SQL Server Audit, Part 3: Viewing Audit Data


SQL Server Audit series:

 

The audit objects (audits, audit specifications, actions and the audit log itself) can be inspected through catalog views, dynamic management views and the sys.fn_get_audit_file function.

1. Viewing server audit objects

The following query lists the server audit objects; this is the audit's metadata, including the failure behaviour (on_failure), the queue delay and the filter predicate:

select a.audit_id
    ,a.audit_guid
    ,a.name
    ,a.create_date
    ,a.modify_date
    ,a.principal_id as owner_principal_id
    ,a.type
    ,a.type_desc
    ,a.on_failure
    ,a.on_failure_desc
    ,a.is_state_enabled
    ,a.queue_delay
    ,a.predicate
from sys.server_audits a

The following query shows the current state of each audit together with the Extended Events session that implements it. An audit that is not running has no Extended Events session, so it drops out of this inner join; use a left join if you want to list every audit regardless of state:

select s.audit_id
    ,s.name     
    ,s.status
    ,s.status_desc
    ,s.status_time
    ,s.audit_file_path
    ,s.audit_file_size
    ,s.event_session_address
    ,e.name as xe_session_name
    ,e.pending_buffers
    ,e.total_regular_buffers
    ,e.regular_buffer_size
    ,e.large_buffer_size
    ,e.total_buffer_size
    ,e.buffer_policy_flags
    ,e.buffer_policy_desc
    ,e.flags
    ,e.flag_desc
    ,e.dropped_event_count
    ,e.dropped_buffer_count
    ,e.blocked_event_fire_time
    ,e.create_time
    ,e.largest_event_dropped_size
from sys.dm_server_audit_status s
inner join sys.dm_xe_sessions as e
    on s.event_session_address=e.address
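The two queries above show the raw columns; what a reviewer usually wants is a single pass that flags the settings and states that weaken the audit. The following is an added example (not code from the original post): it joins the same three views with left joins so that disabled audits are not hidden, and derives a finding per audit. The on_failure codes used in the CASE (0 = CONTINUE, 1 = SHUTDOWN, 2 = FAIL_OPERATION) are the documented values of sys.server_audits.on_failure.

```sql
-- Added example: health and configuration check over the server audits.
-- Left joins keep audits that are disabled or not started (they have no XE session).
select a.name
    ,a.type_desc                         -- FILE / APPLICATION LOG / SECURITY LOG
    ,a.is_state_enabled
    ,s.status_desc                       -- STARTED, NOT_STARTED, RUNTIME_FAIL, ...
    ,a.on_failure_desc
    ,a.queue_delay                       -- 0 = synchronous write, otherwise milliseconds of buffering
    ,s.audit_file_path
    ,e.dropped_event_count
    ,case
        when a.is_state_enabled = 0
            then 'audit is disabled'
        when s.status_desc <> 'STARTED'
            then 'audit is not running: ' + isnull(s.status_desc, 'unknown')
        when a.on_failure = 0
            then 'ON_FAILURE = CONTINUE: records are silently lost if the target fails'
        when e.dropped_event_count > 0
            then 'Extended Events session has dropped events'
        else 'ok'
     end as finding
from sys.server_audits a
left join sys.dm_server_audit_status s
    on a.audit_id = s.audit_id
left join sys.dm_xe_sessions e
    on s.event_session_address = e.address
order by a.name;
```

Run it as part of a periodic check; any row whose finding is not 'ok' means the audit trail is either not being written or can be lost without anyone noticing.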

2. Audit specifications

Audit specifications come in two kinds: server audit specifications and database audit specifications. The following script lists the database audit specifications of the current database and the actions they contain (the catalog views are per database, so run it in each database you want to inspect):

select s.audit_guid
    ,s.name as audit_specification
    ,s.create_date
    ,s.modify_date
    ,s.is_state_enabled
    ,d.audit_action_id
    ,d.audit_action_name
    ,d.class
    ,d.class_desc
    ,d.major_id
    ,d.minor_id
    ,d.audited_principal_id
    ,d.audited_result
    ,d.is_group
from sys.database_audit_specifications s
inner join sys.database_audit_specification_details as d
    on s.database_specification_id=d.database_specification_id
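The query above covers only the database level and leaves major_id, minor_id and audited_principal_id as raw numbers. The following is an added example (not code from the original post) that does the same for the server level via sys.server_audit_specifications, ties both kinds of specification back to the audit object they feed through audit_guid, and resolves the audited securable and principal to names. The class_desc values in the CASE (DATABASE, SCHEMA, OBJECT_OR_COLUMN) are the securable class names from sys.securable_classes; any other class shows NULL in audited_securable.

```sql
-- Added example: server-level specifications, joined to the audit that receives them.
select a.name as audit_name
    ,a.is_state_enabled as audit_enabled
    ,s.name as audit_specification
    ,s.is_state_enabled as spec_enabled
    ,d.audit_action_name                 -- action group, e.g. FAILED_LOGIN_GROUP
    ,d.audited_result                    -- SUCCESS, FAILURE, or SUCCESS AND FAILURE
from sys.server_audit_specifications s
inner join sys.server_audits a
    on s.audit_guid = a.audit_guid
inner join sys.server_audit_specification_details d
    on s.server_specification_id = d.server_specification_id
order by a.name, s.name, d.audit_action_name;

-- Added example: database-level specifications of the current database, with the
-- audited securable and the audited principal resolved to names.
select a.name as audit_name
    ,s.name as audit_specification
    ,s.is_state_enabled as spec_enabled
    ,d.audit_action_name                 -- SELECT, INSERT, ... or an action group
    ,d.class_desc
    ,case d.class_desc
        when 'DATABASE'         then db_name()
        when 'SCHEMA'           then schema_name(d.major_id)
        when 'OBJECT_OR_COLUMN' then quotename(object_schema_name(d.major_id))
                                     + '.' + quotename(object_name(d.major_id))
        else null
     end as audited_securable
    ,d.minor_id                          -- column id when a single column is audited, else 0
    ,dp.name as audited_principal        -- database principal whose actions are recorded
    ,d.audited_result
from sys.database_audit_specifications s
inner join sys.server_audits a
    on s.audit_guid = a.audit_guid
inner join sys.database_audit_specification_details d
    on s.database_specification_id = d.database_specification_id
left join sys.database_principals dp
    on d.audited_principal_id = dp.principal_id
order by s.name, d.audit_action_name;
```

A specification whose spec_enabled is 1 but whose audit_enabled is 0 records nothing; both flags need to be 1 before any audit record is written.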

3. Audit actions

An audit action is an auditable event, such as a SELECT on a table or a failed login. When you create an audit specification you choose which actions, or which action groups, it records; the catalogue of available actions and groups, and the mapping from class codes to securable types, can be queried as follows:

select a.action_id
    ,a.action_in_log
    ,a.name as action_name
    ,m.class_type
    ,a.class_desc
    ,m.securable_class_desc
    ,a.parent_class_desc
    ,a.covering_action_name
    ,a.configuration_level
    ,a.containing_group_name
from sys.dm_audit_actions a
inner join sys.dm_audit_class_type_map m
    on a.class_desc=m.class_type_desc
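Two lookups against sys.dm_audit_actions are useful in practice: which individual actions a given action group carries (so you know what a group in a specification will record), and which action a short action_id code in the log stands for. The following is an added example (not code from the original post); the group name and the action code are placeholders to replace with the ones you are investigating.

```sql
-- Added example, lookup 1: the individual actions carried by one action group.
-- @group is a placeholder; use the name of the group you plan to put in a specification.
declare @group sysname = N'SCHEMA_OBJECT_ACCESS_GROUP';

select a.action_id
    ,a.name as action_name
    ,a.class_desc
    ,a.parent_class_desc
    ,a.covering_action_name              -- broader action that also records this one
    ,a.configuration_level               -- Group or Action: where it can be configured
from sys.dm_audit_actions a
where a.containing_group_name = @group
order by a.name;

-- Added example, lookup 2: reverse-map an action_id seen in the audit log.
-- action_id is a char(4) code; 'SL' is the code for SELECT. Trailing spaces are
-- ignored by char comparison, so the padded and unpadded forms both match.
declare @action_id char(4) = 'SL';

select a.action_id
    ,a.name
    ,a.class_desc
    ,a.containing_group_name
    ,a.action_in_log                     -- 1 if this action can appear in the log
from sys.dm_audit_actions a
where a.action_id = @action_id;
```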

4. Audit data

The audit data is the reason the audit exists: it lets you trace the events that occurred in the system, with the information related to each event recorded alongside it.

Audit data written to files is read with the function sys.fn_get_audit_file(file_pattern, initial_file_name, audit_record_offset); the first argument may contain a wildcard so that a whole file set is read, and the other two accept DEFAULT (or NULL) to read from the beginning. The columns it returns fall mainly into two classes. The first describes the database environment in which the event occurred:

  • application_name: the name of the client application whose SQL statement triggered the audit event
  • server_instance_name: the SQL Server instance on which the audited event occurred
  • database_name: the database in which the audited action occurred
  • database_principal_id and database_principal_name: the database user under which the audited action ran
  • server_principal_id and server_principal_name: the login under which the audited action ran (the current login)
  • server_principal_sid: the SID of that login
  • session_id: the session in which the audited action occurred
  • session_server_principal_name: the login that opened the session; this differs from server_principal_name when EXECUTE AS or another form of impersonation is in effect

The second class describes the event itself and the data associated with it:

  • action_id: the audit action ID (the short code that sys.dm_audit_actions maps to a name)
  • event_time: the time at which the audit action fired
  • class_type: the type of the object the audited action targeted
  • schema_name: the schema of the object the audited action targeted
  • object_id and object_name: the ID and name of the object the audited action targeted
  • statement: the SQL statement that was executed (it may contain literal values, so the audit file itself is sensitive data)
  • succeeded: whether the audited action succeeded; a value of 0 on a permission-checked action is a denied attempt
  • sequence_group_id and sequence_number: when a single audit record is too large to fit in one write buffer it is split into a group of records; sequence_number gives their order within that group

The following script reads the audit trail and joins the codes to their names (the file path is this example's own; replace it with the audit_file_path shown by sys.dm_server_audit_status). Records whose class_type has no entry in sys.dm_audit_class_type_map are dropped by the inner join; use a left join to see every record:

select  f.event_time
    ,f.sequence_group_id
    ,f.sequence_number
    ,f.action_id
    ,a.name as action_name
    ,f.succeeded
    ,f.server_principal_name
    ,f.database_principal_name
    ,f.database_name
    ,f.object_id
    ,f.schema_name
    ,f.object_name
    ,f.class_type
    ,m.class_type_desc
    ,f.statement
    ,f.session_id
    ,f.application_name
from sys.fn_get_audit_file('G:\AuditFiles\MonitorQuery\*',default,default) f
inner join sys.dm_audit_actions a 
    on f.action_id=a.action_id
inner join sys.dm_audit_class_type_map m
    on f.class_type=m.class_type
order by f.event_time
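Reading the whole file set every time does not scale, and the columns above are most useful when turned into questions. The following is an added example (not code from the original post) that reads the trail incrementally from a checkpoint, then runs two triage queries over the batch: denied or failed actions per login, and records where the current login differs from the session login, which is what impersonation looks like in the log. The path, the checkpoint variables and the temporary table are assumptions of this example. fn_get_audit_file starts reading at the buffer that follows the given offset, so a checkpoint is a lower bound rather than an exact cursor; deduplicate downstream before alerting on a record.

```sql
-- Added example: incremental review of the audit trail.
declare @pattern nvarchar(260) = N'G:\AuditFiles\MonitorQuery\*';  -- assumed path

-- 1) Checkpoint from the previous run: file name and audit_file_offset of the
--    last record processed. NULL means read the whole file set. In practice
--    persist these two values in a table between runs.
declare @last_file   nvarchar(260) = null;
declare @last_offset bigint        = null;

select f.event_time
    ,f.action_id
    ,f.succeeded
    ,f.session_server_principal_name
    ,f.server_principal_name
    ,f.database_name
    ,f.schema_name
    ,f.object_name
    ,f.statement
    ,f.file_name
    ,f.audit_file_offset
into #batch
from sys.fn_get_audit_file(@pattern, @last_file, @last_offset) f;

-- 2) Triage: failed or denied actions, per login and action
select f.server_principal_name
    ,a.name as action_name
    ,count(*)          as failures
    ,min(f.event_time) as first_seen
    ,max(f.event_time) as last_seen
from #batch f
inner join sys.dm_audit_actions a
    on f.action_id = a.action_id
where f.succeeded = 0
group by f.server_principal_name, a.name
order by failures desc;

-- 3) Triage: impersonation in effect (EXECUTE AS, or a proxy login)
--    the login that opened the session is not the login the statement ran as.
select f.event_time
    ,f.session_server_principal_name as session_login
    ,f.server_principal_name         as effective_login
    ,f.database_name
    ,f.object_name
    ,f.statement
from #batch f
where f.session_server_principal_name <> f.server_principal_name
order by f.event_time;

-- 4) New checkpoint for the next run (the latest record in this batch)
select top (1)
     @last_file   = f.file_name
    ,@last_offset = f.audit_file_offset
from #batch f
order by f.event_time desc, f.file_name desc, f.audit_file_offset desc;

drop table #batch;
```

The account reading the files needs CONTROL SERVER (or the audit file must be copied somewhere the reviewer can read it); keep that in mind when deciding where this runs, because whoever can read the trail can also see every literal captured in the statement column.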

 

References:

SQL Server Audit (Database Engine)
