Server peer association event attributes.
Table B-16 SQL Server Peer Association Event Attributes
Attribute Name | Data Type |
---|---|
Role and privilege management events track audited role and privilege management activity, such as granting a user access permission. The Role and Privilege Management Report, described in Section 3.4.5, uses these events.
Table B-17 lists the Microsoft SQL Server role and privilege management events and event IDs.
Table B-17 SQL Server Role and Privilege Management Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-18 lists the Microsoft SQL Server role and privilege management event attributes.
Table B-18 SQL Server Role and Privilege Management Event Attributes
Attribute Name | Data Type |
---|---|
Service and application utilization events track audited application access activity. The Procedure Executions Report, described in Section 3.3.5, uses these events.
Table B-19 lists the Microsoft SQL Server service and application utilization events and event IDs.
Table B-19 SQL Server Service and Application Utilization Events and Event IDs
Event Name | Event ID |
---|---|
Table B-20 lists the Microsoft SQL Server service and application utilization event attributes.
Table B-20 SQL Server Service and Application Utilization Event Attributes
Attribute Name | Data Type |
---|---|
System management events track audited system management activity, such as backup and restore operations. The System Management Report, described in Section 3.4.6, uses these events.
Table B-21 lists the Microsoft SQL Server system management events and event IDs.
Table B-21 SQL Server System Management Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-22 lists the Microsoft SQL Server system management event attributes.
Table B-22 SQL Server System Management Event Attributes
Attribute Name | Data Type |
---|---|
Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations. The Uncategorized Activity Report, described in Section 3.5.3, uses these events.
Table B-23 shows the Microsoft SQL Server unknown or uncategorized event and event ID.
Table B-23 SQL Server Unknown or Uncategorized Event and Event ID
Event Name | Event ID:Subclass |
---|---|
Table B-24 lists the Microsoft SQL Server unknown or uncategorized event attributes.
Table B-24 SQL Server Unknown or Uncategorized Event Attributes
Attribute Name | Data Type |
---|---|
User session events track audited authentication events for users who log in to the database. The User Sessions Report, described in Section 3.3.6, uses these events.
Table B-25 lists the Microsoft SQL Server user session events and event IDs.
Table B-25 SQL Server User Session Events and Event IDs
Event Name | Event ID:Subclass |
---|---|
Table B-26 lists the Microsoft SQL Server user session event attributes.
Table B-26 SQL Server User Session Event Attributes
Attribute Name | Data Type |
---|---|