SQL Server Audit Log Purging and Archival

SQL Server audit log purging depends on the type of output you select in the Audit object. If you send audit events to the Windows Application or Security log then your SQL audit data will be subject to whatever event log settings are configured on that event log. On the other hand if you output audit events in binary log file format you can also choose how large audit files should grow before rolling over to a new file, how many files to keep before SQL Server starts deleting old audit logs and even whether to reserve disk space in advance for these audit files.

But, commonly accepted best practice mandates that log files should be removed from the system where they are generated and that includes outside the control of the system that generates them so we do not recommend that the file patch you specify above serve as any kind of permanent resting place for audit logs. Instead this audit data should be collected into your centralized log management/SIEM archive.

And that is one of the functions facilitated by my LOGbinder for SQL Server collector.


Additional Resources