当前位置:首页 > 数据库 > MSSQL教程 > 关于MSSQL audit记录1 > 正文

关于MSSQL audit记录1

来源:这里教程网 时间:2026-03-02 11:12:28 作者:

点击(此处)折叠或打开

    -----创建审核对象之前需要切换到master数据库
         --USE [master]
     --GO
     --CREATE SERVER AUDIT MyAudit TO FILE(FILEPATH='D:\SqlAudits') --这里指定文件夹不能指定文件,生成文件都会保存在这个文件夹
     --GO
     --实际上,我们在创建审核对象的同时可以指定审核选项,下面是相关脚本
     --把日志放在磁盘的好处是可以使用新增的TVF:sys.[fn_get_audit_file] 来过滤和排序审核数据,如果把审核数据保存在Windows 事件日志里查询起来非常麻烦
     USE [master]
     GO
     CREATE SERVER AUDIT MyAudit TO FILE(
     FILEPATH='D:\SqlAudits',
     MAXSIZE=2GB,
     MAX_ROLLOVER_FILES=12)
    WITH (
     ON_FAILURE=CONTINUE,
     QUEUE_DELAY=1000);
     ALTER SERVER AUDIT MyAudit WITH(STATE =ON)
     --MAXSIZE:指明每个审核日志文件的最大大小是4GB
     --MAX_ROLLOVER_FILES:指明滚动文件数目,类似于SQL ERRORLOG,达到多少个文件之后删除前面的历史文件,这里是6个文件
     --ON_FAILURE:指明当审核数据发生错误时的操作,这里是继续进行审核,如果指定shutdown,那么将会shutdown整个实例
     --queue_delay:指明审核数据写入的延迟时间,这里是1秒,最小值也是1秒,如果指定0表示是实时写入,当然性能也有一些影响
     --STATE:指明启动审核功能,STATE这个选项不能跟其他选项共用,所以只能单独一句
     --在修改审核选项的时候,需要先禁用审核,再开启审核
     --ALTER SERVER AUDIT MyFileAudit WITH(STATE =OFF)
     --ALTER SERVER AUDIT MyFileAudit WITH(QUEUE_DELAY =1000)
     --ALTER SERVER AUDIT MyFileAudit WITH(STATE =ON)

    USE [T_restore]
     GO
     CREATE DATABASE AUDIT SPECIFICATION CaptureDBActionToEventLog
     FOR SERVER AUDIT MyAudit
     ADD (database_object_change_group),
     ADD (INSERT,UPDATE,DELETE ON schema::dbo BY PUBLIC)
     WITH (STATE =ON)
     --我们先在D盘创建sqldbaudits文件夹
     --第一个操作组对数据库中所有对象的DDL语句create,alter,drop等进行记录
     --第二个语句监视由任何public用户(也就是所有用户)对dbo架构的任何对象所做的DML操作
      

the following sql show how to read the bitry audt file

点击(此处)折叠或打开

    SELECT [event_time] AS '触发审核的日期和时间' ,
                 sequence_number AS '单个审核记录中的记录顺序' ,
             action_id AS '操作的 ID' ,
             succeeded AS '触发事件的操作是否成功' ,
             permission_bitmask AS '权限掩码' ,
             is_column_permission AS '是否为列级别权限' ,
             session_id AS '发生该事件的会话的 ID' ,
             server_principal_id AS '执行操作的登录上下文 ID' ,
             database_principal_id AS '执行操作的数据库用户上下文 ID' ,
             target_server_principal_id AS '执行 GRANT/DENY/REVOKE 操作的服务器主体' ,
             target_database_principal_id AS '执行 GRANT/DENY/REVOKE 操作的数据库主体' ,
             object_id AS '发生审核的实体的 ID(服务器对象,DB,数据库对象,架构对象)' ,
             class_type AS '可审核实体的类型' ,
             session_server_principal_name AS '会话的服务器主体' ,
             server_principal_name AS '当前登录名' ,
             server_principal_sid AS '当前登录名 SID' ,
             database_principal_name AS '当前用户' ,
             target_server_principal_name AS '操作的目标登录名' ,
             target_server_principal_sid AS '目标登录名的 SID' ,
             target_database_principal_name AS '操作的目标用户' ,
             server_instance_name AS '审核的服务器实例的名称' ,
             database_name AS '发生此操作的数据库上下文' ,
             schema_name AS '此操作的架构上下文' ,
             object_name AS '审核的实体的名称' ,
             statement AS 'TSQL 语句(如果存在)' ,
             additional_information AS '单个事件的唯一信息,以 XML 的形式返回' ,
             file_name AS '记录来源的审核日志文件的路径和名称' ,
             audit_file_offset AS '包含审核记录的文件中的缓冲区偏移量' ,
             user_defined_event_id AS '作为 sp_audit_write 参数传递的用户定义事件 ID' ,
             user_defined_information AS '于记录用户想要通过使用 sp_audit_write 存储过程记录在审核日志中的任何附加信息'
     FROM sys.[fn_get_audit_file]('D:\SqlAudits\MyAudit_1FE965A7-77D0-41A6-9D40-543162C722F2_0_131447450891790000.sqlaudit',
                                     DEFAULT, DEFAULT)



{color:red}* how to change the audit actions{color}


--each time diable the audit before you chagne anything
{code:sql}
use datayesdb
go
alter DATABASE AUDIT SPECIFICATION CaptureDBActionToEventLog with  (STATE =OFF)
use master 
ALTER SERVER AUDIT MyAudit WITH(STATE =OFF)
{code}
--switch to user db and change your audit actions
{code:Sql}
use datayesdb
go


alter DATABASE AUDIT SPECIFICATION CaptureDBActionToEventLog 
FOR SERVER AUDIT MyAudit
Drop (INSERT,UPDATE,DELETE ON schema::dbo   BY PUBLIC),
Add (UPDATE,DELETE ON schema::dbo   BY PUBLIC)
alter DATABASE AUDIT SPECIFICATION CaptureDBActionToEventLog WITH (STATE =ON)
{code}
--select the detail into from database_audit_specification_details for verification
{code:sql}select * from sys.database_audit_specification_details
{code}}
database_specification_id audit_action_id audit_action_name                                            class class_desc                                                   major_id    minor_id    audited_principal_id audited_result                                               is_group
------------------------- --------------- ------------------------------------------------------------ ----- ------------------------------------------------------------ ----------- ----------- -------------------- ------------------------------------------------------------ --------
65536                     MNDO            DATABASE_OBJECT_CHANGE_GROUP                                 0     DATABASE                                                     0           0           0                    SUCCESS AND FAILURE                                          1
65536                     DL              DELETE                                                       3     SCHEMA                                                       1           0           0                    SUCCESS AND FAILURE                                          0
65536                     UP              UPDATE                                                       3     SCHEMA                                                       1           0           0                    SUCCESS AND FAILURE                                          0


(3 行受影响)




--the following script will help you get the audit records
{code:sql}
use datayesdb
gp


SELECT CONVERT(datetime,SWITCHOFFSET(CONVERT(datetimeoffset, event_time),DATENAME(TzOffset, SYSDATETIMEOFFSET()))) AS event_time,
'触发审核的日期和时间' ,
        sequence_number AS '单个审核记录中的记录顺序' ,
        action_id AS '操作的 ID' ,
        succeeded AS '触发事件的操作是否成功' ,
        permission_bitmask AS '权限掩码' ,
        is_column_permission AS '是否为列级别权限' ,
        a.session_id AS '发生该事件的会话的 ID' ,
        server_principal_id AS '执行操作的登录上下文 ID' ,
        database_principal_id AS '执行操作的数据库用户上下文 ID' ,
        target_server_principal_id AS '执行 GRANT/DENY/REVOKE 操作的服务器主体' ,
        target_database_principal_id AS '执行 GRANT/DENY/REVOKE 操作的数据库主体' ,
        object_id AS '发生审核的实体的 ID(服务器对象,DB,数据库对象,架构对象)' ,
        class_type AS '可审核实体的类型' ,
        session_server_principal_name AS '会话的服务器主体' ,
        server_principal_name AS '当前登录名' ,
        server_principal_sid AS '当前登录名 SID' ,
        database_principal_name AS '当前用户' ,
        target_server_principal_name AS '操作的目标登录名' ,
        target_server_principal_sid AS '目标登录名的 SID' ,
        target_database_principal_name AS '操作的目标用户' ,
        server_instance_name AS '审核的服务器实例的名称' ,
        database_name AS '发生此操作的数据库上下文' ,
        schema_name AS '此操作的架构上下文' ,
        object_name AS '审核的实体的名称' ,
        statement AS 'TSQL 语句(如果存在)' ,
        additional_information AS '单个事件的唯一信息,以 XML 的形式返回' ,
        file_name AS '记录来源的审核日志文件的路径和名称' ,
        audit_file_offset AS '包含审核记录的文件中的缓冲区偏移量' ,
        user_defined_event_id AS '作为 sp_audit_write 参数传递的用户定义事件 ID' ,
        user_defined_information AS '于记录用户想要通过使用 sp_audit_write 存储过程记录在审核日志中的任何附加信息',
b.CLIENT_NET_ADDRESS AS 'ClientIPAddress'
FROM   sys.[fn_get_audit_file]('D:\SqlAudits\*.sqlaudit',
                                DEFAULT, DEFAULT) a left join SYS.DM_EXEC_CONNECTIONS b
on a.session_id=b.session_id
where event_time between 
dateadd(mi, -10,event_time) and event_time
{code}

--you can get the audit file path and detail info with the following scipt
select * from sys.server_file_audits



--create procedure
-- ================================================
-- Template generated from Template Explorer using:
-- Create Procedure (New Menu).SQL
--
-- Use the Specify Values for Template Parameters 
-- command (Ctrl-Shift-M) to fill in the parameter 
-- values below.
--
-- This block of comments will not be included in
-- the definition of the procedure.
-- ================================================
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- =============================================
-- Author:
-- Create date:
-- Description:
-- =============================================
CREATE PROCEDURE audit_record
@i int = 10 
AS
BEGIN
/****** Script for SelectTopNRows command from SSMS  ******/
insert into [MyAudit].[dbo].[Audit_DYDB_UPDL]
( [event_time]
      ,[sequence_number]
      ,[action_id]
      ,[succeeded]
      ,[permission_bitmask]
      ,[is_column_permission]
      ,[session_id]
      ,[server_principal_id]
      ,[database_principal_id]
      ,[target_server_principal_id]
      ,[target_database_principal_id]
      ,[object_id]
      ,[class_type]
      ,[session_server_principal_name]
      ,[server_principal_name]
      ,[server_principal_sid]
      ,[database_principal_name]
      ,[target_server_principal_name]
      ,[target_server_principal_sid]
      ,[target_database_principal_name]
      ,[server_instance_name]
      ,[database_name]
      ,[schema_name]
      ,[object_name]
      ,[statement]
      ,[additional_information]
      ,[file_name]
      ,[audit_file_offset]
      ,[user_defined_event_id]
      ,[user_defined_information]
      ,[CLIENT_NET_ADDRESS])
 SELECT CONVERT(datetime,SWITCHOFFSET(CONVERT(datetimeoffset, event_time),DATENAME(TzOffset, SYSDATETIMEOFFSET()))) AS '触发审核的日期和时间' ,
--b.connect_time,
        sequence_number AS '单个审核记录中的记录顺序' ,
        action_id AS '操作的 ID' ,
        succeeded AS '触发事件的操作是否成功' ,
        permission_bitmask AS '权限掩码' ,
        is_column_permission AS '是否为列级别权限' ,
        a.session_id AS '发生该事件的会话的 ID' ,
        server_principal_id AS '执行操作的登录上下文 ID' ,
        database_principal_id AS '执行操作的数据库用户上下文 ID' ,
        target_server_principal_id AS '执行 GRANT/DENY/REVOKE 操作的服务器主体' ,
        target_database_principal_id AS '执行 GRANT/DENY/REVOKE 操作的数据库主体' ,
        object_id AS '发生审核的实体的 ID(服务器对象,DB,数据库对象,架构对象)' ,
        class_type AS '可审核实体的类型' ,
        session_server_principal_name AS '会话的服务器主体' ,
        server_principal_name AS '当前登录名' ,
        server_principal_sid AS '当前登录名 SID' ,
        database_principal_name AS '当前用户' ,
        target_server_principal_name AS '操作的目标登录名' ,
        target_server_principal_sid AS '目标登录名的 SID' ,
        target_database_principal_name AS '操作的目标用户' ,
        server_instance_name AS '审核的服务器实例的名称' ,
        database_name AS '发生此操作的数据库上下文' ,
        schema_name AS '此操作的架构上下文' ,
        object_name AS '审核的实体的名称' ,
        statement AS 'TSQL 语句(如果存在)' ,
        additional_information AS '单个事件的唯一信息,以 XML 的形式返回' ,
        file_name AS '记录来源的审核日志文件的路径和名称' ,
        audit_file_offset AS '包含审核记录的文件中的缓冲区偏移量' ,
        user_defined_event_id AS '作为 sp_audit_write 参数传递的用户定义事件 ID' ,
        user_defined_information AS '于记录用户想要通过使用 sp_audit_write 存储过程记录在审核日志中的任何附加信息',
b.CLIENT_NET_ADDRESS AS 'ClientIPAddress' --into MyAudit..Audit_DYDB_UPDL
FROM   sys.[fn_get_audit_file]('D:\SqlAudits\*.sqlaudit',
                                DEFAULT, DEFAULT) a left join SYS.DM_EXEC_CONNECTIONS b
on a.session_id=b.session_id
where 
CONVERT(datetime,SWITCHOFFSET(CONVERT(datetimeoffset, event_time),DATENAME(TzOffset, SYSDATETIMEOFFSET()))) between dateadd(mi, -@i,getdate()) and getdate()


END
GO

------------------------------------------
--create job
USE [msdb]
GO
DECLARE @jobId BINARY(16)
EXEC  msdb.dbo.sp_add_job @job_name=N'DBA_Audit_10min', 
@enabled=1, 
@notify_level_eventlog=0, 
@notify_level_email=2, 
@notify_level_netsend=2, 
@notify_level_page=2, 
@delete_level=0, 
@description=N'record the audit each 10 min', 
@category_name=N'[Uncategorized (Local)]', 
@owner_login_name=N'dba_monitor', @job_id = @jobId OUTPUT
select @jobId
GO
EXEC msdb.dbo.sp_add_jobserver @job_name=N'DBA_Audit_10min', @server_name = N'SH-DM-DB04'
GO
USE [msdb]
GO
EXEC msdb.dbo.sp_add_jobstep @job_name=N'DBA_Audit_10min', @step_name=N'DBA_audit_record_10', 
@step_id=1, 
@cmdexec_success_code=0, 
@on_success_action=1, 
@on_fail_action=2, 
@retry_attempts=0, 
@retry_interval=0, 
@os_run_priority=0, @subsystem=N'TSQL', 
@command=N'MyAudit..audit_record 10', 
@database_name=N'datayesdb', 
@flags=0
GO
USE [msdb]
GO
EXEC msdb.dbo.sp_update_job @job_name=N'DBA_Audit_10min', 
@enabled=1, 
@start_step_id=1, 
@notify_level_eventlog=0, 
@notify_level_email=2, 
@notify_level_netsend=2, 
@notify_level_page=2, 
@delete_level=0, 
@description=N'record the audit each 10 min', 
@category_name=N'[Uncategorized (Local)]', 
@owner_login_name=N'dba_monitor', 
@notify_email_operator_name=N'', 
@notify_netsend_operator_name=N'', 
@notify_page_operator_name=N''
GO
USE [msdb]
GO
DECLARE @schedule_id int
EXEC msdb.dbo.sp_add_jobschedule @job_name=N'DBA_Audit_10min', @name=N'DBA_audit_10', 
@enabled=1, 
@freq_type=4, 
@freq_interval=1, 
@freq_subday_type=4, 
@freq_subday_interval=10, 
@freq_relative_interval=0, 
@freq_recurrence_factor=1, 
@active_start_date=20170719, 
@active_end_date=99991231, 
@active_start_time=0, 
@active_end_time=235959, @schedule_id = @schedule_id OUTPUT
select @schedule_id
GO


点击(此处)折叠或打开

    USE [master]
    GO
    CREATE SERVER AUDIT SPECIFICATION [MyAudit_login]
     FOR SERVER AUDIT [MyAudit]
     ADD (SUCCESSFUL_LOGIN_GROUP)
    GO
    ALTER SERVER AUDIT SPECIFICATION [MyAudit_login] WITH(STATE =ON)


编辑推荐:

相关推荐

最新软件资讯

SQL Server Database 维护计划创建一个完整的备份策略
SQL Server Database 维护计划创建一个完整的备份策略

热文推荐

天极热推