I Microsoft SQL Server SQL Audit and Event Log Events
Microsoft SQL Server SQL audit events cover categories such as account management events and application management events.
I.1 SQL Audit Events
SQL Audit Events map server-level and database-level groups of events, as well as individual events.
The Audit action items can be individual actions such as SELECT operations on a Table, or a group of actions such as SERVER_PERMISSION_CHANGE_GROUP.
SQL Audit Events track the following three categories of events:
- Server Level: These actions include server operations, such as management changes, and logon and logoff operations.
- Database Level: These actions include Data Manipulation Language (DML) and Data Definition Language (DDL).
- Audit Level: These actions include actions in the auditing process.
Note:
In the table below the Target Type can be anything from Possible Target Types Values Associated With SQL Audit and Event Log Events.
Table I-1 SQL Audit Events
| Source Event | Event Description | Command Class |
|---|---|---|
| | Database Role Member Change Group | |
| | Backup Log | |
| | Alter Resources | |
| | Delete | |
| | Broker Login | |
| | Logout Group | |
| | Must Change Password | |
| | Drop Member | |
| | Deny | |
| | Send | |
| | Select | |
| | Server Continue | |
| | Server Operation Group | |
| | Insert | |
| | Execute | |
| | Show Plan | |
| | Successful Login Group | |
| | Server Role Member Change Group | |
| | Alter Trace | |
| | Credential Map to Login | |
| | Full Text | |
| | Trace Audit C2On | |
| | Bulk Admin | |
| | Trace Audit C2Off | |
| | View Server State | |
| | Schema Object Access Group | |
| | Alter Connection | |
| | Alter Settings | |
| | Alter Server State | |
| | External Access Assembly | |
| | Open | |
| | Audit Shutdown On Failure | |
| | Audit Session Changed | |
| | Backup Restore Group | |
| | Server Object Ownership Change Group | |
| | Authenticate | |
| | Database Ownership Change Group | |
| | References | |
| | Server Started | |
| | Database Object Ownership Change Group | |
| | Schema Object Permission Change Group | |
| | Impersonate | |
| | Create | |
| | Server State Change Group | |
| | Take Ownership | |
| | Transfer | |
| | Change Users Login Auto | |
| | Add Member | |
| | View ChangeTracking | |
| | Login Failed | |
| | Database Principal Change Group | |
| | Database Object Change Group | |
| | Database Mirroring Login Group | |
| | Alter | |
| | Password Expiration | |
| | Update | |
| | Name Change | |
| | Logout | |
| | Login Succeeded | |
| | Database Change Group | |
| | Login Change Password Group | |
| | Reset Own Password | |
| | Change Users Login | |
| | Trace Change Group | |
| | Failed Login Group | |
| | Trace Audit Stop | |
| | Revoke | |
| | Change Own Password | |
| | Change Login Credential | |
| | Receive | |
| | Audit Change Group | |
| | Change Default Language | |
| | Change Password | |
| | Restore | |
| | Database Mirroring Login | |
| | Revoke with Cascade | |
| | Drop | |
| | Server Object Change Group | |
| | View Database State | |
| | Server Principal Change Group | |
| | Unlock Account | |
| | Fulltext Group | |
| | Enable | |
| | Password Policy | |
| | Revoke With Grant | |
| | Database Principal Impersonation Group | |
| | Reset Password | |
| | Subscribe Query Notification | |
| | Server Principal Impersonation Group | |
| | Application Role Change Password Group | |
| | Trace Audit Start | |
| | Database Object Permission Change Group | |
| | Server Paused | |
| | Database Operation Group | |
| | Access | |
| | Database Permission Change Group | |
| | Unsafe Assembly | |
| | Deny with Cascade | |
| | DBCC Group | |
| | Broker Login Group | |
| | Checkpoint | |
| | Server Shutdown | |
| | No Credential Map to Login | |
| | Schema Object Change Group | |
| | Connect | |
| | Grant with Grant | |
| | Change Default Database | |
| | Disable | |
| | Schema Object Ownership Change Group | |
| | Grant | |
| | Server Permission Change Group | |
| | Server Object Permission Change Group | |
| | Database Object Access Group | |
| | DBCC | |
| | Backup | |
See Also:
Possible Target Types Values Associated With SQL Audit and Event Log Events for the Target Type.
I.2 Event Log Events
Event Log Events help you audit server-level, database-level and individual events.
These events consist of zero or more audit action items which can be either a group of actions (DATABASE_MIRRORING_LOGIN_GROUP) or individual actions (SELECT or REVOKE).
The Event Log Events track the following three categories of events:
- Server Level: These actions include server operations such as management changes, and logon and logoff operations.
- Database Level: These actions include Data Manipulation Language (DML) and Data Definition Language (DDL).
- Audit Level: These actions include actions in the auditing process.
Table I-2 Event Log Events
| Source Events | Event Description | Command Class | Target Type |
|---|---|---|---|
| | OP Alter Trace: Stop | | |
| | OP Alter Trace: Start (Event ID: 19033) | | |
| | OP Alter Trace: Start (Event ID: 19034) | | |
| | Login Failed: Only Administrators Can Connect At This Time (Event ID: 18450) | | |
| | Login Failed: Only Administrators Can Connect At This Time (Event ID: 18451) | | |
| | Login Failed: Untrusted Domain | | |
| | Login Succeeded: Trusted | | |
| | Login Succeeded: Non-Trusted | | |
| | Login Succeeded | | |
| | Login Failed | | |
| | Login Failed: Illegal User Name | | |
| | Login Failed: Simultaneous License Limit | | |
| | Login Failed: Workstation Licensing Limit | | |
| | Login Failed: Simultaneous License Limit | | |
| | Login Failed: Server in Single User Mode | | |
| | Login Failed: Account Disabled | | |
| | Login Failed: Account Locked | | |
| | Login Failed: Password Expired | | |
| | Login Failed: Password Must Be Changed | | |
| | OP Error: Server Shut Down | | |
| | OP Error: Mirroring Error | | |
| | OP Error: Stack Over Flow | | |
| | OP Error: Commit | | |
| | OP Error: Rollback | | |
| | OP Error: DB Offline | | |
| | OP Error: Process Violation | | |
| | OP Error: Restore Failed | | |
| | OP Error: Recover | | |
| | OP Error: .NET Fatal Error | | |
| | OP Error: .NET User Code | | |
| | Notification Service | | |
| | Password Policy Update Successful | | |
| | OP Modify: Start | | |
| | OP Modify: Stop | | |
I.3 Target Type Values for SQL Audit and Event Log Events
The Target Type values associated with certain audit events can be any from the following list. See the Audit Event tables in this Appendix for references.
I.4 Possible Target Types Values Associated With SQL Audit and Event Log Events
The possible target type values can be types such as constraints.
| Possible Target Types | Class_Type |
|---|---|
| | AL |
| Undocumented | AP |