This appendix maps audit event names used in the SQL Server database to their equivalent values in the command_class and target_type fields in the Oracle AVDF audit record. The audit events are organized in useful categories, for example, Account Management events. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools. See also "Oracle Audit Vault and Database Firewall Database Schemas" for Oracle AVDF data warehouse details that may be useful in designing your own reports.
Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords.
Table E-1 lists the Microsoft SQL Server account management events and the equivalent Oracle AVDF events.
Table E-1 SQL Server Account Management Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit AddLogin Event |
|
|
|
Audit Database Principal Management Event |
|
Any from List 1 |
|
Audit Login Change Password Event |
|
Any from List 1 |
|
Audit Login Change Property Event |
|
Any from List 1 |
|
Audit Server Object Management Event |
|
|
|
Audit Server Principal Management Event |
|
Any from List 1 Any from List 1 Any from List 1 |
Application management events track actions that were performed on the underlying SQL statements, such as creating objects.
Table E-2 lists the Microsoft SQL Server application management events and the equivalent Oracle AVDF events.
Table E-2 SQL Server Application Management Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Database Object Take Ownership Event |
|
Any from List 1 |
|
Audit Schema Object Take Ownership Event |
|
Any from List 1 |
|
Audit Server Object Take Ownership Event |
|
Any from List 1 |
|
Object:Created Object:Deleted |
|
Any from List 1 |
|
Object:Deleted |
|
Any from List 1 |
Audit command events track the use of audit events, such as altering trace events. Table E-3 lists the Microsoft SQL Server audit command events and the equivalent Oracle AVDF events.
Table E-3 SQL Server Audit Command Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Change Audit Event |
|
Any from List 1 |
|
Audit Server Alter Trace Event |
|
|
|
ExistingConnection |
|
Any from List 1 |
Table E-4 lists the Microsoft SQL Server audit command events that are logged in the Windows Event Viewer.
The data access event tracks SQL transactions. The Data Access Report, described in "Data Access Report", uses these events.
Table E-5 shows the Microsoft SQL Server data access source event and the equivalent Oracle AVDF event.
Exception events track audited error and exception activity, such as background job errors. Table E-6 lists the Microsoft SQL Server exception events and the equivalent Oracle AVDF events.
Table E-6 SQL Server Exception Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Background Job Error |
|
Any from List 1 |
|
Blocked Process Report |
|
Any from List 1 |
Table E-7 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.
Table E-7 SQL Server Exception Events Logged in the Windows Event Viewer
Source Event | Severity | command_class | target_type |
---|---|---|---|
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
|
|
|
Any from List 1 |
Invalid record events track audited activity that Oracle AVDF cannot recognize, possibly due to a corrupted audit record. These events do not have any event names; they only contain event attributes.
Object management events track audited actions performed on database objects, such as altering an object. Table E-8 lists the Microsoft SQL Server object management events and the equivalent Oracle AVDF events.
Table E-8 SQL Server Object Management Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Database Object Access Event |
|
Any from List 1 |
|
Audit Database Object Management Event |
|
Any from List 1 |
|
Audit Database Object Take Ownership Event |
|
Any from List 1 |
|
Audit Database Principal Management Event |
|
Any from List 1 |
|
Audit Schema Object Access Event |
|
Any from List 1 |
|
Audit Schema Object Management Event |
DROP
|
Any from List 1 |
|
Audit Schema Object Take Ownership Event |
|
Any from List 1 |
|
Audit Server Object Take Ownership Event |
|
Any from List 1 |
|
Lock:Deadlock |
|
Any from List 1 |
|
Lock:Deadlock Chain |
|
Any from List 1 |
|
Object:Altered |
|
Any from List 1 |
|
Object:Created |
|
Any from List 1 |
|
Object:Deleted |
|
Any from List 1 |
Peer association events track database link statements. These events do not have any event names; they only contain event attributes.
Role and privilege management events track audited role and privilege management activity, such as granting a user access permission.
Table E-9 lists the Microsoft SQL Server role and privilege management events and the equivalent Oracle AVDF events.
Table E-9 SQL Server Role and Privilege Management Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Add DB User Event |
|
|
|
Audit Add Login to Server Role Event |
|
|
|
Audit Add Member to DB Role Event |
|
|
|
Audit Add Role Event |
|
|
|
Audit App Role Change Password Event |
|
Any from List 1 |
|
Audit Database Object GDR Event |
|
Any from List 1 |
|
Audit Database Principal Management Event |
|
Any from List 1 |
|
Audit Login GDR Event |
|
Any from List 1 |
|
Audit Object Derived Permission Event |
|
Any from List 1 |
|
Audit Schema Object GDR Event |
|
|
|
Audit Object Derived Permission Event |
|
Any from List 1 |
|
Audit Server Object GDR Event |
|
Any from List 1 |
|
Audit Server Scope GDR Event |
|
Any from List 1 |
|
Audit Database Scope GDR Event |
|
Any from List 1 |
|
Audit Statement Permission Event |
|
Any from List 1 |
Service and application utilization events track audited application access activity.
Table E-10 lists the Microsoft SQL Server service and application utilization events and the equivalent Oracle AVDF events.
Table E-10 SQL Server Service and Application Utilization Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Broker Conversation |
|
Any from List 1 |
|
Broker:Message Undeliverable Broker:Message Undeliverable Broker:Corrupted Message |
|
Any from List 1 |
|
Broker:Activation - The activation stored procedure exited with an error. |
|
Any from List 1 |
|
Broker:Queue Disabled |
|
Any from List 1 |
System management events track audited system management activity, such as backup and restore operations. Table E-11 lists the Microsoft SQL Server system management events and the equivalent Oracle AVDF events.
Table E-11 SQL Server System Management Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Add DB User Event |
|
|
|
Audit Backup/Restore Event |
|
Any from List 1 |
|
Audit Change Database Owner |
|
Any from List 1 |
|
Audit Database Management Event |
|
Any from List 1 |
|
Audit Database Object Management Event |
|
Any from List 1 |
|
Audit Database Operation Event |
|
Any from List 1 |
|
Audit Database Principal Management Event |
|
Any from List 1 |
|
Audit DBCC Event |
|
Any from List 1 |
|
Audit Schema Object Management Event |
|
Any from List 1 |
|
Audit Server Object Management Event |
|
Any from List 1 Any from List 1 |
|
Audit Server Operation Event |
UPDATE UPDATE
UPDATE UPDATE |
Any from List 1 |
|
Audit Server Principal Management Event |
|
Any from List 1 |
|
Audit Server Starts and Stops |
|
Any from List 1 |
|
Audit Server Starts and Stops Event |
|
Any from List 1 |
|
Database Mirroring State Change |
UPDATE |
Any from List 1 |
|
Database Mirroring Connection |
|
|
|
Mount Tape |
|
Any from List 1 |
Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations.
Table E-12 Uncategorised Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Attention |
|
Any from List 1 |
|
ErrorLog |
|
Any from List 1 |
|
Exception |
|
Any from List 1 |
|
OLEDB Errors |
|
Any from List 1 |
|
Execution warnings |
|
|
|
Execution warnings |
|
|
|
Sort Warnings |
|
|
|
Sort Warnings |
|
|
|
Missing Column Statistics |
|
Any from List 1 |
|
Missing Join Predicate |
|
Any from List 1 |
|
Server Memory Change |
|
|
|
Server Memory Change |
|
|
|
User Error Message |
|
Any from List 1 |
|
Bitmap Warning |
|
|
|
Trace Start |
|
Any from List 1 |
|
Trace Stop |
|
Any from List 1 |
|
SQL:Stmt Completed Event |
|
Any from List 1 |
|
Audit DBCC Event |
|
Any from List 1 |
|
Audit Server Operation Event |
|
Any from List 1 |
|
Lock:Deadlock Chain |
|
Any from List 1 |
|
User Configurable (Event ID:82) |
|
Any from List 1 |
|
User Configurable (Event ID:83) |
|
Any from List 1 |
|
User Configurable (Event ID:84) |
|
Any from List 1 |
|
User Configurable (Event ID:85) |
|
Any from List 1 |
|
User Configurable (Event ID:86) |
|
Any from List 1 |
|
User Configurable (Event ID:87) |
|
Any from List 1 |
|
User Configurable (Event ID:88) |
|
Any from List 1 |
|
User Configurable (Event ID:89) |
|
Any from List 1 |
|
User Configurable (Event ID:90) |
|
Any from List 1 |
|
User Configurable (Event ID:91) |
|
Any from List 1 |
NOTIFICATION SERVICE |
Notification Service |
RAISE |
|
|
Password Policy |
UPDATE |
|
User session events track audited authentication events for users who log in to the database.
Table E-13 lists the Microsoft SQL Server user session events and the equivalent Oracle AVDF events.
Table E-13 SQL Server User Session Audit Events
Source Event | Event Description | command_class | target_type |
---|---|---|---|
|
Audit Broker Login |
|
Any from List 1 |
|
Audit Database Mirroring Login Event |
|
Any from List 1 |
|
Audit Database Operation Event |
|
Any from List 1 |
|
Audit Database Principal Impersonation Event |
|
Any from List 1 |
|
Audit Login Audit Login Audit Login Failed Audit Logout Audit Logout Login Failed Event Login Failed Event |
|
Any from List 1
|
|
Audit Server Principal Impersonation Event |
|
Any from List 1 |
|
SQL Transaction |
|
Any from List 1 |
Target Type values associated with certain audit events can be any from the following list. See the Audit Event tables in this Appendix for references.
Possible Target Types |
---|
INDEX |
PROCEDURE |
TRIGGER |
TABLE |
VIEW |
CONSTRAINT |
DEFAULT |
RULE |
DATABASE |
OBJECT |
CATALOG |
SCHEMA |
CREDENTIAL |
EVENT |
FUNCTION |
ROLE |
GROUP |
KEY |
LOGIN |
REMOTE SERVICE BINDING |
NOTIFICATION |
SYNONYM |
SEQUENCE |
END POINT |
QUEUE |
CERTIFICATE |
SERVER |
ASSEMBLY |
PARTITION SCHEME |
USER |
SERVICE BROKER SERVICE CONTRACT |
TYPE |
SERVICE BROKER ROUTE |
STATISTICS |
SERVICE BROKER SERVICE |
CERTIFICATE LOGIN |
QUERY |