Auditing solutions are built to enable
retrospective analysis of user activity. SQL Server 2008 introduces a
number of enhancements in this regard, which will be the focus of this
section. We'll begin with coverage of the new SQL Server Audit feature
before looking at DDL and logon triggers. We'll finish with a brief look
at another new feature in SQL Server 2008, Change Data Capture.
1. SQL Server Audit
In SQL Server 2005 and earlier, auditing options
consisted of simple server-level logon success/failure logging, custom
audits using server-side traces or SQL Profiler, or the C2 trace option.
What was missing was a more granular auditing option whereby a custom
audit trace could be easily created that captured specific events such
as executing DBCC commands.
In addition to all of the auditing options in
2005, SQL Server 2008 introduces a comprehensive new auditing model that
addresses the need to easily create granular audit specifications. The
new Audit feature in SQL Server 2008 consists of three main components:
An audit,
which specifies the location of the audit output (file, application, or
security event log), an option to shut down SQL Server if the audit
can't be written, and a queue delay setting that specifies the number of
milliseconds that can pass before audit actions are processed
Server audit specifications, which contain definitions of server-level audit events such as server logins
Database audit specifications, which contain definitions of database level events such as schema modifications
Let's walk through an example of creating an
audit solution using SQL Server Management Studio. The first step is to
create an audit. First right-click on Audits under Security and choose
New Audit. As shown in figure 1,
the Create Audit screen lets you specify various properties, including
the file path if the audit destination is file based. As with most other
parts of Management Studio, use the Script button to save the creation
script for later inspection.
Both server and database audit specifications
are created in the context of a matching audit. The audit events
collected are sent to the Audit object, and written to either file or
the event log, as defined in the Audit object.
Known as audit action groups,
both server- and database-level audit specifications have a wide
variety of audit actions that can be captured. Let's continue by
defining a server audit specification. SQL Server BOL contains a full
list of all possible server-level audit actions that can be chosen. For
this example, let's create a specification that will capture the
execution of any DBCC command. We can do this in Management Studio by
right-clicking Server Audit Specifications under Security and choosing
New Server Audit Specification. In the Create Server Audit Specification
screen, shown in figure 2,
select the audit we created earlier, and then choose DBCC_GROUP from
the Audit Action Type drop-down box. If necessary, we can choose
multiple audit actions.
The nice thing about auditing in SQL Server 2008
is that the database-level audit specifications are defined within the
database itself. What this means is that if the database is moved from
one server to another, the database-level audit specification will move
to the new server. When attached to the new server, the audit
specification will be orphaned until you use the ALTER DATABASE AUDIT SPECIFICATION command to reassign it to the new server's Audit object.
Let's expand our audit by including a
database-level audit specification. We'll do this for the AdventureWorks
database by expanding it and right-clicking the Database Audit
Specifications option under Security and choosing New Database Audit
Specification. The Create Database Audit Specification screen is similar
to the one for the server-level specification, as you can see in figure 3.
Again, we'll select the audit created earlier and then select from the
options in the Audit Action Type drop-down box. In this example, we'll
select the DATABASE_ROLE_MEMBER_CHANGE_GROUP option, which will audit
events involving logins being added to or removed from a database role.
Once our audit action groups are defined, we can
start the audit by right-clicking on it and selecting Enable Audit. The
next step is to select the Server and Database Audit specifications,
again by right-clicking on them and choosing Enable. Viewing audit data
is as simple as right-clicking the audit specification and choosing View
Audit Logs. Alternatively, if the audit events are directed to the
Windows event logs, you can read them directly by using the event log
viewing tools.
In our example, after running a DBCC command and
adding a login to a database role, viewing the audit logs will reveal a
screen like the one in figure 4. Although our example was a simple one, it reveals the ease with which granular auditing specifications can be created.
You can use the new Audit feature to create
granular audits at both a server and database level as needed to match
your organization's custom auditing requirements. In comparison to other
auditing options such as the C2 audit mode (described in SQL Server
BOL), it offers a much more flexible option, while enabling powerful
features such as portability of database audit specifications when
transferred between servers.
Let's look at another feature that can be employed as part of a custom auditing solution: DDL triggers.
