E Microsoft SQL Server SQL Trace Audit Events

Topics

About the Microsoft SQL Server Audit Events
Account Management Events
Application Management Events
Audit Command Events
Data Access Events
Exception Events
Invalid Record Events
Object Management Events
Peer Association Events
Role and Privilege Management Events
Service and Application Utilization Events
System Management Events
Unknown or Uncategorized Events
User Session Events
Target Type Values

About the Mic rosoft SQL Server Audit Events

This appendix maps audit event names used in the SQL Server database to their equivalent values in the command_class and target_type fields in the Oracle AVDF audit record. The audit events are organized in useful categories, for example, Account Management events. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools. See also "Oracle Audit Vault and Database Firewall Database Schemas" for Oracle AVDF data warehouse details that may be useful in designing your own reports.

Account Management Events

Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords.

Table E-1 lists the Microsoft SQL Server account management events and the equivalent Oracle AVDF events.

Table E-1 SQL Server Account Management Events

Source Event Event Description command_class target_type

Source Event	Event Description	command_class	target_type
`ADDLOGIN:ADD` `ADDLOGIN:DROP`	Audit AddLogin Event	`CREATE` `DROP`	`USER` `USER`
`DATABASE PRINCIPAL MANAGEMENT:ALTER: USER` `DATABASE PRINCIPAL MANAGEMENT:CREATE: USER` `DATABASE PRINCIPAL MANAGEMENT:DROP: USER`	Audit Database Principal Management Event	`ALTER` `CREATE` `DROP`	Any from List 1
`LOGIN CHANGE PASSWORD:PASSWORD CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE` `LOGIN CHANGE PASSWORD:PASSWORD RESET` `LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD SELF RESET` `LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED`	Audit Login Change Password Event	`ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER`	Any from List 1
`LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED` `LOGIN CHANGE PROPERTY:EXPIRATION CHANGED` `LOGIN CHANGE PROPERTY:NAME CHANGED` `LOGIN CHANGE PROPERTY:POLICY CHANGED`	Audit Login Change Property Event	`ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER`	Any from List 1
`SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED` `SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN`	Audit Server Object Management Event	`ALTER` `ALTER`	`USER` `USER`
`SERVER PRINCIPAL MANAGEMENT:CREATE` `SERVER PRINCIPAL MANAGEMENT:ALTER` `SERVER PRINCIPAL MANAGEMENT:DROP` `SERVER PRINCIPAL MANAGEMENT:DISABLE` `SERVER PRINCIPAL MANAGEMENT:ENABLE`	Audit Server Principal Management Event	`ALTER` `CREATE` `DISABLE` `DROP` `ENABLE`	`USER` `USER` Any from List 1 Any from List 1 Any from List 1

ADDLOGIN:ADD

ADDLOGIN:DROP

Audit AddLogin Event

CREATE

DROP

USER

DATABASE PRINCIPAL MANAGEMENT:ALTER: USER

DATABASE PRINCIPAL MANAGEMENT:CREATE: USER

DATABASE PRINCIPAL MANAGEMENT:DROP: USER

Audit Database Principal Management Event

ALTER

CREATE

DROP

Any from List 1

LOGIN CHANGE PASSWORD:PASSWORD CHANGED

LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE

LOGIN CHANGE PASSWORD:PASSWORD RESET

LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED

LOGIN CHANGE PASSWORD:PASSWORD SELF RESET

LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED

Audit Login Change Password Event

ALTER

Any from List 1

LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED

LOGIN CHANGE PROPERTY:DEFAULT DATABASE

LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED

LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE

LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED

LOGIN CHANGE PROPERTY:EXPIRATION CHANGED

LOGIN CHANGE PROPERTY:NAME CHANGED

LOGIN CHANGE PROPERTY:POLICY CHANGED

Audit Login Change Property Event

ALTER

Any from List 1

SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED

SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN

Audit Server Object Management Event

ALTER

USER

SERVER PRINCIPAL MANAGEMENT:CREATE

SERVER PRINCIPAL MANAGEMENT:ALTER

SERVER PRINCIPAL MANAGEMENT:DROP

SERVER PRINCIPAL MANAGEMENT:DISABLE

SERVER PRINCIPAL MANAGEMENT:ENABLE

Audit Server Principal Management Event

ALTER

CREATE

DISABLE

DROP

ENABLE

USER

Any from List 1

Application Management Events

Application management events track actions that were performed on the underlying SQL statements, such as creating objects.

Table E-2 lists the Microsoft SQL Server application management events and the equivalent Oracle AVDF events.

Table E-2 SQL Server Application Management Audit Events

Source Event	Event Description	command_class	target_type
`DATABASE OBJECT TAKE OWNERSHIP`	Audit Database Object Take Ownership Event	`ALTER`	Any from List 1
`SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: PROCEDURE` `SCHEMA OBJECT TAKE OWNERSHIP: TYPE` `SCHEMA OBJECT TAKE OWNERSHIP: TRIGGER`	Audit Schema Object Take Ownership Event	`ALTER` `ALTER` `ALTER` `ALTER`	Any from List 1
`SERVER OBJECT TAKE OWNERSHIP: OBJECT`	Audit Server Object Take Ownership Event	`ALTER`	Any from List 1
`OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE` `OBJECT:CREATED:BEGIN` `OBJECT:CREATED:COMMIT` `OBJECT:CREATED:ROLLBACK` `OBJECT:DELETED:BEGIN`	Object:Created Object:Deleted	`CREATE` `CREATE` `CREATE` `COMMIT` `ROLLBACK` `DROP`	Any from List 1
`OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:TRIGGER`	Object:Deleted	`DROP` `DROP`	Any from List 1

Audit Command Events

Audit command events track the use of audit events, such as altering trace events. Table E-3 lists the Microsoft SQL Server audit command events and the equivalent Oracle AVDF events.

Table E-3 SQL Server Audit Command Audit Events

Source Event Event Description command_class target_type

Source Event	Event Description	command_class	target_type
`CHANGE:AUDIT STARTED` `CHANGE:AUDIT STOPPED` `CHANGE:C2 MODE ON` `CHANGE:C2 MODE OFF` `CHANGE:AUDIT STOPPED` `CHANGE:NEW AUDIT STARTED`	Audit Change Audit Event	`AUDIT` `NOAUDIT` `AUDIT` `NOAUDIT` `SYSTEM` `SYSTEM`	Any from List 1
`SERVER ALTER TRACE`	Audit Server Alter Trace Event	`ALTER`	`TRACE`
`EXISTINGCONNECTION`	ExistingConnection	`EXISTING`	Any from List 1

CHANGE:AUDIT STARTED

CHANGE:AUDIT STOPPED

CHANGE:C2 MODE ON

CHANGE:C2 MODE OFF

CHANGE:AUDIT STOPPED

CHANGE:NEW AUDIT STARTED

Audit Change Audit Event

AUDIT

NOAUDIT

AUDIT

NOAUDIT

SYSTEM

Any from List 1

SERVER ALTER TRACE

Audit Server Alter Trace Event

ALTER

TRACE

EXISTINGCONNECTION

ExistingConnection

EXISTING

Any from List 1

Table E-4 lists the Microsoft SQL Server audit command events that are logged in the Windows Event Viewer.

Table E-4 SQL Server Audit Command Events Logged in Windows Event Viewer

Source Event	Severity
`OP ALTER TRACE: START`	`10`
`OP ALTER TRACE: STOP`	`10`

Data Access Events

The data access event tracks SQL transactions. The Data Access Report, described in "Data Access Report", uses these events.

Table E-5 shows the Microsoft SQL Server data access source event and the equivalent Oracle AVDF event.

Table E-5 SQL Server Data Access Audit Event

Source Event	Event Description	command_class	target_type
`SQL TRANSACTION:BEGIN`	SQL Transaction	`TRANSACTION MANAGEMENT`	`TRANSACTION`

Exception Events

Exception events track audited error and exception activity, such as background job errors. Table E-6 lists the Microsoft SQL Server exception events and the equivalent Oracle AVDF events.

Table E-6 SQL Server Exception Audit Events

Source Event Event Description command_class target_type

Source Event	Event Description	command_class	target_type
`BACKGROUND JOB ERROR:BACKGROUND JOB GIVING UP AFTER FAILURE` `BACKGROUND JOB ERROR:BACKGROUND JOB DROPPED - QUEUE IS FULL` `BACKGROUND JOB ERROR:BACKGROUND JOB RETURNED AN ERROR`	Background Job Error	`RAISE` `RAISE` `RAISE`	Any from List 1
`BLOCKED PROCESS REPORT`	Blocked Process Report	`RAISE`	Any from List 1

BACKGROUND JOB ERROR:BACKGROUND JOB GIVING UP AFTER FAILURE

BACKGROUND JOB ERROR:BACKGROUND JOB DROPPED - QUEUE IS FULL

BACKGROUND JOB ERROR:BACKGROUND JOB RETURNED AN ERROR

Background Job Error

RAISE

Any from List 1

BLOCKED PROCESS REPORT

Blocked Process Report

RAISE

Any from List 1

Table E-7 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.

Table E-7 SQL Server Exception Events Logged in the Windows Event Viewer

Source Event	Severity	command_class	target_type
`OP ERROR: COMMIT`	`10`	`ERROR`	Any from List 1
`OP ERROR: DB OFFLINE`	`10`	`ERROR`	Any from List 1
`OP ERROR: MIRRORING ERROR`	`16`	`ERROR`	Any from List 1
`OP ERROR: .NET FATAL ERROR`	`16`	`ERROR`	Any from List 1
`OP ERROR: .NET USER CODE`	`16`	`ERROR`	Any from List 1
`OP ERROR: PROCESS VIOLATION`	`16`	`ERROR`	Any from List 1
`OP ERROR: RECOVER`	`21`	`ERROR`	Any from List 1
`OP ERROR: RESTORE FAILED`	`21`	`ERROR`	Any from List 1
`OP ERROR: ROLLBACK`	`10`	`ERROR`	Any from List 1
`OP ERROR: SERVER SHUT DOWN`	`21`	`ERROR`	Any from List 1
`OP ERROR: STACK OVER FLOW`	`16`	`ERROR`	Any from List 1

Invalid Record Events

Invalid record events track audited activity that Oracle AVDF cannot recognize, possibly due to a corrupted audit record. These events do not have any event names; they only contain event attributes.

Object Management Events

Object management events track audited actions performed on database objects, such as altering an object. Table E-8 lists the Microsoft SQL Server object management events and the equivalent Oracle AVDF events.

Table E-8 SQL Server Object Management Audit Events

Source Event	Event Description	command_class	target_type
`DATABASE OBJECT ACCESS`	Audit Database Object Access Event	`ACCESS`	Any from List 1
`DATABASE OBJECT MANAGEMENT:ACCESS`	Audit Database Object Management Event	`ACCESS`	Any from List 1
`DATABASE OBJECT TAKE OWNERSHIP: OBJECT` `DATABASE OBJECT TAKE OWNERSHIP: SCHEMA`	Audit Database Object Take Ownership Event	`ALTER` `ALTER`	Any from List 1
`DATABASE PRINCIPAL MANAGEMENT:CREATE` `DATABASE PRINCIPAL MANAGEMENT:ALTER` `DATABASE PRINCIPAL MANAGEMENT:DROP`	Audit Database Principal Management Event	`CREATE` `ALTER` `DROP`	Any from List 1
`SCHEMA OBJECT ACCESS`	Audit Schema Object Access Event	`ACCESS`	Any from List 1
`SCHEMA OBJECT MANAGEMENT:CREATE` `SCHEMA OBJECT MANAGEMENT:ALTER` `SCHEMA OBJECT MANAGEMENT:DROP` `SCHEMA OBJECT MANAGEMENT:TRANSFER`	Audit Schema Object Management Event	`CREATE` `ALTER` DROP `TRANSFER`	Any from List 1
`SCHEMA OBJECT TAKE OWNERSHIP: INDEX` `SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: TABLE`	Audit Schema Object Take Ownership Event	`ALTER` `ALTER` `ALTER`	Any from List 1
`SERVER OBJECT TAKE OWNERSHIP: OBJECT`	Audit Server Object Take Ownership Event	`ALTER`	Any from List 1
`LOCK:DEADLOCK`	Lock:Deadlock	`DEADLOCK`	Any from List 1
`LOCK:DEADLOCK CHAIN` `LOCK:DEADLOCK CHAIN:RESOURCE TYPE LOCK`	Lock:Deadlock Chain	`DEADLOCK` `DEADLOCK`	Any from List 1
`OBJECT:ALTERED` `OBJECT:ALTERED:COMMIT` `OBJECT:ALTERED:INDEX` `OBJECT:ALTERED:PROCEDURE` `OBJECT:ALTERED:ROLLBACK` `OBJECT:ALTERED:TABLE` `OBJECT:ALTERED:TRIGGER` `OBJECT:ALTERED:TYPE` `OBJECT:ALTERED:BEGIN`	Object:Altered	`ALTER` `COMMIT` `ALTER` `ALTER` `ROLLBACK` `ALTER` `ALTER` `ALTER` `ALTER`	Any from List 1
`OBJECT:CREATED` `OBJECT:CREATED:COMMIT` `OBJECT:CREATED:INDEX` `OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:ROLLBACK` `OBJECT:CREATED:SCHEMA` `OBJECT:CREATED:SYNONYM` `OBJECT:CREATED:TABLE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE` `OBJECT:CREATED:VIEW`	Object:Created	`CREATE` `COMMIT` `CREATE` `CREATE` `ROLLBACK` `CREATE` `CREATE` `CREATE` `CREATE` `CREATE` `CREATE`	Any from List 1
`OBJECT:DELETED` `OBJECT:DELETED:COMMIT` `OBJECT:DELETED:INDEX` `OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:ROLLBACK` `OBJECT:DELETED:SYNONYM` `OBJECT:DELETED:TABLE` `OBJECT:DELETED:TRIGGER` `OBJECT:DELETED:TYPE` `OBJECT:DELETED:VIEW`	Object:Deleted	`DROP` `COMMIT` `DROP` `DROP` `ROLLBACK` `DROP` `DROP` `DROP` `DROP` `DROP`	Any from List 1

Peer Association Events

Peer association events track database link statements. These events do not have any event names; they only contain event attributes.

Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as granting a user access permission.

Table E-9 lists the Microsoft SQL Server role and privilege management events and the equivalent Oracle AVDF events.

Table E-9 SQL Server Role and Privilege Management Audit Events

Source Event	Event Description	command_class	target_type
`ADD DB USER:ADD` `ADD DB USER:DROP` `ADD DB USER:GRANT DATABASE ACCESS` `ADD DB USER:GRANTDBACCESS` `ADD DB USER:REVOKE DATABASE ACCESS` `ADD DB USER:REVOKEDBACCESS`	Audit Add DB User Event	`ALTER` `ALTER` `GRANT` `GRANT` `REVOKE` `REVOKE`	`DATABASE` `DATABASE` `ROLE` `ROLE` `ROLE` `ROLE`
`ADD LOGIN TO SERVER ROLE:ADD` `ADD LOGIN TO SERVER ROLE:DROP`	Audit Add Login to Server Role Event	`GRANT` `REVOKE`	`ROLE` `ROLE`
`ADD MEMBER TO DB ROLE:ADD` `ADD MEMBER TO DB ROLE:CHANGE GROUP` `ADD MEMBER TO DB ROLE:DROP`	Audit Add Member to DB Role Event	`GRANT` `ALTER` `REVOKE`	`ROLE` `ROLE` `ROLE`
`ADD ROLE:ADD` `ADD ROLE:DROP`	Audit Add Role Event	`CREATE` `DROP`	`ROLE` `ROLE`
`APP ROLE CHANGE PASSWORD`	Audit App Role Change Password Event	`ALTER`	Any from List 1
`DATABASE OBJECT GDR:DENY` `DATABASE OBJECT GDR:GRANT` `DATABASE OBJECT GDR:REVOKE`	Audit Database Object GDR Event	`ALTER` `ALTER` `ALTER`	Any from List 1
`DATABASE PRINCIPAL MANAGEMENT:ALTER: ROLE` `DATABASE PRINCIPAL MANAGEMENT:CREATE: ROLE` `DATABASE PRINCIPAL MANAGEMENT:DROP: ROLE`	Audit Database Principal Management Event	`ALTER` `CREATE` `DROP`	Any from List 1
`LOGIN GDR:DENY` `LOGIN GDR:GRANT` `LOGIN GDR:REVOKE`	Audit Login GDR Event	`DENY` `GRANT` `REVOKE`	Any from List 1
`OBJECT DERIVED PERMISSION:CREATE` `OBJECT DERIVED PERMISSION:ALTER` `OBJECT DERIVED PERMISSION:DROP` `OBJECT DERIVED PERMISSION:DUMP` `OBJECT DERIVED PERMISSION:LOAD`	Audit Object Derived Permission Event	`CREATE` `ALTER` `DROP` `BACKUP` `RESTORE`	Any from List 1
`SCHEMA OBJECT GDR:GRANT` `SCHEMA OBJECT GDR:REVOKE` `SCHEMA OBJECT GDR:DENY`	Audit Schema Object GDR Event	`GRANT` `REVOKE` `DENY`	`OBJECT` `OBJECT` `OBJECT`
`OBJECT PERMISSION`	Audit Object Derived Permission Event	`CHECK`	Any from List 1
`SERVER OBJECT GDR:GRANT` `SERVER OBJECT GDR:REVOKE` `SERVER OBJECT GDR:DENY`	Audit Server Object GDR Event	`ALTER` `ALTER` `ALTER`	Any from List 1
`SERVER SCOPE GDR:DENY` `SERVER SCOPE GDR:GRANT` `SERVER SCOPE GDR:REVOKE`	Audit Server Scope GDR Event	`DENY` `GRANT` `REVOKE`	Any from List 1
`DATABASE SCOPE GDR:GRANT` `STATEMENT GDR:REVOKE` `STATEMENT GDR:DENY`	Audit Database Scope GDR Event	`GRANT` `REVOKE` `DENY`	Any from List 1
`STATEMENT PERMISSION`	Audit Statement Permission Event	`VALIDATE`	Any from List 1

Service and Application Utilization Events

Service and application utilization events track audited application access activity.

Table E-10 lists the Microsoft SQL Server service and application utilization events and the equivalent Oracle AVDF events.

Table E-10 SQL Server Service and Application Utilization Audit Events

Source Event	Event Description	command_class	target_type
`BROKER CONVERSATION:INVALID SIGNATURE` `BROKER CONVERSATION:NO CERTIFICATE` `BROKER CONVERSATION:NO SECURITY HEADER` `BROKER CONVERSATION:RUN AS TARGET FAILURE`	Audit Broker Conversation	`EXECUTE`	Any from List 1
`BROKER:MESSAGE UNDELIVERABLE:SEQUENCED` `BROKER:MESSAGE UNDELIVERABLE:UNSEQUENCED` `BROKER:MESSAGE UNDELIVERABLE:CORRUPTED MESSAGE`	Broker:Message Undeliverable Broker:Message Undeliverable Broker:Corrupted Message	`TRANSACTION MANAGEMENT` `TRANSACTION MANAGEMENT` `RECEIVE`	`MESSAGE` `MESSAGE` Any from List 1
`BROKER:ACTIVATION:ABORTED`	Broker:Activation - The activation stored procedure exited with an error.	`ABORT`	Any from List 1
`BROKER:QUEUE DISABLED`	Broker:Queue Disabled	`DISABLE`	Any from List 1

System Management Events

System management events track audited system management activity, such as backup and restore operations. Table E-11 lists the Microsoft SQL Server system management events and the equivalent Oracle AVDF events.

Table E-11 SQL Server System Management Audit Events

Source Event	Event Description	command_class	target_type
`ADD DB USER:ADD` `ADD DB USER:DROP` `ADD DB USER:SP_ADDUSER` `ADD DB USER:SP_DROPUSER`	Audit Add DB User Event	`ALTER` `ALTER` `ALTER` `ALTER`	`DATABASE` `DATABASE` `DATABASE` `DATABASE`
`BACKUP/RESTORE:BACKUP` `BACKUP/RESTORE:BACKUPLOG` `BACKUP/RESTORE:RESTORE`	Audit Backup/Restore Event	`BACKUP` `BACKUP` `RESTORE`	Any from List 1
`CHANGE DATABASE OWNER`	Audit Change Database Owner	`ALTER`	Any from List 1
`DATABASE MANAGEMENT:ALTER` `DATABASE MANAGEMENT:CREATE` `DATABASE MANAGEMENT:DROP` `DATABASE MANAGEMENT:DUMP` `DATABASE MANAGEMENT:LOAD`	Audit Database Management Event	`ALTER` `CREATE` `DROP` `BACKUP` `RESTORE`	Any from List 1
`DATABASE OBJECT MANAGEMENT:ALTER` `DATABASE OBJECT MANAGEMENT:CREATE` `DATABASE OBJECT MANAGEMENT:DROP` `DATABASE OBJECT MANAGEMENT:DUMP` `DATABASE OBJECT MANAGEMENT:LOAD` `DATABASE OBJECT MANAGEMENT:OPEN`	Audit Database Object Management Event	`ALTER` `ALTER` `ALTER` `BACKUP` `RESTORE` `ALTER`	Any from List 1
`DATABASE OPERATION:SUBSCRIBE TO QUERY NOTIFICATION`	Audit Database Operation Event	`SUBSCRIBE`	Any from List 1
`DATABASE PRINCIPAL MANAGEMENT:DUMP` `DATABASE PRINCIPAL MANAGEMENT:LOAD`	Audit Database Principal Management Event	`BACKUP` `RESTORE`	Any from List 1
`DB CONSISTENCY CHECK`	Audit DBCC Event	`VERIFY`	Any from List 1
`SCHEMA OBJECT MANAGEMENT:DUMP` `SCHEMA OBJECT MANAGEMENT:LOAD`	Audit Schema Object Management Event	`BACKUP` `RESTORE`	Any from List 1
`SERVER OBJECT MANAGEMENT:CREATE` `SERVER OBJECT MANAGEMENT:ALTER` `SERVER OBJECT MANAGEMENT:DROP` `SERVER OBJECT MANAGEMENT:DUMP` `SERVER OBJECT MANAGEMENT:LOAD`	Audit Server Object Management Event	`ALTER` `ALTER` `ALTER` `BACKUP` `RESTORE`	`SYSTEM` `SYSTEM` `SYSTEM` Any from List 1 Any from List 1
`SERVER OPERATION:ADMINISTER BULK OPERATIONS` `SERVER OPERATION:ALTER RESOURCES` `SERVER OPERATION:ALTER SERVER STATE` `SERVER OPERATION:ALTER SETTINGS` `SERVER OPERATION:AUTHENTICATE` `SERVER OPERATION:EXTERNAL ACCESS`	Audit Server Operation Event	`UPDATE` UPDATE UPDATE `UPDATE` UPDATE UPDATE	Any from List 1
`SERVER PRINCIPAL MANAGEMENT:DUMP: USER` `SERVER PRINCIPAL MANAGEMENT:LOAD: USER`	Audit Server Principal Management Event	`BACKUP` `RESTORE`	Any from List 1
`SERVER STARTS AND STOPS:SHUTDOWN` `SERVER STARTS AND STOPS:STARTED` `SERVER STARTS AND STOPS:PAUSED` `SERVER STARTS AND STOPS:CONTINUE`	Audit Server Starts and Stops	`STOP` `START` `SUSPEND` `RESUME`	Any from List 1
`SERVER STARTS AND STOPS:INSTANCE CONTINUED` `SERVER STARTS AND STOPS:INSTANCE PAUSE` `SERVER STARTS AND STOPS:INSTANCE SHUTDOWN` `SERVER STARTS AND STOPS:INSTANCE STARTED`	Audit Server Starts and Stops Event	`RESUME` `SUSPEND` `SHUTDOWN` `STARTUP`	Any from List 1
`DATABASE MIRRORING STATE CHANGE`	Database Mirroring State Change	UPDATE	Any from List 1
`DATABASE MIRRORING CONNECTION:CONNECTING` `DATABASE MIRRORING CONNECTION:CONNECTED` `DATABASE MIRRORING CONNECTION:CONNECT FAILED` `DATABASE MIRRORING CONNECTION:CLOSING` `DATABASE MIRRORING CONNECTION:CLOSED` `DATABASE MIRRORING CONNECTION:ACCEPT` `DATABASE MIRRORING CONNECTION:SEND IO ERROR` `DATABASE MIRRORING CONNECTION:RECEIVE IO ERROR`	Database Mirroring Connection	`CONNECT` `CONNECT` `INVALID` `CLOSE` `CLOSE` `ACCEPT` `RAISE` `RECEIVE`	`DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE`
`MOUNT TAPE:TAPE MOUNT CANCELLED` `MOUNT TAPE:TAPE MOUNT COMPLETE` `MOUNT TAPE:TAPE MOUNT REQUEST`	Mount Tape	`MOUNT` `MOUNT` `MOUNT`	Any from List 1

Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations.

Table E-12 Uncategorised Events

Source Event	Event Description	command_class	target_type
`ATTENTION`	Attention	`RAISE`	Any from List 1
`ERROR LOG`	ErrorLog	`WRITE`	Any from List 1
`EXCEPTION`	Exception	`RAISE`	Any from List 1
`OLEDB ERRORS`	OLEDB Errors	`RAISE`	Any from List 1
`EXECUTION WARNINGS:QUERY WAIT`	Execution warnings	`WAIT`	`QUERY`
`EXECUTION WARNINGS:QUERY TIMEOUT`	Execution warnings	`DML`	`QUERY`
`SORT WARNINGS:SINGLE PASS`	Sort Warnings	`ACCESS`	`QUERY`
`SORT WARNINGS:MULTIPLE PASS`	Sort Warnings	`ACCESS`	`QUERY`
`MISSING COLUMN STATISTICS`	Missing Column Statistics	`ACCESS`	Any from List 1
`MISSING JOIN PREDICATE`	Missing Join Predicate	`ACCESS`	Any from List 1
`SERVER MEMORY CHANGE:INCREASE`	Server Memory Change	`UPDATE`	`MEMORY`
`SERVER MEMORY CHANGE:DECREASE`	Server Memory Change	`UPDATE`	`MEMORY`
`USER ERROR MESSAGE`	User Error Message	`RAISE`	Any from List 1
`BITMAP WARNING:DISABLED`	Bitmap Warning	`RAISE`	`WARNING`
`TRACE START`	Trace Start	`START`	Any from List 1
`TRACE STOP`	Trace Stop	`STOP`	Any from List 1
`SQL:STMTCOMPLETED`	SQL:Stmt Completed Event	`EXECUTE`	Any from List 1
`DBCC`	Audit DBCC Event	`EXECUTE`	Any from List 1
`SERVER OPERATION:ALTER SERVER STATE`	Audit Server Operation Event	`UPDATE`	Any from List 1
`LOCK:DEADLOCK CHAIN:RESOURCE TYPE LOCK`	Lock:Deadlock Chain	`DEADLOCK`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:82)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:83)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:84)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:85)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:86)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:87)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:88)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:89)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:90)	`CONFIGURE`	Any from List 1
`USER CONFIGURABLE`	User Configurable (Event ID:91)	`CONFIGURE`	Any from List 1
NOTIFICATION SERVICE	Notification Service	RAISE	`DATABASE`
`PASSWORD POLICY`	Password Policy	UPDATE	`POLICY`

User Session Events

User session events track audited authentication events for users who log in to the database.

Table E-13 lists the Microsoft SQL Server user session events and the equivalent Oracle AVDF events.

Table E-13 SQL Server User Session Audit Events

Source Event	Event Description	command_class	target_type
`BROKER LOGIN:AUTHENTICATION FAILURE` `BROKER LOGIN:LOGIN SUCCESS` `BROKER LOGIN:LOGIN PROTOCOL ERROR` `BROKER LOGIN:MESSAGE FORMAT ERROR` `BROKER LOGIN:NEGOTIATE FAILURE`	Audit Broker Login	`LOGIN` `LOGIN` `LOGIN` `LOGIN` `LOGIN`	Any from List 1
`DATABASE MIRRORING LOGIN:LOGIN SUCCESS` `DATABASE MIRRORING LOGIN:LOGIN PROTOCOL ERROR` `DATABASE MIRRORING LOGIN:MESSAGE FORMAT ERROR` `DATABASE MIRRORING LOGIN:NEGOTIATE FAILURE` `DATABASE MIRRORING LOGIN:AUTHENTICATION FAILURE` `DATABASE MIRRORING LOGIN:AUTHORIZATION FAILURE`	Audit Database Mirroring Login Event	`LOGIN`	Any from List 1
`DATABASE OPERATION:CHECKPOINT`	Audit Database Operation Event	`SAVEPOINT`	Any from List 1
`DATABASE PRINCIPAL IMPERSONATION`	Audit Database Principal Impersonation Event	`IMPERSONATION`	Any from List 1
`LOGIN:NONPOOLED` `LOGIN:POOLED` `LOGIN:FAILED` `LOGOUT:NONPOOLED` `LOGOUT:POOLED` `LOGIN FAILED:NONPOOLED` `LOGIN FAILED:POOLED`	Audit Login Audit Login Audit Login Failed Audit Logout Audit Logout Login Failed Event Login Failed Event	`LOGIN` `LOGIN` `LOGIN` `LOGOUT` `LOGOUT` `LOGIN` `LOGIN`	`USER` `USER` Any from List 1 `USER` `USER` `USER` `USER`
`SERVER PRINCIPAL IMPERSONATION`	Audit Server Principal Impersonation Event	`IMPERSONATION`	Any from List 1
`SQL TRANSACTION:COMMIT` `SQL TRANSACTION:ROLLBACK` `SQL TRANSACTION:SAVEPOINT`	SQL Transaction	`COMMIT` `ROLLBACK` `SAVEPOINT`	Any from List 1

Target Type Values

Target Type values associated with certain audit events can be any from the following list. See the Audit Event tables in this Appendix for references.

List 1

Possible Target Types
`INDEX`
`PROCEDURE`
`TRIGGER`
`TABLE`
`VIEW`
`CONSTRAINT`
`DEFAULT`
`RULE`
`DATABASE`
`OBJECT`
`CATALOG`
`SCHEMA`
`CREDENTIAL`
`EVENT`
`FUNCTION`
`ROLE`
`GROUP`
`KEY`
`LOGIN`
`REMOTE SERVICE BINDING`
`NOTIFICATION`
`SYNONYM`
`SEQUENCE`
`END POINT`
`QUEUE`
`CERTIFICATE`
`SERVER`
`ASSEMBLY`
`PARTITION SCHEME`
`USER`
`SERVICE BROKER SERVICE CONTRACT`
`TYPE`
`SERVICE BROKER ROUTE`
`STATISTICS`
`SERVICE BROKER SERVICE`
`CERTIFICATE LOGIN`
`QUERY`

E Microsoft SQL Server SQL Trace Audit Events

About the Microsoft SQL Server Audit Events

Account Management Events

Application Management Events

Audit Command Events

Data Access Events

Exception Events

Invalid Record Events

Object Management Events

Peer Association Events

Role and Privilege Management Events

Service and Application Utilization Events

System Management Events

Unknown or Uncategorized Events

User Session Events

Target Type Values

List 1

About the Mic rosoft SQL Server Audit Events