Security, et al

Randy's Blog on Infosec and Other Stuff


Understanding Audit Logging in SQL Server 2008 - 2/18/10 12PM US Eastern Time

Tue, 12 Jan 2010 12:08:11 GMT

With 2008, SQL Server finally has a real audit log capability.  It’s flexible, high performance and can report its events directly to the Windows Security Event Log which means you can leverage the security and integrity of the security log AND take advantage of whatever log management solution you currently use to collect, monitor and report server logs.

Now you can audit changes to SQL Server configuration and objects as well as commands executed against tables such as Select, Update, Delete and Insert.  SQL Server 2008 auditing produces an audit log, not a transaction log.  That means you can audit any command or other action in SQL Server, but the audit log does not record before and after images of the actual data table rows.  Again, it’s an audit log – not a transaction log.

Similar to Windows auditing, SQL Server 2008 auditing allows you to define which SQL Server objects and actions you wish to audit, and you can limit audited activity to specific users or roles.  When you enable auditing you can choose to send audit events to either binary SQL audit log files in a specified folder or to the Application or Security event logs.  For obvious security and log management reasons I recommend the security log.  I wish Microsoft had used different event IDs for each audit event, but all SQL Server audit events show up as event ID 33205, so you have to look in the event details for any and all particulars about the event.

The new SQL commands for auditing include:

· CREATE SERVER AUDIT
· CREATE SERVER AUDIT SPECIFICATION
· CREATE DATABASE AUDIT SPECIFICATION

In this real training webinar I will explain those commands and show you how to set up SQL Server auditing to report events to the Security log.  Then I will demonstrate a number of audit scenarios for tracking things like:

· Permission changes
· Login and role changes
· Login failures
· Commands against specific tables like SELECT and UPDATE
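
As an added illustration (not material from the webinar), the three commands can be combined to cover the scenarios listed above and send the events to the Security log. The audit and specification names, the SalesDb database and the dbo.Customers table are hypothetical.

```sql
-- Added example; all object names below are hypothetical.
-- Assumes the SQL Server service account is allowed to write to the
-- Windows Security log ("Generate security audits" user right).
USE master;
GO
-- 1. The audit object only defines the destination and delivery options.
CREATE SERVER AUDIT Audit_ToSecurityLog
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. Server-level specification: login failures, login and server role
--    changes, and server permission changes.
CREATE SERVER AUDIT SPECIFICATION ServerSpec_LoginsAndPermissions
    FOR SERVER AUDIT Audit_ToSecurityLog
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Nothing is recorded until the audit itself is switched on.
ALTER SERVER AUDIT Audit_ToSecurityLog WITH (STATE = ON);
GO
-- 3. Database-level specification: SELECT and UPDATE against one table,
--    plus permission and role membership changes inside the database.
--    "BY public" covers every user; name a user or role to narrow it.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION DbSpec_Customers
    FOR SERVER AUDIT Audit_ToSecurityLog
    ADD (SELECT, UPDATE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Confirm the audit is running before relying on it.
SELECT name, status_desc, status_time
FROM sys.dm_server_audit_status;
```

Every event from these specifications arrives in the Security log as event ID 33205, so the log management side has to filter on the event details rather than on the ID.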

This real training webinar is not free.  For specialized topics where finding a sponsor is not practical I’m trying out a new paid model.  The fee is low and there is no sponsor presentation; your information will not be shared with anyone.  It’s all deep, technical training.  To register please click here.
