In order to audit server-level
information, then you have to create a server audit specification. A
server audit specification consists of server-level action groups. The server audit
specifications are tracked across the entire instance of SQL Server.
There are not any boundaries within the SQL Server instance. Because of
this lack of boundaries, you cannot filter down to specific databases
within server audits. To create a server audit specification, use the
syntax in Listing
1.
Example 1. Syntax for
Creating a Server Audit Specification
CREATE SERVER AUDIT SPECIFICATION audit_specification_name
FOR SERVER AUDIT audit_name
ADD (audit_action_group_name ), ...n,
WITH ( STATE= ON|OFF)
|
To create the server audit
specification, you have to specify which SQL Server audit to associate
the server audit specification to. Once you assign the server
specification to the server audit, then you add the server-level audit_action_group name to the server audit specification. Once
you have added all of the server-level audit_action_group names that you want to monitor, determine if you
want to enable the audit during creation. If you don't, then you must
enable it when you are ready to capture the actions in the audit.
1. Server-Level
Action Groups
Server-level action
groups are the predefined groups used to audit your server from a server
perspective. Since server-level action groups are predefined, then you
can't customize the actions that each group captures. The only level of
customization you have for a server-level audit comes from deciding
which server-level action groups you add to an audit.
There are a large number of
server-level actions groups, so we won't be able to discuss them all
here. However, we list some of the server-level action groups that we
frequently like to use for our server audits.
Successful_Login_Group: Tracks successful principal logins into the
instance of SQL Server.
Failed_Login_Group:
Identifies unsuccessful principal failures against the instance of SQL
Server.
Server_Role_Member_Change_Group: Captures the addition and removal of logins
from fixed server roles.
Database_Role_Member_Change_Group: Tracks the addition and removal of logins to
database roles.
Server_Object_Change_Group: Captures create, alter, or drop
permissions on server objects.
Server_Principal_Change_Group: Tracks the creation, deletion, or alteration
of server principals.
Database_Change_Group: Identifies the creation, alteration, or
deletion of databases.
Database_Object_Change_Group: Captures create, alter, or delete actions
against objects within a database.
Database_Principal_Change_Group: Tracks the creation, modification, or deletion
of database principals.
Server_Permission_Change_Group:
Identifies when principals grant, revoke, or deny permissions to server
objects.
Database_Object_Permission_Change_Group:
Captures grant, revoke, or deny permission changes to database objects.
As you can see,
server-level audit action groups of SQL Server Audit allow you to
monitor a number of actions that occur from a server level. Please
review SQL Server Books Online and search for "SQL Server Audit Action
Groups and Actions" for a complete list of the groups. Understanding the
available options enables you to capture the relevant actions in your
environment. If you do not know what is available to monitor, then
chances are good you will miss something that could have saved you time
when trying to identify the cause of a problem.
Listing 2 shows an example of creating a
server audit specification with server-level audit action groups.
Example 2. SQL Code That
Creates a Server Audit Specification
CREATE SERVER AUDIT SPECIFICATION serverSpec
FOR SERVER AUDIT exampleAudit
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
GO
|
2. Testing Your
Server Audit Specification
Now that you understand
how to create a SQL Server audit and add server audit specifications,
let's create an example to demonstrate how the server audit
specification works with SQL Server audits. Listing 3 creates a SQL Server audit and adds a
server audit specification; it also contains code that causes the audit
to fire.
Example 3. SQL Script
That Creates a SQL Server Audit and Server Audit Specification
USE master;
GO
-- Create the server audit
CREATE SERVER AUDIT permissionChanges
TO FILE ( FILEPATH = 'C:\',MAXSIZE = 1 GB)
WITH( ON_FAILURE = CONTINUE)
GO
-- Create the server audit specification
CREATE SERVER AUDIT SPECIFICATION serverPermissionChanges
FOR SERVER AUDIT permissionChanges
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (SERVER_PERMISSION_CHANGE_GROUP),
ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP),
ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP)
GO
-- Turn the audit and server audit specification ON
ALTER SERVER AUDIT permissionChanges
WITH (STATE = ON)
GO
ALTER SERVER AUDIT SPECIFICATION serverPermissionChanges
WITH (STATE = ON)
GO
-- Creates actions that the audit will pick up
CREATE LOGIN auditTest
WITH PASSWORD = 'Test123!'
GO
EXEC sp_addsrvrolemember auditTest, sysadmin
GO
EXEC sp_dropsrvrolemember auditTest,sysadmin
GO
EXEC sp_addsrvrolemember auditTest, serveradmin
GO
EXEC sp_addsrvrolemember auditTest, processAdmin
|
To review the contents of the
audit, use the fn_get_audit_file
function. The following code allows you to see the results of Listing 3. The results of the preceding
query are shown in Figure 1.
USE master;
GO
SELECT event_time,server_principal_name, object_name, statement,*
FROM fn_get_audit_file ('C:\perm*',NULL, NULL)
