B Microsoft SQL Server Audit Events

This appendix contains:

About the Microsoft SQL Server Audit Events
Account Management Events
Application Management Events
Audit Command Events
Data Access Events
Exception Events
Invalid Record Events
Object Management Events
Peer Association Events
Role and Privilege Management Events
Service and Application Utilization Events
System Management Events
Unknown or Uncategorized Events
User Session Events

B.1 About the Microsoft SQL Server Audit Events

This appendix lists the audit event names and IDs, and the attribute names and data types for Microsoft SQL Server. The audit events are organized by their respective categories; for example, Account Management. You can use these audit events as follows:

For alerts. When you create an alert, you can specify an audit event, based on its category, that can trigger the alert. See "Creating a Basic Alert" for more information.
For custom reports using third-party tools. If you want to create custom reports using other Oracle Database reporting products or third-party tools, then refer to the tables in this appendix when you design the reports. See Chapter 4, "Oracle Audit Vault Data Warehouse Schema" for more information about custom reports created with other tools.

B.2 Account Management Events

Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords. The Account Management Report, described in Section 3.3.3.2, uses these events.

Table B-1 lists the Microsoft SQL Server account management source database events and the equivalent Oracle Audit Vault events.

Table B-1 SQL Server Account Management Audit Events

Event Name Description Source Event Audit Vault Event

Event Name Description	Source Event	Audit Vault Event
`Audit AddLogin Event`	`ADDLOGIN:ADD` `ADDLOGIN:DROP`	`CREATE USER` `DROP USER`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:ALTER: USER` `DATABASE PRINCIPAL MANAGEMENT:CREATE: USER` `DATABASE PRINCIPAL MANAGEMENT:DROP: USER`	`ALTER USER` `CREATE USER` `DROP USER`
`Audit Login Change Password Event`	`LOGIN CHANGE PASSWORD:PASSWORD CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE` `LOGIN CHANGE PASSWORD:PASSWORD RESET` `LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD SELF RESET` `LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED`	`ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER`
`Audit Login Change Property Event`	`LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED` `LOGIN CHANGE PROPERTY:EXPIRATION CHANGED` `LOGIN CHANGE PROPERTY:NAME CHANGED` `LOGIN CHANGE PROPERTY:POLICY CHANGED`	`ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER` `ALTER USER`
`Audit Server Object Management Event`	`SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED` `SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN`	`ALTER USER` `ALTER USER`
`Audit Server Principal Management Event`	`SERVER PRINCIPAL MANAGEMENT:ALTER: USER` `SERVER PRINCIPAL MANAGEMENT:CREATE: USER` `SERVER PRINCIPAL MANAGEMENT:DISABLE: USER` `SERVER PRINCIPAL MANAGEMENT:DROP: USER` `SERVER PRINCIPAL MANAGEMENT:ENABLE: USER`	`ALTER USER` `CREATE USER` `DISABLE USER` `DROP USER` `ENABLE USER`

Audit AddLogin Event

ADDLOGIN:ADD

ADDLOGIN:DROP

CREATE USER

DROP USER

Audit Database Principal Management Event

DATABASE PRINCIPAL MANAGEMENT:ALTER: USER

DATABASE PRINCIPAL MANAGEMENT:CREATE: USER

DATABASE PRINCIPAL MANAGEMENT:DROP: USER

ALTER USER

CREATE USER

DROP USER

Audit Login Change Password Event

LOGIN CHANGE PASSWORD:PASSWORD CHANGED

LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE

LOGIN CHANGE PASSWORD:PASSWORD RESET

LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED

LOGIN CHANGE PASSWORD:PASSWORD SELF RESET

LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED

ALTER USER

Audit Login Change Property Event

LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED

LOGIN CHANGE PROPERTY:DEFAULT DATABASE

LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED

LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE

LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED

LOGIN CHANGE PROPERTY:EXPIRATION CHANGED

LOGIN CHANGE PROPERTY:NAME CHANGED

LOGIN CHANGE PROPERTY:POLICY CHANGED

ALTER USER

Audit Server Object Management Event

SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED

SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN

ALTER USER

Audit Server Principal Management Event

SERVER PRINCIPAL MANAGEMENT:ALTER: USER

SERVER PRINCIPAL MANAGEMENT:CREATE: USER

SERVER PRINCIPAL MANAGEMENT:DISABLE: USER

SERVER PRINCIPAL MANAGEMENT:DROP: USER

SERVER PRINCIPAL MANAGEMENT:ENABLE: USER

ALTER USER

CREATE USER

DISABLE USER

DROP USER

ENABLE USER

Table B-2 lists the Microsoft SQL Server account management event attributes.

Table B-2 SQL Server Account Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.3 Application Management Events

Application management events track actions that were performed on the underlying SQL statements, such as creating objects. The Procedure Management Report, described in Section 3.3.3.5, uses these events.

Table B-3 lists the Microsoft SQL Server application management source database events and the equivalent Oracle Audit Vault events.

Table B-3 SQL Server Application Management Audit Events

Event Name Description	Source Event	Audit Vault Event
`Audit Database Object Take Ownership Event`	`DATABASE OBJECT TAKE OWNERSHIP: TRIGGER`	`ALTER TRIGGER`
`Audit Schema Object Take Ownership Event`	`SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: PROCEDURE` `SCHEMA OBJECT TAKE OWNERSHIP: TYPE` `SCHEMA OBJECT TAKE OWNERSHIP: TRIGGER`	`ALTER OBJECT` `ALTER PROCEDURE` `ALTER TYPE` `ALTER TRIGGER`
`Audit Server Object Take Ownership Event`	`SERVER OBJECT TAKE OWNERSHIP: OBJECT`	`ALTER OBJECT`
`Object:Created`	`OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE`	`CREATE PROCEDURE` `CREATE TRIGGER`
`Object:Deleted`	`OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:TRIGGER`	`DROP PROCEDURE` `DROP TRIGGER`

Table B-4 lists the Microsoft SQL Server application management event attributes.

Table B-4 SQL Server Application Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_NAME`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_OWNER`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`NEW_OBJECT_NAME`	`VARCHAR2(4000)`
`NEW_OBJECT_OWNER`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.4 Audit Command Events

Audit command events track the use of audit events, such as altering trace events. The Audit Command Report, described in Section 3.3.3.3, uses these events.

Table B-5 lists the Microsoft SQL Server audit command source database events and the equivalent Oracle Audit Vault events.

Table B-5 SQL Server Audit Command Audit Events

Event Name Description Source Event Audit Vault Event

Event Name Description	Source Event	Audit Vault Event
`Audit Change Audit Event`	`CHANGE AUDIT:AUDIT STARTED` `CHANGE AUDIT:AUDIT STOPPED` `CHANGE AUDIT:C2 MODE OFF` `CHANGE AUDIT:C2 MODE ON` `CHANGE:AUDIT STOPPED` `CHANGE:NEW AUDIT STARTED`	`SYSTEM AUDIT` `SYSTEM NOAUDIT` `SYSTEM NOAUDIT` `SYSTEM AUDIT` `SYSTEM NOAUDIT` `SYSTEM AUDIT`
`Audit Server Alter Trace Event`	`SERVER ALTER TRACE`	`ALTER TRACE`
`ExistingConnection`	`EXISTINGCONNECTION`	`EXISTING CONNECTION`

Audit Change Audit Event

CHANGE AUDIT:AUDIT STARTED

CHANGE AUDIT:AUDIT STOPPED

CHANGE AUDIT:C2 MODE OFF

CHANGE AUDIT:C2 MODE ON

CHANGE:AUDIT STOPPED

CHANGE:NEW AUDIT STARTED

SYSTEM AUDIT

SYSTEM NOAUDIT

SYSTEM AUDIT

SYSTEM NOAUDIT

SYSTEM AUDIT

Audit Server Alter Trace Event

SERVER ALTER TRACE

ALTER TRACE

ExistingConnection

EXISTINGCONNECTION

EXISTING CONNECTION

Table B-6 lists the Microsoft SQL Server audit command events that are logged in the Windows Event Viewer.

Table B-6 SQL Server Audit Command Events Logged in Windows Event Viewer

Source Event	Severity
`OP ALTER TRACE: START`	`10`
`OP ALTER TRACE: STOP`	`10`

Table B-7 lists the Microsoft SQL Server audit command event attributes.

Table B-7 SQL Server Audit Command Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`AUDIT_OPTION`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.5 Data Access Events

The data access event tracks SQL transactions. The Data Access Report, described in Section 3.3.2.3, uses these events.

Table B-8 shows the Microsoft SQL Server data access source event and the equivalent Oracle Audit Vault event.

Table B-8 SQL Server Data Access Audit Events

Event Name Description	Source Event	Audit Vault Event
`SQL Transaction`	`TRANSACTION:BEGIN`	`SQL-TRANSACTION`

Table B-9 lists the Microsoft SQL Server data access event attributes.

Table B-9 SQL Server Data Access Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.6 Exception Events

Exception events track audited error and exception activity, such as background job errors. The Exception Activity Report, described in Section 3.3.4.2, uses these events.

Table B-10 lists the Microsoft SQL Server exception source database events and the equivalent Oracle Audit Vault events.

Table B-10 SQL Server Exception Audit Events

Event Name Description Source Event Audit Vault Event

Event Name Description	Source Event	Audit Vault Event
`Background Job Error`	`BACKGROUND JOB ERROR:ERROR RETURN` `BACKGROUND JOB ERROR:FAILURE` `BACKGROUND JOB ERROR:QUEUE IS FULL`	`ERROR` `ERROR` `ERROR`
`Blocked Process Report`	`BLOCKED PROCESS REPORT`	`ERROR`

Background Job Error

BACKGROUND JOB ERROR:ERROR RETURN

BACKGROUND JOB ERROR:FAILURE

BACKGROUND JOB ERROR:QUEUE IS FULL

ERROR

Blocked Process Report

BLOCKED PROCESS REPORT

ERROR

Table B-11 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.

Table B-11 SQL Server Exception Events Logged in the Windows Event Viewer

Source Event	Severity	Audit Vault Event
`OP ERROR: COMMIT`	`10`	`ERROR`
`OP ERROR: DB OFFLINE`	`10`	`ERROR`
`OP ERROR: MIRRORING ERROR`	`16`	`ERROR`
`OP ERROR: .NET FATAL ERROR`	`16`	`ERROR`
`OP ERROR: .NET USER CODE`	`16`	`ERROR`
`OP ERROR: PROCESS VIOLATION`	`16`	`ERROR`
`OP ERROR: RECOVER`	`21`	`ERROR`
`OP ERROR: RESTORE FAILED`	`21`	`ERROR`
`OP ERROR: ROLLBACK`	`10`	`ERROR`
`OP ERROR: SERVER SHUT DOWN`	`21`	`ERROR`
`OP ERROR: STACK OVER FLOW`	`16`	`ERROR`

Table B-12 lists the Microsoft SQL Server exception event attributes.

Table B-12 SQL Server Exception Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.7 Invalid Record Events

Invalid record events track audited activity that Oracle Audit Vault cannot recognize, possibly due to a corrupted audit record. The Invalid Audit Record Report, described in Section 3.3.4.3, uses the invalid record event attributes. (These events do not have any event names; they only contain event attributes.)

Table B-13 lists the Microsoft SQL Server invalid record event attributes.

Table B-13 SQL Server Invalid Record Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`ERROR_ID`	`NUMBER`
`ERROR_MESSAGE`	`VARCHAR2(30)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`MODULE_NAME`	`VARCHAR2(100)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`ORIGINAL_CONTENT1`	`VARCHAR2(4000)`
`ORIGINAL_CONTENT2`	`VARCHAR2(4000)`
`ORIGINAL_CONTENT3`	`VARCHAR2(4000)`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SEVERITY`	`NUMBER`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.8 Object Management Events

Object management events track audited actions performed on database objects, such as altering an object. The Object Management Report, described in Section 3.3.3.4, uses these events.

Table B-14 lists the Microsoft SQL Server object management source database events and the equivalent Oracle Audit Vault events.

Table B-14 SQL Server Object Management Audit Events

Event Name Description	Source Event	Audit Vault Event
`Audit Database Object Access Event`	`DATABASE OBJECT ACCESS`	`ACCESS OBJECT`
`Audit Database Object Management Event`	`DATABASE OBJECT MANAGEMENT:ACCESS`	`ACCESS OBJECT`
`Audit Database Object Take Ownership Event`	`DATABASE OBJECT TAKE OWNERSHIP: OBJECT` `DATABASE OBJECT TAKE OWNERSHIP: SCHEMA`	`ALTER OBJECT` `ALTER SCHEMA`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:ALTER: OBJECT` `DATABASE PRINCIPAL MANAGEMENT:CREATE: OBJECT` `DATABASE PRINCIPAL MANAGEMENT:DROP: OBJECT`	`ALTER OBJECT` `CREATE OBJECT` `DROP OBJECT`
`Audit Schema Object Access Event`	`SCHEMA OBJECT ACCESS`	`ACCESS OBJECT`
`Audit Schema Object Management Event`	`SCHEMA OBJECT MANAGEMENT:ALTER` `SCHEMA OBJECT MANAGEMENT:CREATE` `SCHEMA OBJECT MANAGEMENT:DROP` `SCHEMA OBJECT MANAGEMENT:TRANSFER`	`ALTER SCHEMA` `ALTER SCHEMA` `ALTER SCHEMA` `ALTER SCHEMA`
`Audit Schema Object Take Ownership Event`	`SCHEMA OBJECT TAKE OWNERSHIP: INDEX` `SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: TABLE`	`ALTER INDEX` `ALTER OBJECT` `ALTER TABLE`
`Audit Server Object Take Ownership Event`	`SERVER OBJECT TAKE OWNERSHIP: OBJECT`	`ALTER OBJECT`
`Lock:Deadlock`	`LOCK:DEADLOCK`	Deadlock Presence
`Lock:Deadlock Chain`	`LOCK:DEADLOCK CHAIN` `LOCK:DEADLOCK CHAIN:RESOURCE TYPE LOCK`	Deadlock Presence `DEADLOCK`
`Object:Altered`	`OBJECT:ALTERED` `OBJECT:ALTERED:COMMIT` `OBJECT:ALTERED:INDEX` `OBJECT:ALTERED:PROCEDURE` `OBJECT:ALTERED:ROLLBACK` `OBJECT:ALTERED:TABLE` `OBJECT:ALTERED:TRIGGER` `OBJECT:ALTERED:TYPE`	`ALTER OBJECT` `COMMIT` `ALTER INDEX` `ALTER PROCEDURE` `ROLLBACK` `ALTER TABLE` `ALTER TRIGGER` `ALTER TYPE`
`Object:Closed`	`OBJECT:CLOSED`	None
`Object:Created`	`OBJECT:CREATED` `OBJECT:CREATED:COMMIT` `OBJECT:CREATED:INDEX` `OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:ROLLBACK` `OBJECT:CREATED:SCHEMA` `OBJECT:CREATED:SYNONYM` `OBJECT:CREATED:TABLE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE` `OBJECT:CREATED:VIEW`	`CREATE OBJECT` `COMMIT` `CREATE INDEX` `CREATE PROCEDURE` `ROLLBACK` `CREATE SCHEMA` `CREATE SYNONYM` `CREATE TABLE` `CREATE TRIGGER` `CREATE TYPE` `CREATE VIEW`
`Object:Deleted`	`OBJECT:DELETED` `OBJECT:DELETED:COMMIT` `OBJECT:DELETED:INDEX` `OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:ROLLBACK` `OBJECT:DELETED:SYNONYM` `OBJECT:DELETED:TABLE` `OBJECT:DELETED:TRIGGER` `OBJECT:DELETED:TYPE` `OBJECT:DELETED:VIEW`	`DROP OBJECT` `COMMIT` `DROP INDEX` `DROP PROCEDURE` `ROLLBACK` `DROP SYNONYM` `DROP TABLE` `DROP TRIGGER` `DROP TYPE` `DROP VIEW`

Table B-15 lists the Microsoft SQL Server object management event attributes.

Table B-15 SQL Server Object Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_NAME`	`VARCHAR2(4000)`
`ASSOCIATED_OBJECT_OWNER`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`NEW_OBJECT_NAME`	`VARCHAR2(4000)`
`NEW_OBJECT_OWNER`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.9 Peer Association Events

Peer association events track database link statements. The Distributed Database Report, described in Section 3.3.2.5, uses these events. (These events do not have any event names; they only contain event attributes.)

Table B-16 lists the Microsoft SQL Server peer association event attributes.

Table B-16 SQL Server Peer Association Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.10 Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as granting a user access permission. The Role and Privilege Management Report, described in Section 3.3.3.6, uses these events.

Table B-17 lists the Microsoft SQL Server role and privilege management source database events and the equivalent Oracle Audit Vault events.

Table B-17 SQL Server Role and Privilege Management Audit Events

Event Name Description	Source Event	Audit Vault Event
`Audit Add DB User Event`	`ADD DB USER:GRANT DATABASE ACCESS` `ADD DB USER:GRANTDBACCESS` `ADD DB USER:REVOKE DATABASE ACCESS` `ADD DB USER:REVOKEDBACCESS`	`GRANT ROLE` `GRANT ROLE` `REVOKE ROLE` `REVOKE ROLE`
`Audit Add Login to Server Role Event`	`ADD LOGIN TO SERVER ROLE:ADD` `ADD LOGIN TO SERVER ROLE:DROP`	`GRANT ROLE` `REVOKE ROLE`
`Audit Add Member to DB Role Event`	`ADD MEMBER TO DB ROLE:ADD` `ADD MEMBER TO DB ROLE:CHANGE GROUP` `ADD MEMBER TO DB ROLE:DROP`	`GRANT ROLE` `ALTER ROLE` `REVOKE ROLE`
`Audit Add Role Event`	`ADD ROLE:ADD` `ADD ROLE:DROP`	`GRANT ROLE` `REVOKE ROLE`
`Audit App Role Change Password Event`	`APP ROLE CHANGE PASSWORD`	`ALTER APP ROLE`
`Audit Database Object GDR Event`	`DATABASE OBJECT GDR:DENY` `DATABASE OBJECT GDR:GRANT` `DATABASE OBJECT GDR:REVOKE`	`DENY OBJECT` `GRANT OBJECT` `REVOKE OBJECT`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:ALTER: ROLE` `DATABASE PRINCIPAL MANAGEMENT:CREATE: ROLE` `DATABASE PRINCIPAL MANAGEMENT:DROP: ROLE`	`ALTER ROLE` `CREATE ROLE` `DROP ROLE`
`Audit Login GDR Event`	`LOGIN GDR:DENY` `LOGIN GDR:GRANT` `LOGIN GDR:REVOKE`	`DENY ROLE` `GRANT ROLE` `REVOKE ROLE`
`Audit Object Derived Permission Event`	`OBJECT DERIVED PERMISSION:ALTER OBJECT` `OBJECT DERIVED PERMISSION:CREATE OBJECT` `OBJECT DERIVED PERMISSION:DROP OBJECT` `OBJECT DERIVED PERMISSION:DUMP OBJECT` `OBJECT DERIVED PERMISSION:LOAD OBJECT`	`CHECK PRIVILEGE` `CHECK PRIVILEGE` `CHECK PRIVILEGE` `CHECK PRIVILEGE` `CHECK PRIVILEGE`
`Audit Object GDR Event`	`OBJECT GDR:DENY` `OBJECT GDR:GRANT` `OBJECT GDR:REVOKE`	`DENY OBJECT` `GRANT OBJECT` `REVOKE OBJECT`
`Audit Object Permission Event`	`OBJECT PERMISSION`	`CHECK PRIVILEGE`
`Audit Server Object GDR Event`	`SERVER OBJECT GDR:DENY` `SERVER OBJECT GDR:GRANT` `SERVER OBJECT GDR:REVOKE`	`DENY OBJECT` `GRANT OBJECT` `REVOKE OBJECT`
`Audit Server Scope GDR Event`	`SERVER SCOPE GDR:DENY` `SERVER SCOPE GDR:GRANT` `SERVER SCOPE GDR:REVOKE`	`DENY ROLE` `GRANT ROLE` `REVOKE ROLE`
`Audit Statement GDR Event`	`STATEMENT GDR:DENY` `STATEMENT GDR:GRANT` `STATEMENT GDR:REVOKE`	`DENY ROLE` `GRANT ROLE` `REVOKE ROLE`
`Audit Statement Permission Event`	`STATEMENT PERMISSION`	`CHECK PRIVILEGE`

Table B-18 lists the Microsoft SQL Server role and privilege management event attributes.

Table B-18 SQL Server Role and Privilege Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`ADMIN_OPTION`	`NUMBER`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GRANTEE`	`VARCHAR2(4000)`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`ROLE_NAME`	`VARCHAR2(4000)`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`SYSTEM_PRIVILEGE`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.11 Service and Application Utilization Events

Service and application utilization events track audited application access activity. The Procedure Executions Report, described in Section 3.3.2.6, uses these events.

Table B-19 lists the Microsoft SQL Server service and application utilization source database events and the equivalent Oracle Audit Vault events.

Table B-19 SQL Server Service and Application Utilization Audit Events

Event Name Description Source Event Audit Vault Event

Event Name Description	Source Event	Audit Vault Event
`Audit Broker Conversation`	`BROKER CONVERSATION:INVALID SIGNATURE` `BROKER CONVERSATION:NO CERTIFICATE` `BROKER CONVERSATION:NO SECURITY HEADER` `BROKER CONVERSATION:RUN AS TARGET FAILURE`	`SERVICE BROKER QUEING` `SERVICE BROKER QUEING` `SERVICE BROKER QUEING` `SERVICE BROKER QUEING`
`Broker:Activation`	`BROKER:ACTIVATION:ABORTED`	`SERVICE BROKER QUEING`
`Broker:Queue Disabled`	`BROKER:QUEUE DISABLED`	`SERVICE BROKER QUEING`

Audit Broker Conversation

BROKER CONVERSATION:INVALID SIGNATURE

BROKER CONVERSATION:NO CERTIFICATE

BROKER CONVERSATION:NO SECURITY HEADER

BROKER CONVERSATION:RUN AS TARGET FAILURE

SERVICE BROKER QUEING

Broker:Activation

BROKER:ACTIVATION:ABORTED

SERVICE BROKER QUEING

Broker:Queue Disabled

BROKER:QUEUE DISABLED

SERVICE BROKER QUEING

Table B-20 lists the Microsoft SQL Server service and application utilization event attributes.

Table B-20 SQL Server Service and Application Utilization Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.12 System Management Events

System management events track audited system management activity, such as backup and restore operations. The System Management Report, described in Section 3.3.3.7, uses these events.

Table B-21 lists the Microsoft SQL Server system management source database events and the equivalent Oracle Audit Vault events.

Table B-21 SQL Server System Management Audit Events

Event Name Description	Source Event	Audit Vault Event
`Audit Add DB User Event`	`ADD DB USER:ADD` `ADD DB USER:DROP` `ADD DB USER:SP_ADDUSER` `ADD DB USER:SP_DROPUSER`	`ALTER DATABASE` `ALTER DATABASE` `ALTER DATABASE` `ALTER DATABASE`
`Audit Backup/Restore Event`	`BACKUP/RESTORE:BACKUP` `BACKUP/RESTORE:BACKUPLOG` `BACKUP/RESTORE:RESTORE`	`BACKUP` `BACKUP` `RESTORE`
`Audit Change Database Owner`	`CHANGE DATABASE OWNER`	`ALTER DATABASE`
`Audit Database Management Event`	`DATABASE MANAGEMENT:ALTER` `DATABASE MANAGEMENT:CREATE` `DATABASE MANAGEMENT:DROP` `DATABASE MANAGEMENT:DUMP` `DATABASE MANAGEMENT:LOAD`	`ALTER DATABASE` `CREATE DATABASE` `DROP DATABASE` `BACKUP` `RESTORE`
`Audit Database Object Management Event`	`DATABASE OBJECT MANAGEMENT:ALTER` `DATABASE OBJECT MANAGEMENT:CREATE` `DATABASE OBJECT MANAGEMENT:DROP` `DATABASE OBJECT MANAGEMENT:DUMP` `DATABASE OBJECT MANAGEMENT:LOAD` `DATABASE OBJECT MANAGEMENT:OPEN`	`ALTER DATABASE` `ALTER DATABASE` `ALTER DATABASE` `BACKUP` `RESTORE` `ALTER DATABASE`
`Audit Database Operation Event`	`DATABASE OPERATION:SUBSCRIBE TO QUERY NOTIFICATION`	`QN SUBSCRIPTION`
`Audit Database Principal Management Event`	`DATABASE PRINCIPAL MANAGEMENT:DUMP` `DATABASE PRINCIPAL MANAGEMENT:LOAD`	`BACKUP` `RESTORE`
`Audit DBCC Event`	`DB CONSISTENCY CHECK`	`CONSISTENCY CHECK`
`Audit Schema Object Management Event`	`SCHEMA OBJECT MANAGEMENT:DUMP` `SCHEMA OBJECT MANAGEMENT:LOAD`	`BACKUP` `RESTORE`
`Audit Server Object Management Event`	`SERVER OBJECT MANAGEMENT:ALTER` `SERVER OBJECT MANAGEMENT:CREATE` `SERVER OBJECT MANAGEMENT:DROP` `SERVER OBJECT MANAGEMENT:DUMP` `SERVER OBJECT MANAGEMENT:LOAD`	`ALTER SYSTEM` `ALTER SYSTEM` `ALTER SYSTEM` `BACKUP` `RESTORE`
`Audit Server Operation Event`	`SERVER OPERATION:ADMINISTER BULK OPERATIONS` `SERVER OPERATION:ALTER RESOURCES` `SERVER OPERATION:ALTER SERVER STATE` `SERVER OPERATION:ALTER SETTINGS` `SERVER OPERATION:AUTHENTICATE` `SERVER OPERATION:EXTERNAL ACCESS`	`ALTER SYSTEM` `ALTER SYSTEM` `ALTER SYSTEM` `ALTER SYSTEM` `ALTER SYSTEM` `ALTER SYSTEM`
`Audit Server Principal Management Event`	`SERVER PRINCIPAL MANAGEMENT:DUMP: USER` `SERVER PRINCIPAL MANAGEMENT:LOAD: USER`	`BACKUP` `RESTORE`
`Audit Server Starts and Stops`	`SERVER STARTS AND STOPS:SHUTDOWN` `SERVER STARTS AND STOPS:STARTED` `SERVER STARTS AND STOPS:PAUSED` `SERVER STARTS AND STOPS:CONTINUE`	`SHUTDOWN` `STARTUP` `SUSPEND` `RESUME`
`Audit Server Starts and Stops Event`	`SERVER STARTS AND STOPS:INSTANCE CONTINUED` `SERVER STARTS AND STOPS:INSTANCE PAUSE` `SERVER STARTS AND STOPS:INSTANCE SHUTDOWN` `SERVER STARTS AND STOPS:INSTANCE STARTED`	`RESUME` `SUSPEND` `SHUTDOWN` `STARTUP`
`Database Mirroring State Change`	`DATABASE MIRRORING STATE CHANGE`	`MIRRORING STATE CHANGED`
`Mount Tape`	`MOUNT TAPE:TAPE MOUNT CANCELLED` `MOUNT TAPE:TAPE MOUNT COMPLETE` `MOUNT TAPE:TAPE MOUNT REQUEST`	`MOUNT TAPE` `MOUNT TAPE` `MOUNT TAPE`

Table B-22 lists the Microsoft SQL Server system management event attributes.

Table B-22 SQL Server System Management Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.13 Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations. The Uncategorized Activity Report, described in Section 3.3.4.4, uses these events.

Table B-23 shows the Microsoft SQL Server unknown or uncategorized source database event and the equivalent Oracle Audit Vault event.

Table B-23 SQL Server Unknown or Uncategorized Event Attributes

Event Name Description	Source Event	Audit Vault Event
`User Configurable (0-9)`	`USER CONFIGURABLE`	`USER CONFIGURABLE`
`SQL Statement Completed Event`	`SQL:StmtCompleted`	`SQL EXECUTION`

Table B-24 lists the Microsoft SQL Server unknown or uncategorized event attributes.

Table B-24 SQL Server Unknown or Uncategorized Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`

B.14 User Session Events

User session events track audited authentication events for users who log in to the database. The User Sessions Report, described in Section 3.3.2.7, uses these events.

Table B-25 lists the Microsoft SQL Server user session source database events and the equivalent Oracle Audit Vault events.

Table B-25 SQL Server User Session Audit Events

Event Name Description	Source Event	Audit Vault Event
`Audit Broker Login`	`BROKER LOGIN:AUTHENTICATION FAILURE` `BROKER LOGIN:LOGIN SUCCESS` `BROKER LOGIN:LOGIN PROTOCOL ERROR` `BROKER LOGIN:MESSAGE FORMAT ERROR` `BROKER LOGIN:NEGOTIATE FAILURE`	`LOGON` `LOGON` `LOGON` `LOGON` `LOGON`
`Audit Database Mirroring Login Event`	`DATABASE MIRRORING LOGIN:LOGIN SUCCESS` `DATABASE MIRRORING LOGIN:LOGIN PROTOCOL ERROR` `DATABASE MIRRORING LOGIN:MESSAGE FORMAT ERROR` `DATABASE MIRRORING LOGIN:NEGOTIATE FAILURE` `DATABASE MIRRORING LOGIN:AUTHENTICATION FAILURE` `DATABASE MIRRORING LOGIN:AUTHORIZATION FAILURE`	`LOGON`
`Audit Database Operation Event`	`DATABASE OPERATION:CHECKPOINT`	`SAVEPOINT`
`Audit Database Principal Impersonation Event`	`DATABASE PRINCIPAL IMPERSONATION`	`IMPERSONATION`
`Audit Login`	`AUDIT LOGIN:LOGIN`	`LOGON`
`Audit Login Event`	`AUDIT LOGIN EVENT:LOGIN`	`LOGON`
`Audit Login Failed`	`AUDIT LOGIN FAILED:LOGIN FAILED`	`LOGON`
`Audit Login Failed Event`	`AUDIT LOGIN FAILED EVENT:LOGIN FAILED`	`LOGON`
`Audit Logout`	`AUDIT LOGOUT:LOGOUT`	`LOGOFF`
`Audit Logout Event`	`AUDIT LOGOUT EVENT:LOGOUT`	`LOGOUT`
`Audit Server Principal Impersonation Event`	`SERVER PRINCIPAL IMPERSONATION`	`IMPERSONATION`
`SQL Transaction`	`SQL TRANSACTION:COMMIT` `SQL TRANSACTION:ROLLBACK` `SQL TRANSACTION:SAVEPOINT`	`COMMIT` `ROLLBACK` `SAVEPOINT`

Table B-26 lists the Microsoft SQL Server user session event attributes.

Table B-26 SQL Server User Session Event Attributes

Attribute Name	Data Type
`ADDL_INFO`	`VARCHAR2(4000)`
`AUTHENTICATION_METHOD`	`VARCHAR2(255)`
`COLUMN_PERMISSIONS`	`NUMBER`
`CONTEXTID`	`VARCHAR2(4000)`
`CPU`	`NUMBER`
`DATABASE_ID`	`NUMBER`
`DATABASE_NAME`	`VARCHAR2(4000)`
`DBUSER_NAME`	`VARCHAR2(4000)`
`DURATION`	`NUMBER`
`END_TIME`	`TIMESTAMP`
`ENDUSER`	`VARCHAR2(4000)`
`EVENT_SEQUENCE`	`NUMBER`
`EVENT_STATUS`	`VARCHAR2(30)`
`EVENT_SUB_CLASS`	`NUMBER`
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`
`GUID`	`NUMBER`
`HOST_IP`	`VARCHAR2(255)`
`HOST_NAME`	`VARCHAR2(255)`
`HOST_TERMINAL`	`VARCHAR2(255)`
`INDEX_ID`	`NUMBER`
`IS_SYSTEM`	`NUMBER`
`LINKED_SERVER_NAME`	`VARCHAR2(4000)`
`LOGIN_SID`	`VARCHAR2(4000)`
`OBJECT_ID`	`NUMBER`
`OBJECT_ID2`	`NUMBER`
`OSUSER_NAME`	`VARCHAR2(4000)`
`OWNER_ID`	`NUMBER`
`PARENT_CONTEXTID`	`VARCHAR2(4000)`
`PRIVILEGES_USED`	`VARCHAR2(4000)`
`PROCESS#`	`NUMBER`
`SERVER_NAME`	`VARCHAR2(4000)`
`SESSION_LOGIN_NAME`	`VARCHAR2(4000)`
`SOURCE_DATABASE_ID`	`NUMBER`
`SOURCE_EVENTID`	`VARCHAR2(255)`
`SUB_CONTEXTID`	`VARCHAR2(4000)`
`TARGET_LOGIN_NAME`	`VARCHAR2(4000)`
`TARGET_LOGIN_SID`	`VARCHAR2(4000)`
`TARGET_OBJECT`	`VARCHAR2(4000)`
`TARGET_OBJECT_TYPE`	`VARCHAR2(4000)`
`TARGET_OWNER`	`VARCHAR2(4000)`
`TEXT_DATA`	`VARCHAR2(4000)`
`THREAD#`	`NUMBER`
`TOOLS_USED`	`VARCHAR2(4000)`
`USERNAME`	`VARCHAR2(4000)`