1). 在所有服务器上创建审计日志目录D:\audit\mssql,下面创建的审计日志需要占用10G的空间。
mkdir D:\audit\mssql
2). 在数据库上创建审计
USE [master]
GO
CREATE SERVER AUDIT [adt_mssql]
TO FILE
( FILEPATH = N'D:\audit\mssql' #写入到文件,也可以写入到Application log和security log)
,MAXSIZE = 100 MB
,MAX_ROLLOVER_FILES = 100
,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
,ON_FAILURE = CONTINUE
)
GO
3). 在数据库上启用审计
USE [master]
GO
ALTER SERVER AUDIT [adt_mssql]
WITH (STATE = ON);
GO
4). 创建数据库级别的审计规则
USE [master]
GO
CREATE SERVER AUDIT SPECIFICATION [sadt_mssql_spec]
FOR SERVER AUDIT [adt_mssql]
ADD (AUDIT_CHANGE_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP),
ADD (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP),
ADD (FAILED_LOGIN_GROUP),
ADD (FAILED_DATABASE_AUTHENTICATION_GROUP),
ADD (LOGOUT_GROUP),
ADD (DATABASE_LOGOUT_GROUP),
ADD (BROKER_LOGIN_GROUP),
ADD (DATABASE_MIRRORING_LOGIN_GROUP),
ADD (LOGIN_CHANGE_PASSWORD_GROUP),
ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),
ADD (USER_CHANGE_PASSWORD_GROUP),
ADD (DATABASE_PERMISSION_CHANGE_GROUP),
ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
ADD (SERVER_PERMISSION_CHANGE_GROUP),
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
ADD (BACKUP_RESTORE_GROUP),
ADD (DATABASE_CHANGE_GROUP),
ADD (SERVER_OPERATION_GROUP),
ADD (SERVER_STATE_CHANGE_GROUP),
ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
GO
5). 启用审计规则
USE [master]
GO
ALTER SERVER AUDIT SPECIFICATION [sadt_mssql_spec]
WITH (STATE = ON);
GO
6). 查看审计日志
a). 通过SSMS查看
b). 通过函数查看
select * from sys.fn_get_audit_file('D:\audit\adt_mssql_E4BAB724-B173-47B3-AA2E-15EBDABA1CCB_0_133468214579680000.sqlaudit',default,default)