  1. Auditing Events in SQL Server 2005
     Jasper Smith, SQL Server MVP
  2. Agenda
       • Trace Enhancements
       • DDL Triggers
       • Event Notifications
  3. Trace Enhancements
  4. Default Trace
       • On by default (controlled by sp_configure 'default trace enabled')
       • Stored in the same folder as the SQL Server Error Log
       • Location can be changed by modifying the -e startup parameter using the SQL Server Configuration Manager
       • Captures mainly audit type trace events
  5. Reading a running trace
       • The system function fn_trace_gettable has been enhanced to allow the reading of running server side traces, e.g.

           select * from ::fn_trace_gettable
             ('C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_15.trc', -1)
           order by StartTime desc

  6. SMO Trace API
       • In the Microsoft.SqlServer.Management.Trace namespace
       • Can read and write Trace Files and Trace Tables
       • Trace sources include SQL Server, Analysis Services and SSIS log tables
       • Can be used to manipulate trace data programmatically
  7. Trace Demo
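An added example (not from the original slides) of reading the default trace for audit events without hard-coding the file path as slide 5 does. It assumes only the SQL Server 2005 catalog views sys.configurations, sys.traces, sys.trace_events and sys.trace_categories; the TOP (200) limit is an arbitrary choice.

```sql
-- Added example: locate the default trace and list its recent
-- security-audit events, newest first.

-- value_in_use = 1 means the default trace is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'default trace enabled';

DECLARE @path nvarchar(260);

-- sys.traces marks the default trace with is_default = 1 and exposes
-- the file it is currently writing to.
SELECT @path = path
FROM sys.traces
WHERE is_default = 1;

IF @path IS NULL
    RAISERROR('Default trace is not running on this instance.', 16, 1);
ELSE
    SELECT TOP (200)
        t.StartTime,
        c.name AS Category,
        e.name AS EventName,
        t.EventSubClass,
        t.LoginName,
        t.NTUserName,
        t.HostName,
        t.ApplicationName,
        t.DatabaseName,
        t.ObjectName,
        t.TextData
    FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
    -- Translate the numeric EventClass into a readable event name.
    JOIN sys.trace_events AS e
        ON e.trace_event_id = t.EventClass
    JOIN sys.trace_categories AS c
        ON c.category_id = e.category_id
    WHERE c.name = 'Security Audit'
    ORDER BY t.StartTime DESC;
```

Because the default trace rolls over and old files are eventually deleted, copy rows you need to keep into a permanent table on a schedule.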
  8. DDL Triggers
  9. SQL 2005 Trigger Types
       • Instead Of Triggers (DML)
       • After Triggers (DML)
       • DDL Triggers
       • React to DDL
       • CREATE, ALTER, DROP
  10. DDL Trigger Syntax

           CREATE TRIGGER trigger_name
           ON { ALL SERVER | DATABASE }
           [ WITH <ddl_trigger_option> ]
           { FOR | AFTER } { event_type | event_group }
           AS { sql_statement [ ...n ]
           | EXTERNAL NAME < method specifier > }

  11. DDL Trigger Scope
       • DATABASE
           Applies the scope of a DDL trigger to the current database. If specified, the trigger fires whenever event_type or event_group happens in the current database.
       • ALL SERVER
           Applies the scope of a DDL trigger to the current server. If specified, the trigger fires whenever the server level event_type or event_group happens anywhere in the current server.
  12. Event Groups
       • DDL_DATABASE_LEVEL_EVENTS
       • DDL_TABLE_VIEW_EVENTS
       • DDL_TABLE_EVENTS (CREATE_TABLE, ALTER_TABLE, DROP_TABLE)
       • DDL_VIEW_EVENTS (CREATE_VIEW, ALTER_VIEW, DROP_VIEW)
       • DDL_INDEX_EVENTS (CREATE_INDEX, ALTER_INDEX, DROP_INDEX)
       • DDL_STATISTICS_EVENTS (CREATE_STATISTICS, ALTER_STATISTICS, DROP_STATISTICS)
  13. eventdata() Function
       • eventdata() returns a value of type xml
       • The base XML schema returned by the eventdata() function depends on the scope and event type

         T-SQL:

           CREATE TRIGGER DDL_TEST ON DATABASE
           FOR CREATE_TABLE
           AS
           PRINT CONVERT(nvarchar(max), eventdata())

  14. eventdata() output

           <EVENT_INSTANCE>
             <PostTime>2004-05-26T21:10:36.393</PostTime>
             <SPID>55</SPID>
             <EventType>CREATE_TABLE</EventType>
             <ServerName>WIN2003</ServerName>
             <LoginName>foo</LoginName>
             <UserName>foo</UserName>
             <DatabaseName>test</DatabaseName>
             <SchemaName>dbo</SchemaName>
             <ObjectName>table1</ObjectName>
             <ObjectType>TABLE</ObjectType>
             <TSQLCommand>
               <SetOptions ANSI_NULLS="ON" AN..... />
               <CommandText>create table foo(bar int)</CommandText>
             </TSQLCommand>
           </EVENT_INSTANCE>

  15. Rollbacks and DDL Triggers
       • If a DDL action is rolled back, so is the logging of the event in an audit table

           BEGIN TRAN
           CREATE TABLE TEST(a int)
           ROLLBACK TRAN

       • Within a DDL trigger you can roll back the DDL that caused it to fire

           CREATE TRIGGER DDLDEMO_ROLBACK ON DATABASE
           FOR CREATE_TABLE
           AS
           PRINT 'Create Table is not allowed'
           ROLLBACK

  16. DDL Trigger Demo
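An added example (not from the original slides) that combines slides 13 to 15: a database-scoped DDL trigger shreds eventdata() into an audit table, and the final batch shows the rollback caveat in practice. The names dbo.DDLAudit and trg_AuditDDL and the grant to public are assumptions made for illustration.

```sql
-- Added example; dbo.DDLAudit and trg_AuditDDL are hypothetical names.
CREATE TABLE dbo.DDLAudit (
    AuditId     int IDENTITY(1,1) PRIMARY KEY,
    PostTime    datetime      NOT NULL,
    EventType   nvarchar(100) NOT NULL,
    LoginName   nvarchar(128) NOT NULL,
    SchemaName  nvarchar(128) NULL,
    ObjectName  nvarchar(128) NULL,
    CommandText nvarchar(max) NULL,
    RawEvent    xml           NOT NULL   -- full payload for later review
);
-- The trigger runs as the caller, so every principal that can issue DDL
-- needs INSERT (and nothing more) on the audit table.
GRANT INSERT ON dbo.DDLAudit TO public;
GO
CREATE TRIGGER trg_AuditDDL ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();
    -- Element names match the EVENT_INSTANCE document on slide 14.
    INSERT dbo.DDLAudit
        (PostTime, EventType, LoginName, SchemaName, ObjectName,
         CommandText, RawEvent)
    SELECT
        @e.value('(/EVENT_INSTANCE/PostTime)[1]',   'datetime'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(100)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]',
                 'nvarchar(max)'),
        @e;
END;
GO
-- Rollback caveat from slide 15: the trigger's INSERT is part of the
-- caller's transaction, so rolling back the DDL removes the audit row too.
BEGIN TRAN;
CREATE TABLE dbo.TEST (a int);
-- Inside the open transaction the audit row is visible.
SELECT * FROM dbo.DDLAudit WHERE ObjectName = N'TEST';
ROLLBACK TRAN;
-- After the rollback the same query finds no trace of the attempt.
SELECT * FROM dbo.DDLAudit WHERE ObjectName = N'TEST';
```

If attempted-but-rolled-back DDL must be recorded, an asynchronous mechanism such as the event notifications covered in the next section is the better fit.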
  17. Event Notifications
  18. Event Notifications
       • Objects that send messages about a database or server event to a Service Broker service
       • To create an event notification, you must complete the following steps:
           • Create a target service to receive event notifications.
           • Create the event notification.
  19. Service Broker
       • Service Broker provides queuing and reliable messaging as part of the Database Engine
       • Event Notification Service is built in to all databases
  20. Event Notification Syntax

           CREATE EVENT NOTIFICATION name
           ON { SERVER | DATABASE | QUEUE }
           [ WITH FAN_IN ]
           FOR { event_type | event_group } [ ,...n ]
           TO SERVICE broker_service
           { 'broker_instance_specifier' | 'current database' }

  21. Trace Events
       • In addition to the DDL events available in DDL Triggers, Event Notifications also allow a subset of Trace events to be captured
           • Audit_Login
           • Audit_Login_Failed
           • Lock_Deadlock
           • Data_File_Auto_Grow
           • Blocked_Process_Report
  22. Creating Event Notifications
       • Create a QUEUE
       • Create a SERVICE on a QUEUE
       • Create a ROUTE for the SERVICE
       • Create an EVENT NOTIFICATION to a SERVICE
       • Create a SERVICE PROGRAM to process notification events in the QUEUE
  23. Event Notifications Demo
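An added example (not from the original slides) that walks through the five steps on slide 22 for the Audit_Login_Failed event. All object names are hypothetical, and it assumes Service Broker is enabled in the current database (is_broker_enabled = 1 in sys.databases).

```sql
-- Added example; every object name below is hypothetical.
CREATE TABLE dbo.LoginFailureLog (
    PostTime  datetime      NULL,
    LoginName nvarchar(128) NULL,
    HostName  nvarchar(128) NULL,
    Detail    nvarchar(max) NULL,
    RawEvent  xml           NOT NULL
);
-- Steps 1-3: queue, service bound to the built-in notification
-- contract, and a local route.
CREATE QUEUE dbo.AuditQueue;
CREATE SERVICE AuditService ON QUEUE dbo.AuditQueue
    ([http://schemas.microsoft.com/SQL/Notifications/PostEventNotification]);
CREATE ROUTE AuditRoute
    WITH SERVICE_NAME = 'AuditService', ADDRESS = 'LOCAL';
-- Step 4: server-scoped notification for failed logins.
CREATE EVENT NOTIFICATION LoginFailedNotify ON SERVER
    FOR AUDIT_LOGIN_FAILED
    TO SERVICE 'AuditService', 'current database';
GO
-- Step 5: service program that drains the queue into the log table.
DECLARE @h uniqueidentifier, @type nvarchar(256), @body xml;
WHILE 1 = 1
BEGIN
    SELECT @h = NULL, @type = NULL, @body = NULL;
    WAITFOR (
        RECEIVE TOP (1)
            @h    = conversation_handle,
            @type = message_type_name,
            @body = CAST(message_body AS xml)
        FROM dbo.AuditQueue
    ), TIMEOUT 5000;
    IF @h IS NULL BREAK;   -- nothing arrived within the timeout
    IF @type = N'http://schemas.microsoft.com/SQL/Notifications/EventNotification'
        INSERT dbo.LoginFailureLog
            (PostTime, LoginName, HostName, Detail, RawEvent)
        SELECT
            @body.value('(/EVENT_INSTANCE/PostTime)[1]',  'datetime'),
            @body.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
            @body.value('(/EVENT_INSTANCE/HostName)[1]',  'nvarchar(128)'),
            @body.value('(/EVENT_INSTANCE/TextData)[1]',  'nvarchar(max)'),
            @body;
    ELSE IF @type IN (N'http://schemas.microsoft.com/SQL/ServiceBroker/EndDialog',
                      N'http://schemas.microsoft.com/SQL/ServiceBroker/Error')
        END CONVERSATION @h;   -- release the finished or failed dialog
END;
```

In production the step 5 batch would normally live in a stored procedure attached to the queue through its ACTIVATION clause, so messages are processed as they arrive.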
  24. WMI Integration
       • WMI Provider for Server Events (SQLWEP)
       • SQL 2005 is a managed WMI object
       • Consume events based on an Event Notification Query
       • WMI Query Language (WQL): simplified form of SQL with WMI specific extensions
       • Easily accessible via the System.Management namespace in the .NET Framework
  25. WQL Examples

           SELECT * FROM DDL_DATABASE_LEVEL_EVENTS
           WHERE DatabaseName = 'AdventureWorks'

           SELECT * FROM ALTER_TABLE
           WHERE DatabaseName = "AdventureWorks"
           AND SchemaName = "Sales"
           AND ObjectType = "Table"
           AND ObjectName = "SalesOrderDetail"

           SELECT * FROM DEADLOCK_GRAPH

  26. WMI and SQL Agent
       • SQL Agent alerts can react to WMI events
       • NOT limited to SQL Server Events
  27. WMI Events Demo
  28. Server Trace Summary
       • Lowest overhead
       • If using standard trace files there can be an increased administration overhead
       • Need to recreate trace after server restart
       • Limited notification ability
  29. DDL Triggers Summary
       • DDL Triggers are synchronous
       • DDL Triggers are tightly coupled to the event that caused them to fire
       • DDL Triggers can respond only to DDL events
       • DDL Triggers can issue a rollback
  30. Event Notifications Summary
       • Event Notifications are asynchronous
       • Target local or remote service
       • React to DDL and subset of Trace events
       • Integrate with WMI and SQL Agent alerts
       • Some additional processing overhead
  31. Questions?
       • Slides will be available soon on
       • and
       • Email [email_address]
  32. Thank You!
       • Thank you for attending this session and the 2005 PASS Community Summit in Grapevine!
       • Please help us improve the quality of our conference by completing your session evaluation form. Completed evaluation forms may be given to the room monitor as you exit or to staff at the registration desk.