Server Audit Specification

A Server Audit Specification defines which Audit Action Groups will be audited for the entire server (or "instance"). Some audit action groups comprise server level actions like the creation of a database or modification of a server role and hence are only applicable to the server itself. Other action groups are applicable at the database level but can be included in a server audit specification so that those actions are audited on all databases - even new ones created the future.

Besides selecting action groups you must give the server audit specification a name and choose which Audit object it will be associated. Events generated by this audit specification will be logged according to the options in the associated Audit. In other words if you add the FAILED_LOGIN_GROUP to your server audit specification and then assign it to an Audit that defines \\server\share as the file destination, the failed login events will be written to log files at that destination along with events from any other audit specifications tied to that audit object.

After creating a server audit specification you must enable it before SQL Server will begin logging events indicated by the action groups you selected. Before you can modify an audit specification you must disable it. No more events will be generated by the specification until you reenable it.

Even though you see columns in the dialog below for object and principal information, they are not used for server audit specifications; the action groups you choose are audited for all applicable objects and regardless of who performs the operation. In fact action group audit rules are never scoped down by object or principal. Only audit action rules specified for certain commands in database audit specifications are scoped by object and principal.

SQL Server Management Studio provides full GUI access to administering server audit specifications but you may also use these Transact-SQL commands:

CREATE SERVER AUDIT SPECIFICATION
ALTER SERVER AUDIT SPECIFICATION
DROP SERVER AUDIT SPECIFICATION

LOGbinder provides a free tool to help you implement audit policy through a step-by-step interface: SQL Audit Policy Wizard.

Upcoming Webinars

The Advantages and Limitations of MFA: A Look into Common Bypass Techniques and Security Counter Measures

Additional Resources

Audit Policy

•	Server Audit Specification
•	Database Audit Specification
•	Audit Action Groups
•	Audit Actions
•	Audit Policy Wizard

User name:
Password:
	/ Forgot?
	Register

May 2024 Patch Tuesday	"Patch Tuesday - A few zero days and a fix introduced by last months patches " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.