This appendix maps audit event names used in the SQL Server database to their equivalent values in the command_class and target_type fields in the Oracle Audit Vault and Database Firewall audit record. The audit events are organized in useful categories, for example, Account Management events. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools.
See Also:
Oracle Audit Vault and Database Firewall Database Schemas for Oracle Audit Vault and Database Firewall data warehouse details that may be useful in designing your own reports.
Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords.
Table G-1 lists the Microsoft SQL Server account management events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-1 Microsoft SQL Server Account Management Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit AddLogin Event | | |
| | Audit Database Principal Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Login Change Password Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Login Change Property Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Object Management Event | | |
| | Audit Server Principal Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
Application management events track actions that were performed on the underlying SQL statements, such as creating objects.
Table G-2 lists the Microsoft SQL Server application management events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-2 SQL Server Application Management Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Database Object Take Ownership Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Schema Object Take Ownership Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Object Take Ownership Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Object:Created Object:Deleted | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Object:Deleted | | Any possible target type values associated with certain SQL Trace Audit Events. |
Audit command events track the use of audit events, such as altering trace events. Table G-3 lists the Microsoft SQL Server audit command events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-3 SQL Server Audit Command Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Change Audit Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Alter Trace Event | | |
| | ExistingConnection | | Any possible target type values associated with certain SQL Trace Audit Events. |
Table G-4 lists the Microsoft SQL Server audit command events that are logged in the Windows Event Viewer.
Table G-4 SQL Server Audit Command Events Logged in Windows Event Viewer
| Source Event | Severity |
|---|---|
| | |
| | |
The data access event tracks SQL transactions. The Data Access Report uses these events.
Table G-5 shows the Microsoft SQL Server data access source event and the equivalent Oracle Audit Vault and Database Firewall event.
Table G-5 SQL Server Data Access Audit Event
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | SQL Transaction | | |
| | SQL transaction batch completed | | DATABASE |
| | SQL transaction batch completed | | DATABASE |
Exception events track audited error and exception activity, such as background job errors. Table G-6 lists the Microsoft SQL Server exception events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-6 SQL Server Exception Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Background Job Error | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Blocked Process Report | | Any possible target type values associated with certain SQL Trace Audit Events. |
Table G-7 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.
Table G-7 SQL Server Exception Events Logged in the Windows Event Viewer
| Source Event | Severity | command_class | target_type |
|---|---|---|---|
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | | | Any possible target type values associated with certain SQL Trace Audit Events. |
Invalid record events track audited activity that Oracle AVDF cannot recognize, possibly due to a corrupted audit record. These events do not have any event names; they only contain event attributes.
Object management events track audited actions performed on database objects, such as altering an object. Table G-8 lists the Microsoft SQL Server object management events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-8 SQL Server Object Management Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Database Object Access Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Object Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Object Take Ownership Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Principal Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Schema Object Access Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Schema Object Management Event | DROP | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Schema Object Take Ownership Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Object Take Ownership Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Lock:Deadlock | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Lock:Deadlock Chain | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Object:Altered | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Object:Created | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Object:Deleted | | Any possible target type values associated with certain SQL Trace Audit Events. |
Peer association events track database link statements. These events do not have any event names; they only contain event attributes.
Role and privilege management events track audited role and privilege management activity, such as granting a user access permission.
Table G-9 lists the Microsoft SQL Server role and privilege management events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-9 SQL Server Role and Privilege Management Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Add DB User Event | | |
| | Audit Add Login to Server Role Event | | |
| | Audit Add Member to DB Role Event | | |
| | Audit Add Role Event | | |
| | Audit App Role Change Password Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Object GDR Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Principal Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Login GDR Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Object Derived Permission Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Schema Object GDR Event | | |
| | Audit Object Derived Permission Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Object GDR Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Scope GDR Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Scope GDR Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Statement Permission Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
Service and application utilization events track audited application access activity.
Table G-10 lists the Microsoft SQL Server service and application utilization events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-10 SQL Server Service and Application Utilization Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Broker Conversation | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Broker:Message Undeliverable Broker:Message Undeliverable Broker:Corrupted Message | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Broker:Activation - The activation stored procedure exited with an error. | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Broker:Queue Disabled | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Remote procedure call | | DATABASE |
| | Remote procedure call | | DATABASE |
System management events track audited system management activity, such as backup and restore operations. Table G-11 lists the Microsoft SQL Server system management events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-11 SQL Server System Management Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Add DB User Event | | |
| | Audit Backup/Restore Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Change Database Owner | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Object Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Operation Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Principal Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit DBCC Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Schema Object Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Object Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Operation Event | UPDATE UPDATE UPDATE UPDATE | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Principal Management Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Starts and Stops | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Starts and Stops Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Database Mirroring State Change | UPDATE | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Database Mirroring Connection | | |
| | Mount Tape | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | DB Bulk administration | | |
Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations.
Table G-12 Uncategorised Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Attention | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | ErrorLog | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Exception | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | OLEDB Errors | | Any from Possible Target Types Values Associated With Certain SQL Trace Audit Events |
| | Execution warnings | | |
| | Execution warnings | | |
| | Sort Warnings | | |
| | Sort Warnings | | |
| | Missing Column Statistics | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Missing Join Predicate | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Server Memory Change | | |
| | Server Memory Change | | |
| | User Error Message | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Bitmap Warning | | |
| | Trace Start | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Trace Stop | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | SQL:Stmt Completed Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit DBCC Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Operation Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Lock:Deadlock Chain | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:82) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:83) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:84) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:85) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:86) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:87) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:88) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:89) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:90) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | User Configurable (Event ID:91) | | Any possible target type values associated with certain SQL Trace Audit Events. |
| NOTIFICATION SERVICE | Notification Service | RAISE | |
| | Password Policy | UPDATE | |
User session events track audited authentication events for users who log in to the database.
Table G-13 lists the Microsoft SQL Server user session events and the equivalent Oracle Audit Vault and Database Firewall events.
Table G-13 SQL Server User Session Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
| | Audit Broker Login | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Mirroring Login Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Operation Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Database Principal Impersonation Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Login Audit Login Audit Login Failed Audit Logout Audit Logout Login Failed Event Login Failed Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | Audit Server Principal Impersonation Event | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | SQL Transaction | | Any possible target type values associated with certain SQL Trace Audit Events. |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | SQL Transaction | | DATABASE |
| | Storage login | | SERVER |
| | Storage login | | SERVER |
The Target Type value associated with certain audit events can be any value from the following list. The audit event tables in this appendix refer to this list.
Possible Target Type values associated with certain audit events
INDEX PROCEDURE TRIGGER TABLE VIEW CONSTRAINT DEFAULT RULE DATABASE OBJECT CATALOG SCHEMA CREDENTIAL EVENT FUNCTION ROLE GROUP KEY LOGIN REMOTE SERVICE BINDING NOTIFICATION SYNONYM SEQUENCE END POINT QUEUE CERTIFICATE SERVER ASSEMBLY PARTITION SCHEME USER SERVICE BROKER SERVICE CONTRACT TYPE SERVICE BROKER ROUTE STATISTICS SERVICE BROKER SERVICE CERTIFICATE LOGIN QUERY RESOURCE GOVERNOR DATABASE CONFIGURATION EXTERNAL LIBRARY EXTERNAL RESOURCE POOL EXTERNAL SCRIPT QUERY