G Microsoft SQL Server SQL Trace Audit Events

Topics

G.1 About the Microsoft SQL Server Audit Events

This appendix maps audit event names used in the SQL Server database to their equivalent values in the command_class and target_type fields in the Oracle Audit Vault and Database Firewall audit record. The audit events are organized in useful categories, for example, Account Management events. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools.

See Also:

Oracle Audit Vault and Database Firewall Database Schemas for Oracle Audit Vault and Database Firewall data warehouse details that may be useful in designing your own reports.

G.2 Account Management Events

Account management events track SQL statements that affect user accounts, such as adding logins or changing login passwords.

Table G-1 lists the Microsoft SQL Server account management events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-1 Microsoft SQL Server Account Management Events

Source Event Event Description Command Class Target Type

Source Event	Event Description	Command Class	Target Type
`ADDLOGIN:ADD` `ADDLOGIN:DROP`	Audit AddLogin Event	`CREATE` `DROP`	`USER` `USER`
`DATABASE PRINCIPAL MANAGEMENT:ALTER: USER` `DATABASE PRINCIPAL MANAGEMENT:CREATE: USER` `DATABASE PRINCIPAL MANAGEMENT:DROP: USER`	Audit Database Principal Management Event	`ALTER` `CREATE` `DROP`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOGIN CHANGE PASSWORD:PASSWORD CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE` `LOGIN CHANGE PASSWORD:PASSWORD RESET` `LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED` `LOGIN CHANGE PASSWORD:PASSWORD SELF RESET` `LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED`	Audit Login Change Password Event	`ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE` `LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE` `LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED` `LOGIN CHANGE PROPERTY:EXPIRATION CHANGED` `LOGIN CHANGE PROPERTY:NAME CHANGED` `LOGIN CHANGE PROPERTY:POLICY CHANGED`	Audit Login Change Property Event	`ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED` `SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN`	Audit Server Object Management Event	`ALTER` `ALTER`	`USER` `USER`
`SERVER PRINCIPAL MANAGEMENT:CREATE` `SERVER PRINCIPAL MANAGEMENT:ALTER` `SERVER PRINCIPAL MANAGEMENT:DROP` `SERVER PRINCIPAL MANAGEMENT:DISABLE` `SERVER PRINCIPAL MANAGEMENT:ENABLE`	Audit Server Principal Management Event	`ALTER` `CREATE` `DISABLE` `DROP` `ENABLE`	`USER` `USER` Any possible target type values associated with certain SQL Trace Audit Events.

ADDLOGIN:ADD

ADDLOGIN:DROP

Audit AddLogin Event

CREATE

DROP

USER

DATABASE PRINCIPAL MANAGEMENT:ALTER: USER

DATABASE PRINCIPAL MANAGEMENT:CREATE: USER

DATABASE PRINCIPAL MANAGEMENT:DROP: USER

Audit Database Principal Management Event

ALTER

CREATE

DROP

Any possible target type values associated with certain SQL Trace Audit Events.

LOGIN CHANGE PASSWORD:PASSWORD CHANGED

LOGIN CHANGE PASSWORD:PASSWORD MUST CHANGE

LOGIN CHANGE PASSWORD:PASSWORD RESET

LOGIN CHANGE PASSWORD:PASSWORD SELF CHANGED

LOGIN CHANGE PASSWORD:PASSWORD SELF RESET

LOGIN CHANGE PASSWORD:PASSWORD UNLOCKED

Audit Login Change Password Event

ALTER

Any possible target type values associated with certain SQL Trace Audit Events.

LOGIN CHANGE PROPERTY:CREDENTIAL CHANGED

LOGIN CHANGE PROPERTY:DEFAULT DATABASE

LOGIN CHANGE PROPERTY:DEFAULT DATABASE CHANGED

LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE

LOGIN CHANGE PROPERTY:DEFAULT LANGUAGE CHANGED

LOGIN CHANGE PROPERTY:EXPIRATION CHANGED

LOGIN CHANGE PROPERTY:NAME CHANGED

LOGIN CHANGE PROPERTY:POLICY CHANGED

Audit Login Change Property Event

ALTER

Any possible target type values associated with certain SQL Trace Audit Events.

SERVER OBJECT MANAGEMENT:CREDENTIAL MAP DROPPED

SERVER OBJECT MANAGEMENT:CREDENTIAL MAPPED TO LOGIN

Audit Server Object Management Event

ALTER

USER

SERVER PRINCIPAL MANAGEMENT:CREATE

SERVER PRINCIPAL MANAGEMENT:ALTER

SERVER PRINCIPAL MANAGEMENT:DROP

SERVER PRINCIPAL MANAGEMENT:DISABLE

SERVER PRINCIPAL MANAGEMENT:ENABLE

Audit Server Principal Management Event

ALTER

CREATE

DISABLE

DROP

ENABLE

USER

Any possible target type values associated with certain SQL Trace Audit Events.

G.3 Application Management Events

Application management events track actions that were performed on the underlying SQL statements, such as creating objects.

Table G-2 lists the Microsoft SQL Server application management events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-2 SQL Server Application Management Audit Events

Source Event	Event Description	Command Class	Target Type
`DATABASE OBJECT TAKE OWNERSHIP`	Audit Database Object Take Ownership Event	`ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: PROCEDURE` `SCHEMA OBJECT TAKE OWNERSHIP: TYPE` `SCHEMA OBJECT TAKE OWNERSHIP: TRIGGER`	Audit Schema Object Take Ownership Event	`ALTER` `ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OBJECT TAKE OWNERSHIP: OBJECT`	Audit Server Object Take Ownership Event	`ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE` `OBJECT:CREATED:BEGIN` `OBJECT:CREATED:COMMIT` `OBJECT:CREATED:ROLLBACK` `OBJECT:DELETED:BEGIN`	Object:Created Object:Deleted	`CREATE` `CREATE` `CREATE` `COMMIT` `ROLLBACK` `DROP`	Any possible target type values associated with certain SQL Trace Audit Events.
`OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:TRIGGER`	Object:Deleted	`DROP` `DROP`	Any possible target type values associated with certain SQL Trace Audit Events.

G.4 Audit Command Events

Audit command events track the use of audit events, such as altering trace events. Table G-3 lists the Microsoft SQL Server audit command events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-3 SQL Server Audit Command Audit Events

Source Event Event Description Command Class Target Type

Source Event	Event Description	Command Class	Target Type
`CHANGE:AUDIT STARTED` `CHANGE:AUDIT STOPPED` `CHANGE:C2 MODE ON` `CHANGE:C2 MODE OFF` `CHANGE:AUDIT STOPPED` `CHANGE:NEW AUDIT STARTED`	Audit Change Audit Event	`AUDIT` `NOAUDIT` `AUDIT` `NOAUDIT` `SYSTEM` `SYSTEM`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER ALTER TRACE`	Audit Server Alter Trace Event	`ALTER`	`TRACE`
`EXISTINGCONNECTION`	ExistingConnection	`EXISTING`	Any possible target type values associated with certain SQL Trace Audit Events.

CHANGE:AUDIT STARTED

CHANGE:AUDIT STOPPED

CHANGE:C2 MODE ON

CHANGE:C2 MODE OFF

CHANGE:AUDIT STOPPED

CHANGE:NEW AUDIT STARTED

Audit Change Audit Event

AUDIT

NOAUDIT

AUDIT

NOAUDIT

SYSTEM

Any possible target type values associated with certain SQL Trace Audit Events.

SERVER ALTER TRACE

Audit Server Alter Trace Event

ALTER

TRACE

EXISTINGCONNECTION

ExistingConnection

EXISTING

Any possible target type values associated with certain SQL Trace Audit Events.

Table G-4 lists the Microsoft SQL Server audit command events that are logged in the Windows Event Viewer.

Table G-4 SQL Server Audit Command Events Logged in Windows Event Viewer

Source Event	Severity
`OP ALTER TRACE: START`	`10`
`OP ALTER TRACE: STOP`	`10`

Note:

Possible Target Types Values Associated With Certain SQL Trace Audit Events

G.5 Data Access Events

The data access event tracks SQL transactions. The Data Access Report uses these events.

Table G-5 shows the Microsoft SQL Server data access source event and the equivalent Oracle Audit Vault and Database Firewall event.

Table G-5 SQL Server Data Access Audit Event

Source Event	Event Description	Command Class	Target Type
`SQL TRANSACTION:BEGIN`	SQL Transaction	`TRANSACTION MANAGEMENT`	`TRANSACTION`
`BATCH COMPLETED`	SQL transaction batch completed	`EXECUTE`	DATABASE
`BATCH_COMPLETED_GROUP`	SQL transaction batch completed	`EXECUTE`	DATABASE

See Also:

Data Access Report

G.6 Exception Events

Exception events track audited error and exception activity, such as background job errors. Table G-6 lists the Microsoft SQL Server exception events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-6 SQL Server Exception Audit Events

Source Event Event Description Command Class Target Type

Source Event	Event Description	Command Class	Target Type
`BACKGROUND JOB ERROR:BACKGROUND JOB GIVING UP AFTER FAILURE` `BACKGROUND JOB ERROR:BACKGROUND JOB DROPPED - QUEUE IS FULL` `BACKGROUND JOB ERROR:BACKGROUND JOB RETURNED AN ERROR`	Background Job Error	`RAISE` `RAISE` `RAISE`	Any possible target type values associated with certain SQL Trace Audit Events.
`BLOCKED PROCESS REPORT`	Blocked Process Report	`RAISE`	Any possible target type values associated with certain SQL Trace Audit Events.

BACKGROUND JOB ERROR:BACKGROUND JOB GIVING UP AFTER FAILURE

BACKGROUND JOB ERROR:BACKGROUND JOB DROPPED - QUEUE IS FULL

BACKGROUND JOB ERROR:BACKGROUND JOB RETURNED AN ERROR

Background Job Error

RAISE

Any possible target type values associated with certain SQL Trace Audit Events.

BLOCKED PROCESS REPORT

Blocked Process Report

RAISE

Any possible target type values associated with certain SQL Trace Audit Events.

Table G-7 lists the Microsoft SQL Server exception events that are logged in the Windows Event Viewer.

Table G-7 SQL Server Exception Events Logged in the Windows Event Viewer

Source Event	Severity	command_class	target_type
`OP ERROR: COMMIT`	`10`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: DB OFFLINE`	`10`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: MIRRORING ERROR`	`16`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: .NET FATAL ERROR`	`16`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: .NET USER CODE`	`16`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: PROCESS VIOLATION`	`16`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: RECOVER`	`21`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: RESTORE FAILED`	`21`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: ROLLBACK`	`10`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: SERVER SHUT DOWN`	`21`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.
`OP ERROR: STACK OVER FLOW`	`16`	`ERROR`	Any possible target type values associated with certain SQL Trace Audit Events.

G.7 Invalid Record Events

Invalid record events track audited activity that Oracle AVDF cannot recognize, possibly due to a corrupted audit record. These events do not have any event names; they only contain event attributes.

G.8 Object Management Events

Object management events track audited actions performed on database objects, such as altering an object. Table G-8 lists the Microsoft SQL Server object management events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-8 SQL Server Object Management Audit Events

Source Event	Event Description	Command Class	Target Type
`DATABASE OBJECT ACCESS`	Audit Database Object Access Event	`ACCESS`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE OBJECT MANAGEMENT:ACCESS`	Audit Database Object Management Event	`ACCESS`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE OBJECT TAKE OWNERSHIP: OBJECT` `DATABASE OBJECT TAKE OWNERSHIP: SCHEMA`	Audit Database Object Take Ownership Event	`ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE PRINCIPAL MANAGEMENT:CREATE` `DATABASE PRINCIPAL MANAGEMENT:ALTER` `DATABASE PRINCIPAL MANAGEMENT:DROP`	Audit Database Principal Management Event	`CREATE` `ALTER` `DROP`	Any possible target type values associated with certain SQL Trace Audit Events.
`SCHEMA OBJECT ACCESS`	Audit Schema Object Access Event	`ACCESS`	Any possible target type values associated with certain SQL Trace Audit Events.
`SCHEMA OBJECT MANAGEMENT:CREATE` `SCHEMA OBJECT MANAGEMENT:ALTER` `SCHEMA OBJECT MANAGEMENT:DROP` `SCHEMA OBJECT MANAGEMENT:TRANSFER`	Audit Schema Object Management Event	`CREATE` `ALTER` DROP `TRANSFER`	Any possible target type values associated with certain SQL Trace Audit Events.
`SCHEMA OBJECT TAKE OWNERSHIP: INDEX` `SCHEMA OBJECT TAKE OWNERSHIP: OBJECT` `SCHEMA OBJECT TAKE OWNERSHIP: TABLE`	Audit Schema Object Take Ownership Event	`ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OBJECT TAKE OWNERSHIP: OBJECT`	Audit Server Object Take Ownership Event	`ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOCK:DEADLOCK`	Lock:Deadlock	`DEADLOCK`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOCK:DEADLOCK CHAIN` `LOCK:DEADLOCK CHAIN:RESOURCE TYPE LOCK`	Lock:Deadlock Chain	`DEADLOCK` `DEADLOCK`	Any possible target type values associated with certain SQL Trace Audit Events.
`OBJECT:ALTERED` `OBJECT:ALTERED:COMMIT` `OBJECT:ALTERED:INDEX` `OBJECT:ALTERED:PROCEDURE` `OBJECT:ALTERED:ROLLBACK` `OBJECT:ALTERED:TABLE` `OBJECT:ALTERED:TRIGGER` `OBJECT:ALTERED:TYPE` `OBJECT:ALTERED:BEGIN`	Object:Altered	`ALTER` `COMMIT` `ALTER` `ALTER` `ROLLBACK` `ALTER` `ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`OBJECT:CREATED` `OBJECT:CREATED:COMMIT` `OBJECT:CREATED:INDEX` `OBJECT:CREATED:PROCEDURE` `OBJECT:CREATED:ROLLBACK` `OBJECT:CREATED:SCHEMA` `OBJECT:CREATED:SYNONYM` `OBJECT:CREATED:TABLE` `OBJECT:CREATED:TRIGGER` `OBJECT:CREATED:TYPE` `OBJECT:CREATED:VIEW`	Object:Created	`CREATE` `COMMIT` `CREATE` `CREATE` `ROLLBACK` `CREATE` `CREATE` `CREATE` `CREATE` `CREATE` `CREATE`	Any possible target type values associated with certain SQL Trace Audit Events.
`OBJECT:DELETED` `OBJECT:DELETED:COMMIT` `OBJECT:DELETED:INDEX` `OBJECT:DELETED:PROCEDURE` `OBJECT:DELETED:ROLLBACK` `OBJECT:DELETED:SYNONYM` `OBJECT:DELETED:TABLE` `OBJECT:DELETED:TRIGGER` `OBJECT:DELETED:TYPE` `OBJECT:DELETED:VIEW`	Object:Deleted	`DROP` `COMMIT` `DROP` `DROP` `ROLLBACK` `DROP` `DROP` `DROP` `DROP` `DROP`	Any possible target type values associated with certain SQL Trace Audit Events.

G.9 Peer Association Events

Peer association events track database link statements. These events do not have any event names; they only contain event attributes.

G.10 Role and Privilege Management Events

Role and privilege management events track audited role and privilege management activity, such as granting a user access permission.

Table G-9 lists the Microsoft SQL Server role and privilege management events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-9 SQL Server Role and Privilege Management Audit Events

Source Event	Event Description	Command Class	Target Type
`ADD DB USER:ADD` `ADD DB USER:DROP` `ADD DB USER:GRANT DATABASE ACCESS` `ADD DB USER:GRANTDBACCESS` `ADD DB USER:REVOKE DATABASE ACCESS` `ADD DB USER:REVOKEDBACCESS`	Audit Add DB User Event	`ALTER` `ALTER` `GRANT` `GRANT` `REVOKE` `REVOKE`	`DATABASE` `DATABASE` `ROLE` `ROLE` `ROLE` `ROLE`
`ADD LOGIN TO SERVER ROLE:ADD` `ADD LOGIN TO SERVER ROLE:DROP`	Audit Add Login to Server Role Event	`GRANT` `REVOKE`	`ROLE` `ROLE`
`ADD MEMBER TO DB ROLE:ADD` `ADD MEMBER TO DB ROLE:CHANGE GROUP` `ADD MEMBER TO DB ROLE:DROP`	Audit Add Member to DB Role Event	`GRANT` `ALTER` `REVOKE`	`ROLE` `ROLE` `ROLE`
`ADD ROLE:ADD` `ADD ROLE:DROP`	Audit Add Role Event	`CREATE` `DROP`	`ROLE` `ROLE`
`APP ROLE CHANGE PASSWORD`	Audit App Role Change Password Event	`ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE OBJECT GDR:DENY` `DATABASE OBJECT GDR:GRANT` `DATABASE OBJECT GDR:REVOKE`	Audit Database Object GDR Event	`ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE PRINCIPAL MANAGEMENT:ALTER: ROLE` `DATABASE PRINCIPAL MANAGEMENT:CREATE: ROLE` `DATABASE PRINCIPAL MANAGEMENT:DROP: ROLE`	Audit Database Principal Management Event	`ALTER` `CREATE` `DROP`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOGIN GDR:DENY` `LOGIN GDR:GRANT` `LOGIN GDR:REVOKE`	Audit Login GDR Event	`DENY` `GRANT` `REVOKE`	Any possible target type values associated with certain SQL Trace Audit Events.
`OBJECT DERIVED PERMISSION:CREATE` `OBJECT DERIVED PERMISSION:ALTER` `OBJECT DERIVED PERMISSION:DROP` `OBJECT DERIVED PERMISSION:DUMP` `OBJECT DERIVED PERMISSION:LOAD`	Audit Object Derived Permission Event	`CREATE` `ALTER` `DROP` `BACKUP` `RESTORE`	Any possible target type values associated with certain SQL Trace Audit Events.
`SCHEMA OBJECT GDR:GRANT` `SCHEMA OBJECT GDR:REVOKE` `SCHEMA OBJECT GDR:DENY`	Audit Schema Object GDR Event	`GRANT` `REVOKE` `DENY`	`OBJECT` `OBJECT` `OBJECT`
`OBJECT PERMISSION`	Audit Object Derived Permission Event	`CHECK`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OBJECT GDR:GRANT` `SERVER OBJECT GDR:REVOKE` `SERVER OBJECT GDR:DENY`	Audit Server Object GDR Event	`ALTER` `ALTER` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER SCOPE GDR:DENY` `SERVER SCOPE GDR:GRANT` `SERVER SCOPE GDR:REVOKE`	Audit Server Scope GDR Event	`DENY` `GRANT` `REVOKE`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE SCOPE GDR:GRANT` `STATEMENT GDR:REVOKE` `STATEMENT GDR:DENY`	Audit Database Scope GDR Event	`GRANT` `REVOKE` `DENY`	Any possible target type values associated with certain SQL Trace Audit Events.
`STATEMENT PERMISSION`	Audit Statement Permission Event	`VALIDATE`	Any possible target type values associated with certain SQL Trace Audit Events.

G.11 Service and Application Utilization Events

Service and application utilization events track audited application access activity.

Table G-10 lists the Microsoft SQL Server service and application utilization events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-10 SQL Server Service and Application Utilization Audit Events

Source Event	Event Description	Command Class	Target Type
`BROKER CONVERSATION:INVALID SIGNATURE` `BROKER CONVERSATION:NO CERTIFICATE` `BROKER CONVERSATION:NO SECURITY HEADER` `BROKER CONVERSATION:RUN AS TARGET FAILURE`	Audit Broker Conversation	`EXECUTE`	Any possible target type values associated with certain SQL Trace Audit Events.
`BROKER:MESSAGE UNDELIVERABLE:SEQUENCED` `BROKER:MESSAGE UNDELIVERABLE:UNSEQUENCED` `BROKER:MESSAGE UNDELIVERABLE:CORRUPTED MESSAGE`	Broker:Message Undeliverable Broker:Message Undeliverable Broker:Corrupted Message	`TRANSACTION MANAGEMENT` `TRANSACTION MANAGEMENT` `RECEIVE`	`MESSAGE` `MESSAGE` Any possible target type values associated with certain SQL Trace Audit Events.
`BROKER:ACTIVATION:ABORTED`	Broker:Activation - The activation stored procedure exited with an error.	`ABORT`	Any possible target type values associated with certain SQL Trace Audit Events.
`BROKER:QUEUE DISABLED`	Broker:Queue Disabled	`DISABLE`	Any possible target type values associated with certain SQL Trace Audit Events.
`RPC STARTED`	Remote procedure call	`EXECUTE`	DATABASE
`RPC COMPLETED`	Remote procedure call	`EXECUTE`	DATABASE

G.12 System Management Events

System management events track audited system management activity, such as backup and restore operations. Table G-11 lists the Microsoft SQL Server system management events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-11 SQL Server System Management Audit Events

Source Event	Event Description	Command Class	Target Type
`ADD DB USER:ADD` `ADD DB USER:DROP` `ADD DB USER:SP_ADDUSER` `ADD DB USER:SP_DROPUSER`	Audit Add DB User Event	`ALTER` `ALTER` `ALTER` `ALTER`	`DATABASE` `DATABASE` `DATABASE` `DATABASE`
`BACKUP/RESTORE:BACKUP` `BACKUP/RESTORE:BACKUPLOG` `BACKUP/RESTORE:RESTORE`	Audit Backup/Restore Event	`BACKUP` `BACKUP` `RESTORE`	Any possible target type values associated with certain SQL Trace Audit Events.
`CHANGE DATABASE OWNER`	Audit Change Database Owner	`ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE MANAGEMENT:ALTER` `DATABASE MANAGEMENT:CREATE` `DATABASE MANAGEMENT:DROP` `DATABASE MANAGEMENT:DUMP` `DATABASE MANAGEMENT:LOAD`	Audit Database Management Event	`ALTER` `CREATE` `DROP` `BACKUP` `RESTORE`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE OBJECT MANAGEMENT:ALTER` `DATABASE OBJECT MANAGEMENT:CREATE` `DATABASE OBJECT MANAGEMENT:DROP` `DATABASE OBJECT MANAGEMENT:DUMP` `DATABASE OBJECT MANAGEMENT:LOAD` `DATABASE OBJECT MANAGEMENT:OPEN`	Audit Database Object Management Event	`ALTER` `ALTER` `ALTER` `BACKUP` `RESTORE` `ALTER`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE OPERATION:SUBSCRIBE TO QUERY NOTIFICATION`	Audit Database Operation Event	`SUBSCRIBE`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE PRINCIPAL MANAGEMENT:DUMP` `DATABASE PRINCIPAL MANAGEMENT:LOAD`	Audit Database Principal Management Event	`BACKUP` `RESTORE`	Any possible target type values associated with certain SQL Trace Audit Events.
`DB CONSISTENCY CHECK`	Audit DBCC Event	`VERIFY`	Any possible target type values associated with certain SQL Trace Audit Events.
`SCHEMA OBJECT MANAGEMENT:DUMP` `SCHEMA OBJECT MANAGEMENT:LOAD`	Audit Schema Object Management Event	`BACKUP` `RESTORE`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OBJECT MANAGEMENT:CREATE` `SERVER OBJECT MANAGEMENT:ALTER` `SERVER OBJECT MANAGEMENT:DROP` `SERVER OBJECT MANAGEMENT:DUMP` `SERVER OBJECT MANAGEMENT:LOAD`	Audit Server Object Management Event	`ALTER` `ALTER` `ALTER` `BACKUP` `RESTORE`	`SYSTEM` `SYSTEM` `SYSTEM` Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OPERATION:ADMINISTER BULK OPERATIONS` `SERVER OPERATION:ALTER RESOURCES` `SERVER OPERATION:ALTER SERVER STATE` `SERVER OPERATION:ALTER SETTINGS` `SERVER OPERATION:AUTHENTICATE` `SERVER OPERATION:EXTERNAL ACCESS`	Audit Server Operation Event	`UPDATE` UPDATE UPDATE `UPDATE` UPDATE UPDATE	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER PRINCIPAL MANAGEMENT:DUMP: USER` `SERVER PRINCIPAL MANAGEMENT:LOAD: USER`	Audit Server Principal Management Event	`BACKUP` `RESTORE`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER STARTS AND STOPS:SHUTDOWN` `SERVER STARTS AND STOPS:STARTED` `SERVER STARTS AND STOPS:PAUSED` `SERVER STARTS AND STOPS:CONTINUE`	Audit Server Starts and Stops	`STOP` `START` `SUSPEND` `RESUME`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER STARTS AND STOPS:INSTANCE CONTINUED` `SERVER STARTS AND STOPS:INSTANCE PAUSE` `SERVER STARTS AND STOPS:INSTANCE SHUTDOWN` `SERVER STARTS AND STOPS:INSTANCE STARTED`	Audit Server Starts and Stops Event	`RESUME` `SUSPEND` `SHUTDOWN` `STARTUP`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE MIRRORING STATE CHANGE`	Database Mirroring State Change	UPDATE	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE MIRRORING CONNECTION:CONNECTING` `DATABASE MIRRORING CONNECTION:CONNECTED` `DATABASE MIRRORING CONNECTION:CONNECT FAILED` `DATABASE MIRRORING CONNECTION:CLOSING` `DATABASE MIRRORING CONNECTION:CLOSED` `DATABASE MIRRORING CONNECTION:ACCEPT` `DATABASE MIRRORING CONNECTION:SEND IO ERROR` `DATABASE MIRRORING CONNECTION:RECEIVE IO ERROR`	Database Mirroring Connection	`CONNECT` `CONNECT` `INVALID` `CLOSE` `CLOSE` `ACCEPT` `RAISE` `RECEIVE`	`DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE` `DATABASE`
`MOUNT TAPE:TAPE MOUNT CANCELLED` `MOUNT TAPE:TAPE MOUNT COMPLETE` `MOUNT TAPE:TAPE MOUNT REQUEST`	Mount Tape	`MOUNT` `MOUNT` `MOUNT`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE BULK ADMIN`	DB Bulk administration	`INSERT`	`DATABASE`

G.13 Unknown or Uncategorized Events

Unknown or uncategorized events track audited activity that cannot be categorized, such as user-created configurations.

Table G-12 Uncategorised Events

Source Event	Event Description	Command Class	Target Type
`ATTENTION`	Attention	`RAISE`	Any possible target type values associated with certain SQL Trace Audit Events.
`ERROR LOG`	ErrorLog	`WRITE`	Any possible target type values associated with certain SQL Trace Audit Events.
`EXCEPTION`	Exception	`RAISE`	Any possible target type values associated with certain SQL Trace Audit Events.
`OLEDB ERRORS`	OLEDB Errors	`RAISE`	Any from Possible Target Types Values Associated With Certain SQL Trace Audit Events
`EXECUTION WARNINGS:QUERY WAIT`	Execution warnings	`WAIT`	`QUERY`
`EXECUTION WARNINGS:QUERY TIMEOUT`	Execution warnings	`DML`	`QUERY`
`SORT WARNINGS:SINGLE PASS`	Sort Warnings	`ACCESS`	`QUERY`
`SORT WARNINGS:MULTIPLE PASS`	Sort Warnings	`ACCESS`	`QUERY`
`MISSING COLUMN STATISTICS`	Missing Column Statistics	`ACCESS`	Any possible target type values associated with certain SQL Trace Audit Events.
`MISSING JOIN PREDICATE`	Missing Join Predicate	`ACCESS`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER MEMORY CHANGE:INCREASE`	Server Memory Change	`UPDATE`	`MEMORY`
`SERVER MEMORY CHANGE:DECREASE`	Server Memory Change	`UPDATE`	`MEMORY`
`USER ERROR MESSAGE`	User Error Message	`RAISE`	Any possible target type values associated with certain SQL Trace Audit Events.
`BITMAP WARNING:DISABLED`	Bitmap Warning	`RAISE`	`WARNING`
`TRACE START`	Trace Start	`START`	Any possible target type values associated with certain SQL Trace Audit Events.
`TRACE STOP`	Trace Stop	`STOP`	Any possible target type values associated with certain SQL Trace Audit Events.
`SQL:STMTCOMPLETED`	SQL:Stmt Completed Event	`EXECUTE`	Any possible target type values associated with certain SQL Trace Audit Events.
`DBCC`	Audit DBCC Event	`EXECUTE`	Any possible target type values associated with certain SQL Trace Audit Events.
`SERVER OPERATION:ALTER SERVER STATE`	Audit Server Operation Event	`UPDATE`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOCK:DEADLOCK CHAIN:RESOURCE TYPE LOCK`	Lock:Deadlock Chain	`DEADLOCK`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:82)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:83)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:84)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:85)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:86)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:87)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:88)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:89)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:90)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
`USER CONFIGURABLE`	User Configurable (Event ID:91)	`CONFIGURE`	Any possible target type values associated with certain SQL Trace Audit Events.
NOTIFICATION SERVICE	Notification Service	RAISE	`DATABASE`
`PASSWORD POLICY`	Password Policy	UPDATE	`POLICY`

G.14 User Session Events

User session events track audited authentication events for users who log in to the database.

Table G-13 lists the Microsoft SQL Server user session events and the equivalent Oracle Audit Vault and Database Firewall events.

Table G-13 SQL Server User Session Audit Events

Source Event	Event Description	Command Class	Target Type
`BROKER LOGIN:AUTHENTICATION FAILURE` `BROKER LOGIN:LOGIN SUCCESS` `BROKER LOGIN:LOGIN PROTOCOL ERROR` `BROKER LOGIN:MESSAGE FORMAT ERROR` `BROKER LOGIN:NEGOTIATE FAILURE`	Audit Broker Login	`LOGIN` `LOGIN` `LOGIN` `LOGIN` `LOGIN`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE MIRRORING LOGIN:LOGIN SUCCESS` `DATABASE MIRRORING LOGIN:LOGIN PROTOCOL ERROR` `DATABASE MIRRORING LOGIN:MESSAGE FORMAT ERROR` `DATABASE MIRRORING LOGIN:NEGOTIATE FAILURE` `DATABASE MIRRORING LOGIN:AUTHENTICATION FAILURE` `DATABASE MIRRORING LOGIN:AUTHORIZATION FAILURE`	Audit Database Mirroring Login Event	`LOGIN`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE OPERATION:CHECKPOINT`	Audit Database Operation Event	`SAVEPOINT`	Any possible target type values associated with certain SQL Trace Audit Events.
`DATABASE PRINCIPAL IMPERSONATION`	Audit Database Principal Impersonation Event	`IMPERSONATION`	Any possible target type values associated with certain SQL Trace Audit Events.
`LOGIN:NONPOOLED` `LOGIN:POOLED` `LOGIN:FAILED` `LOGOUT:NONPOOLED` `LOGOUT:POOLED` `LOGIN FAILED:NONPOOLED` `LOGIN FAILED:POOLED`	Audit Login Audit Login Audit Login Failed Audit Logout Audit Logout Login Failed Event Login Failed Event	`LOGIN` `LOGIN` `LOGIN` `LOGOUT` `LOGOUT` `LOGIN` `LOGIN`	`USER` `USER` Any possible target type values associated with certain SQL Trace Audit Events. `USER` `USER` `USER` `USER`
`SERVER PRINCIPAL IMPERSONATION`	Audit Server Principal Impersonation Event	`IMPERSONATION`	Any possible target type values associated with certain SQL Trace Audit Events.
`SQL TRANSACTION:COMMIT` `SQL TRANSACTION:ROLLBACK` `SQL TRANSACTION:SAVEPOINT`	SQL Transaction	`COMMIT` `ROLLBACK` `SAVEPOINT`	Any possible target type values associated with certain SQL Trace Audit Events.
`TRANSACTION BEGIN COMPLETED`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION BEGIN STARTING`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION COMMIT COMPLETED`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION COMMIT STARTING`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION PROMOTE COMPLETED`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION PROMOTE STARTING`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION PROPAGATE COMPLETED`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION PROPAGATE STARTING`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION ROLLBACK COMPLETED`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION ROLLBACK STARTING`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION SAVEPOINT COMPLETED`	SQL Transaction	`EXECUTE`	DATABASE
`TRANSACTION SAVEPOINT STARTING`	SQL Transaction	`EXECUTE`	DATABASE
`STORAGE LOGIN`	Storage login	`LOGIN`	SERVER
`STORAGE_LOGIN_GROUP`	Storage login	`LOGIN`	SERVER

G.15 Target Type Values for SQL Trace Audit Events

Target Type values associated with certain audit events can be any from the following list. See the Audit Event tables in this Appendix for references.

G.15.1 Possible Target Types Values Associated With Certain SQL Trace Audit Events

Possible Target Type values associated with certain audit events

INDEX
PROCEDURE
TRIGGER
TABLE
VIEW
CONSTRAINT
DEFAULT
RULE
DATABASE
OBJECT
CATALOG
SCHEMA
CREDENTIAL
EVENT
FUNCTION
ROLE
GROUP
KEY
LOGIN
REMOTE SERVICE BINDING
NOTIFICATION
SYNONYM
SEQUENCE
END POINT
QUEUE
CERTIFICATE
SERVER
ASSEMBLY
PARTITION SCHEME
USER
SERVICE BROKER SERVICE CONTRACT
TYPE
SERVICE BROKER ROUTE
STATISTICS
SERVICE BROKER SERVICE
CERTIFICATE LOGIN
QUERY
RESOURCE GOVERNOR
DATABASE CONFIGURATION
EXTERNAL LIBRARY
EXTERNAL RESOURCE POOL
EXTERNAL SCRIPT QUERY