Topics
SQL Audit Events map server-level, database-level groups of events and individual events. The Audit action items can be individual actions such as SELECT
operations on a Table, or a group of actions such as SERVER_PERMISSION_CHANGE_GROUP
.
SQL Audit Events track the following three categories of Events:
Server Level: These actions include server operations, such as management changes, and logon and logoff operations.
Database Level: These actions include data manipulation languages (DML) and Data Definition Language (DDL).
Audit Level: These actions include actions in the auditing process.
Note:
In the table below the Target Type can be anything from Possible Target Types Values Associated With SQL Audit and Event Log Events.
Table H-1 SQL Audit Events
Source Event | Event Description | Command Class |
---|---|---|
|
Database Role Member Change Group |
|
|
Backup Log |
|
|
Alter Resources |
|
|
Delete |
|
|
Broker Login |
|
|
Logout Group |
|
|
Must Change Password |
|
|
Drop Member |
|
|
Deny |
|
|
Send |
|
|
Select |
|
|
Server Continue |
|
|
Server Operation Group |
|
|
Insert |
|
|
Execute |
|
|
Show Plan |
|
|
Successful Login Group |
|
|
Server Role Member Change Group |
|
|
Alter Trace |
|
|
Credential Map to Login |
|
|
Full Text |
|
|
Trace Audit C2On |
|
|
Bulk Admin |
|
|
Trace Audit C2Off |
|
|
View Server State |
|
|
Schema Object Access Group |
|
|
Alter Connection |
|
|
Alter Settings |
|
|
Alter Server State |
|
|
External Access Assembly |
|
|
Open |
|
|
Audit Shutdown On Failure |
|
|
Audit Session Changed |
|
|
Backup Restore Group |
|
|
Server Object Ownership Change Group |
|
|
Authenticate |
|
|
Database Ownership Change Group |
|
|
References |
|
|
Server Started |
|
|
Database Object Ownership Change Group |
|
|
Schema Object Permission Change Group |
|
|
Impersonate |
|
|
Create |
|
|
Server State Change Group |
|
|
Take Ownership |
|
|
Transfer |
|
|
Change Users Login Auto |
|
|
Add Member |
|
|
View ChangeTracking |
|
|
Login Failed |
|
|
Database Principal Change Group |
|
|
Database Object Change Group |
|
|
Database Mirroring Login Group |
|
|
Alter |
|
|
Password Expiration |
|
|
Update |
|
|
Name Change |
|
|
Logout |
|
|
Login Succeeded |
|
|
Database Change Group |
|
|
Login Change Password Group |
|
|
Reset Own Password |
|
|
Change Users Login |
|
|
Trace Change Group |
|
|
Failed Login Group |
|
|
Trace Audit Stop |
|
|
Revoke |
|
|
Change Own Password |
|
|
Change Login Credential |
|
|
Receive |
|
|
Audit Change Group |
|
|
Change Default Language |
|
|
Change Password |
|
|
Restore |
|
|
Database Mirroring Login |
|
|
Revoke with Cascade |
|
|
Drop |
|
|
Server Object Change Group |
|
|
View Database State |
|
|
Server Principal Change Group |
|
|
Unlock Account |
|
|
Fulltext Group |
|
|
Enable |
|
|
Password Policy |
|
|
Revoke With Grant |
|
|
Database Principal Impersonation Group |
|
|
Reset Password |
|
|
Subscribe Query Notification |
|
|
Server Principal Impersonation Group |
|
|
Application Role Change Password Group |
|
|
Trace Audit Start |
|
|
Database Object Permission Change Group |
|
|
Server Paused |
|
|
Database Operation Group |
|
|
Access |
|
|
Database Permission Change Group |
|
|
Unsafe Assembly |
|
|
Deny with Cascade |
|
|
DBCC Group |
|
|
Broker Login Group |
|
|
Checkpoint |
|
|
Server Shutdown |
|
|
No Credential Map to Login |
|
|
Schema Object Change Group |
|
|
Connect |
|
|
Grant with Grant |
|
|
Change Default Database |
|
|
Disable |
|
|
Schema Object Ownership Change Group |
|
|
Grant |
|
|
Server Permission Change Group |
|
|
Server Object Permission Change Group |
|
|
Database Object Access Group |
|
|
DBCC |
|
|
Backup |
|
|
|
|
|
|
|
|
|
|
See Also:
Possible Target Types Values Associated With SQL Audit and Event Log Events for the Target Type.
Event Log Events help you audit server-level, database-level and individual events. These events consist of zero or more audit action items which can be either a group of actions (DATABASE_MIRRORING_LOGIN_GROUP
) or individual actions (SELECT
or REVOKE
).
The Event Log Events track the following three categories of events.
Server Level: These actions include server operations such as management changes, and logon and logoff operations.
Database Level: These actions include data manipulation (DML) languages and Data Definition Language (DDL).
Audit Level: These actions include actions in the auditing process.
Table H-2 Event Log Events
Source Events | Event Description | Command Class | Target Type |
---|---|---|---|
|
OP Alter Trace: Stop |
|
|
|
OP Alter Trace: Start (Event ID: 19033) |
|
|
|
OP Alter Trace: Start (Event ID: 19034) |
|
|
|
Login Failed: Only Administrators Can Connect At This Time (Event ID: 18450) |
|
|
|
Login Failed: Only Administrators Can Connect At This Time (Event ID: 18451) |
|
|
|
Login Failed: Untrusted Domain |
|
|
|
Login Succeeded: Trusted |
|
|
|
Login Succeeded: Non-Trusted |
|
|
|
Login Succeeded |
|
|
|
Login Failed |
|
|
|
Login Failed: Illegal User Name |
|
|
|
Login Failed: Simultaneous License Limit |
|
|
|
Login Failed: Workstation Licensing Limit |
|
|
|
Login Failed: Simultaneous License Limit |
|
|
|
Login Failed: Server in Single User Mode |
|
|
|
Login Failed: Account Disabled |
|
|
|
Login Failed: Account Locked |
|
|
|
Login Failed: Password Expired |
|
|
|
Login Failed: Password Must Be Changed |
|
|
|
OP Error: Server Shut Down |
|
|
|
OP Error: Mirroring Error |
|
|
|
OP Error: Stack Over Flow |
|
|
|
OP Error: Commit |
|
|
|
OP Error: Rollback |
|
|
|
OP Error: DB Offline |
|
|
|
OP Error: Process Violation |
|
|
|
OP Error: Restore Failed |
|
|
|
OP Error: Recover |
|
|
|
OP Error: .NET Fatal Error |
|
|
|
OP Error: .NET User Code |
|
|
|
Notification Service |
|
|
|
Password Policy Update Successful |
|
|
|
OP Modify: Start |
|
|
|
OP Modify: Stop |
|
|
Target Type values associated with certain audit events can be any from the following list. See the Audit Event tables in this Appendix for references.
Possible Target Types | Class_Type |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AL |
|
|
Undocumented |
AP |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|