SQL Audit Events map server-level, database-level groups of events and individual events. The Audit action items can be individual actions such as SELECT operations on a Table, or a group of actions such as SERVER_PERMISSION_CHANGE_GROUP.
SQL Audit Events track the following three categories of Events:
Server Level: These actions include server operations, such as management changes, and logon and logoff operations.
Database Level: These actions include data manipulation languages (DML) and Data Definition Language (DDL).
Audit Level: These actions include actions in the auditing process.
| Source Event | Event Description | command_class | target_type |
|---|---|---|---|
|
|
Database Role Member Change Group |
|
Any from List 1 |
|
|
Backup Log |
|
Any from List 1 |
|
|
Alter Resources |
|
Any from List 1 |
|
|
Delete |
|
Any from List 1 |
|
|
Broker Login |
|
Any from List 1 |
|
|
Logout Group |
|
Any from List 1 |
|
|
Must Change Password |
|
Any from List 1 |
|
|
Drop Member |
|
Any from List 1 |
|
|
Deny |
|
Any from List 1 |
|
|
Send |
|
Any from List 1 |
|
|
Select |
|
Any from List 1 |
|
|
Server Continue |
|
Any from List 1 |
|
|
Server Operation Group |
|
Any from List 1 |
|
|
Insert |
|
Any from List 1 |
|
|
Execute |
|
Any from List 1 |
|
|
Show Plan |
|
Any from List 1 |
|
|
Successful Login Group |
|
Any from List 1 |
|
|
Server Role Member Change Group |
|
Any from List 1 |
|
|
Alter Trace |
|
Any from List 1 |
|
|
Credential Map to Login |
|
Any from List 1 |
|
|
Full Text |
|
Any from List 1 |
|
|
Trace Audit C2On |
|
Any from List 1 |
|
|
Bulk Admin |
|
Any from List 1 |
|
|
Trace Audit C2Off |
|
Any from List 1 |
|
|
View Server State |
|
Any from List 1 |
|
|
Schema Object Access Group |
|
Any from List 1 |
|
|
Alter Connection |
|
Any from List 1 |
|
|
Alter Settings |
|
Any from List 1 |
|
|
Alter Server State |
|
Any from List 1 |
|
|
External Access Assembly |
|
Any from List 1 |
|
|
Open |
|
Any from List 1 |
|
|
Audit Shutdown On Failure |
|
Any from List 1 |
|
|
Audit Session Changed |
|
Any from List 1 |
|
|
Backup Restore Group |
|
Any from List 1 |
|
|
Server Object Ownership Change Group |
|
Any from List 1 |
|
|
Authenticate |
|
Any from List 1 |
|
|
Database Ownership Change Group |
|
Any from List 1 |
|
|
References |
|
Any from List 1 |
|
|
Server Started |
|
Any from List 1 |
|
|
Database Object Ownership Change Group |
|
Any from List 1 |
|
|
Schema Object Permission Change Group |
|
Any from List 1 |
|
|
Impersonate |
|
Any from List 1 |
|
|
Create |
|
Any from List 1 |
|
|
Server State Change Group |
|
Any from List 1 |
|
|
Take Ownership |
|
Any from List 1 |
|
|
Transfer |
|
Any from List 1 |
|
|
Change Users Login Auto |
|
Any from List 1 |
|
|
Add Member |
|
Any from List 1 |
|
|
View ChangeTracking |
|
Any from List 1 |
|
|
Login Failed |
|
Any from List 1 |
|
|
Database Principal Change Group |
|
Any from List 1 |
|
|
Database Object Change Group |
|
Any from List 1 |
|
|
Database Mirroring Login Group |
|
Any from List 1 |
|
|
Alter |
|
Any from List 1 |
|
|
Password Expiration |
|
Any from List 1 |
|
|
Update |
|
Any from List 1 |
|
|
Name Change |
|
Any from List 1 |
|
|
Logout |
|
Any from List 1 |
|
|
Login Succeeded |
|
Any from List 1 |
|
|
Database Change Group |
|
Any from List 1 |
|
|
Login Change Password Group |
|
Any from List 1 |
|
|
Reset Own Password |
|
Any from List 1 |
|
|
Change Users Login |
|
Any from List 1 |
|
|
Trace Change Group |
|
Any from List 1 |
|
|
Failed Login Group |
|
Any from List 1 |
|
|
Trace Audit Stop |
|
Any from List 1 |
|
|
Revoke |
|
Any from List 1 |
|
|
Change Own Password |
|
Any from List 1 |
|
|
Change Login Credential |
|
Any from List 1 |
|
|
Receive |
|
Any from List 1 |
|
|
Audit Change Group |
|
Any from List 1 |
|
|
Change Default Language |
|
Any from List 1 |
|
|
Change Password |
|
Any from List 1 |
|
|
Restore |
|
Any from List 1 |
|
|
Database Mirroring Login |
|
Any from List 1 |
|
|
Revoke with Cascade |
|
Any from List 1 |
|
|
Drop |
|
Any from List 1 |
|
|
Server Object Change Group |
|
Any from List 1 |
|
|
View Database State |
|
Any from List 1 |
|
|
Server Principal Change Group |
|
Any from List 1 |
|
|
Unlock Account |
|
Any from List 1 |
|
|
Fulltext Group |
|
Any from List 1 |
|
|
Enable |
|
Any from List 1 |
|
|
Password Policy |
|
Any from List 1 |
|
|
Revoke With Grant |
|
Any from List 1 |
|
|
Database Principal Impersonation Group |
|
Any from List 1 |
|
|
Reset Password |
|
Any from List 1 |
|
|
Subscribe Query Notification |
|
Any from List 1 |
|
|
Server Principal Impersonation Group |
|
Any from List 1 |
|
|
Application Role Change Password Group |
|
Any from List 1 |
|
|
Trace Audit Start |
|
Any from List 1 |
|
|
Database Object Permission Change Group |
|
Any from List 1 |
|
|
Server Paused |
|
Any from List 1 |
|
|
Database Operation Group |
|
Any from List 1 |
|
|
Access |
|
Any from List 1 |
|
|
Database Permission Change Group |
|
Any from List 1 |
|
|
Unsafe Assembly |
|
Any from List 1 |
|
|
Deny with Cascade |
|
Any from List 1 |
|
|
DBCC Group |
|
Any from List 1 |
|
|
Broker Login Group |
|
Any from List 1 |
|
|
Checkpoint |
|
Any from List 1 |
|
|
Server Shutdown |
|
Any from List 1 |
|
|
No Credential Map to Login |
|
Any from List 1 |
|
|
Schema Object Change Group |
|
Any from List 1 |
|
|
Connect |
|
Any from List 1 |
|
|
Grant with Grant |
|
Any from List 1 |
|
|
Change Default Database |
|
Any from List 1 |
|
|
Disable |
|
Any from List 1 |
|
|
Schema Object Ownership Change Group |
|
Any from List 1 |
|
|
Grant |
|
Any from List 1 |
|
|
Server Permission Change Group |
|
Any from List 1 |
|
|
Server Object Permission Change Group |
|
Any from List 1 |
|
|
Database Object Access Group |
|
Any from List 1 |
|
|
DBCC |
|
Any from List 1 |
|
|
Backup |
|
Any from List 1 |
Event Log Events help you audit server-level, database-level and individual events. These events consist of zero or more audit action items which can be either a group of actions (DATABASE_MIRRORING_LOGIN_GROUP) or individual actions (SELECT or REVOKE).
The Event Log Events track the following three categories of events.
Server Level: These actions include server operations such as management changes, and logon and logoff operations.
Database Level: These actions include data manipulation (DML) languages and Data Definition Language (DDL).
Audit Level: These actions include actions in the auditing process.
| Source Events | Event Description | command_class | target_types |
|---|---|---|---|
|
|
OP Alter Trace: Stop |
|
|
|
|
OP Alter Trace: Start (Event ID: 19033) |
|
|
|
|
OP Alter Trace: Start (Event ID: 19034) |
|
|
|
|
Login Failed: Only Administrators Can Connect At This Time (Event ID: 18450) |
|
|
|
|
Login Failed: Only Administrators Can Connect At This Time (Event ID: 18451) |
|
|
|
|
Login Failed: Untrusted Domain |
|
|
|
|
Login Succeeded: Trusted |
|
|
|
|
Login Succeeded: Non-Trusted |
|
|
|
|
Login Succeeded |
|
|
|
|
Login Failed |
|
|
|
|
Login Failed: Illegal User Name |
|
|
|
|
Login Failed: Simultaneous License Limit |
|
|
|
|
Login Failed: Workstation Licensing Limit |
|
|
|
|
Login Failed: Simultaneous License Limit |
|
|
|
|
Login Failed: Server in Single User Mode |
|
|
|
|
Login Failed: Account Disabled |
|
|
|
|
Login Failed: Account Locked |
|
|
|
|
Login Failed: Password Expired |
|
|
|
|
Login Failed: Password Must Be Changed |
|
|
|
|
OP Error: Server Shut Down |
|
|
|
|
OP Error: Mirroring Error |
|
|
|
|
OP Error: Stack Over Flow |
|
|
|
|
OP Error: Commit |
|
|
|
|
OP Error: Rollback |
|
|
|
|
OP Error: DB Offline |
|
|
|
|
OP Error: Process Violation |
|
|
|
|
OP Error: Restore Failed |
|
|
|
|
OP Error: Recover |
|
|
|
|
OP Error: .NET Fatal Error |
|
|
|
|
OP Error: .NET User Code |
|
|
|
|
Notification Service |
|
|
|
|
Password Policy Update Successful |
|
|
|
|
OP Modify: Start |
|
|
|
|
OP Modify: Stop |
|
|
Target Type values associated with certain audit events can be any from the following list. See the Audit Event tables in this Appendix for references.
| Possible Target Types | Class_Type |
|---|---|
CONSTRAINT |
F |
DATABASE |
DT |
DATABASE |
DN |
KEY |
DK |
CONSTRAINT |
UQ |
USER |
US |
CATALOG |
FC |
ENDPOINT |
EP |
NOTIFICATION |
EN |
VIEW |
V |
TYPE |
TY |
TREE |
XR |
FUNCTION |
FS |
FUNCTION |
FT |
FUNCTION |
FN |
STOPLIST |
FL |
USER |
WU |
GROUP |
WG |
USER |
WL |
STORED PROCEDURE |
X |
USER |
GU |
RESOURCE |
RG |
FILTER |
RF |
ROLE |
RL |
TABLE |
S |
ASSEMBLY |
AS |
ROLE |
AR |
QUERY |
AQ |
USER |
AU |
CONSTRAINT |
C |
QUERY |
PQ |
BROKER PRIORITY |
PR |
PARTITION |
PS |
AGGREGATE |
AF |
KEY |
AK |
USER |
AL |
RULE |
R |
| Undocumented | AP |
FUNCTION |
TF |
DEFAULT |
D |
TRIGGER |
TR |
USER |
SU |
SERVICE |
SV |
STATISTICS |
ST |
SCHEMA |
SX |
SERVICE |
BN |
TABLE |
U |
ASSEMBLY |
TA |
SERVER |
SD |
SCHEMA |
SC |
SESSION |
SE |
ROLE |
SG |
USER |
CU |
CONTRACT |
CT |
USER |
SL |
DATABASE |
DB |
KEY |
SK |
AUDIT SPECIFICATION |
DA |
SYNONYM |
SN |
SERVER |
SR |
QUEUE |
SQ |
ROUTE |
RT |
CREDENTIAL |
CD |
CERTIFICATE |
CR |
SERVER |
CO |
PROVIDER |
CP |
SERVER |
T |
AUDIT SPECIFICATION |
SA |
USER |
CL |
USER |
LX |
KEY |
MK |
MESSAGE |
MT |
OBJECT |
ON |
OBJECT |
OB |
STORED PROCEDURE |
P |
PRIMARY KEY |
PK |
FUNCTION |
PF |
ASSEMBLY |
PC |
SERVER AUDIT |
A |
FUNCTION |
IF |
FUNCTION |
IS |
TABLE |
IT |
INDEX |
IX |