
AUDITING IN SQL SERVER 2012

In addition to the audit features available in earlier versions, SQL Server 2012 adds many new features, including several significant improvements to SQL Server's auditing capability.
The first part of this article reviews all the audit features available in earlier versions of SQL Server, namely:

Trigger
SQL Server Audit
Change Data Capture (CDC)
Change Tracking (CT)

1. Trigger
A trigger is a database object that runs a stored procedure whenever a change occurs. There are two kinds of trigger:

DDL Trigger: applies to changes to the structure of the database, such as ALTER DATABASE, CREATE TABLE, ...
DML Trigger: applies to changes made directly to the data, such as UPDATE, INSERT, DELETE.

Triggers can be used for many different purposes, for example:

To prevent changes to the structure of a table (DDL Trigger for ALTER TABLE)
To reformat values before they are inserted into a table (DML Trigger for INSERT in Instead or After mode)
To log changes to the structure or the data of a table (DDL Trigger or DML Trigger)

Triggers can be set up to log changes to many places:

Store the changes in one or more tables, belonging to one or more databases, on one or more servers (using Linked Server).
Use Service Broker to send messages to different destinations, such as a file on the server, an event in Event Viewer, or an email to the administrator.

The following example creates a trigger that captures every event related to DDL statements in the Test database and stores them in the DDL_Log table.
USE Test
GO

-- create the DDL_Log table
CREATE TABLE DDL_Log
(
    PostTime datetime,
    DB_User nvarchar (100),
    Event nvarchar (100),
    TSQL nvarchar (2000)
)
GO
-- create the trigger: fires on every database-level DDL event
CREATE TRIGGER myDDLTrigger
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
DECLARE @data XML
-- EVENTDATA() returns the XML description of the event that fired the trigger
SET @data = EVENTDATA()
INSERT DDL_Log (PostTime, DB_User, Event, TSQL)
VALUES
(
    GETDATE(),
    CONVERT(nvarchar(100), CURRENT_USER),
    @data.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)'),
    @data.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'nvarchar(2000)')
) ;
GO

2. SQL Server Audit


SQL Server Audit has been available since SQL Server 2008 Enterprise. It simplifies automatic auditing and can replace hand-written triggers. SQL Server Audit can be configured to audit at two levels: instance and database.
The components of SQL Server Audit:

Audit Object: each instance can contain many different audits. Every audit must name an audit destination where the audited information is recorded.
Server Audit Specification: defines, for a specific audit, the set of instance-level actions to be audited, for example CREATE LOGIN, ALTER DATABASE, ... One server audit specification can be created for each SQL Server Audit.
Database Audit Specification: defines, for a specific audit, the set of database-object actions to be audited, for example CREATE TABLE, ALTER VIEW, ... One database audit specification can be created for each SQL Server Audit.
Target: the audit destination named in each audit. The target can be a file, the Windows Security event log, or the Windows Application event log.

The following example creates an audit that logs information whenever a connection fails to log in (for various reasons: wrong username, wrong password, ...) and stores that information in the Windows Application log.

USE master ;
GO
-- Create the audit
CREATE SERVER AUDIT mySQLServerAudit TO APPLICATION_LOG WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Create the server audit specification and attach it to the audit
-- (STATE = ON is required: a specification is created disabled by default)
CREATE SERVER AUDIT SPECIFICATION FailedLoginServerAuditSpecification FOR SERVER AUDIT mySQLServerAudit ADD (FAILED_LOGIN_GROUP) WITH (STATE = ON);
GO
-- Enable the audit
ALTER SERVER AUDIT mySQLServerAudit WITH (STATE = ON);
GO

3. Change Data Capture (CDC)


Microsoft introduced CDC in SQL Server 2008 to simplify, and possibly replace, the use of DML triggers for keeping a trail of changed data.
Once the feature is enabled and configured, CDC records every change (Insert, Update, Delete) to the data in a table and stores those changes in system tables.
CDC can record the following information:

Update mask: indicates the DML operation applied to the data, where 1 = Delete, 2 = Insert, 3 = Before Update, 4 = After Update
The data that was changed
The time at which the data was changed

With this information, an administrator can easily check and follow these changes through stored procedures, or by looking directly at the system tables that CDC creates.
The following example enables CDC for the table Test and views the changes by querying a stored procedure or the system table.
-- enable CDC for the database
EXEC sys.sp_cdc_enable_db
GO
-- enable CDC for the table Test
EXEC sys.sp_cdc_enable_table N'dbo', N'Test',DEFAULT,DEFAULT, 1
GO
/* run some INSERT, UPDATE and DELETE statements */
-- view the changes by querying the CDC function generated for the capture
-- instance (dbo_Test, the default name for table dbo.Test)
SELECT * FROM cdc.fn_cdc_get_all_changes_dbo_Test
(sys.fn_cdc_get_min_lsn('dbo_Test'), sys.fn_cdc_get_max_lsn(),N'all')
-- view the changes directly in the system table
SELECT * FROM cdc.dbo_Test_CT

4. Change Tracking (CT)


Change Tracking lets applications follow the changes made to their own tables. The difference between CT and CDC is that CT does not store the current data each time a change occurs; it stores only some basic information, such as the primary key of the changed row, the number of times the row has changed, ...
Change Tracking must be enabled for each table you want to track.
-- enable Change Tracking for the database
ALTER DATABASE AdventureWorks2012
SET CHANGE_TRACKING = ON
(CHANGE_RETENTION = 2 DAYS, AUTO_CLEANUP = ON);
-- enable Change Tracking for the table
ALTER TABLE Test
ENABLE CHANGE_TRACKING
WITH (TRACK_COLUMNS_UPDATED = ON);

After Change Tracking is enabled, several views and functions can be used to inspect it:
-- list the databases in the instance that have Change Tracking enabled
SELECT * FROM sys.change_tracking_databases;
-- list the tables in the current database that have Change Tracking enabled
SELECT * FROM sys.change_tracking_tables;
/* list every row of table Test (which has Change Tracking enabled)
together with the corresponding version information */
SELECT t.*, ct.*
FROM Test t CROSS APPLY
CHANGETABLE ( VERSION Test, (id), (t.id) ) AS ct;

With the features above, administrators can audit in detail the changes to both the structure and the data of their databases.

So what improvements does SQL Server 2012 bring to auditing in general and to SQL Server Audit in particular? Many database administrators are asking this question, and it is answered through the features covered in this Part 2, which are:

The ability to create a User-defined Audit
The ability to filter an audit (Audit Filtering)
Support for automatic log recovery (Audit resilience)

In addition, instead of being offered only in the Enterprise edition as in SQL Server 2008, SQL Server Audit is now built into every edition of SQL Server 2012, with significantly improved speed and more features.

1. User-Defined Audit
User-Defined Audit lets applications define their own events and write audit log information more flexibly, for example writing to the audit log the names of the users who sign in to the application, instead of the shared login declared in the connection string that the application uses to connect to the database.
Such audit events can be added with the stored procedure sp_audit_write. All of these events are then recorded in the group USER_DEFINED_AUDIT_GROUP. Note that USER_DEFINED_AUDIT_GROUP must be enabled beforehand for this to work.
The following example writes to the audit log an event with id = 141 together with some free-form information.
EXEC sp_audit_write
@user_defined_event_id = 141,
@succeeded = 0,
@user_defined_information = N'My information' ;

Several new columns were added to sys.server_audits, sys.server_file_audits and sys.fn_get_audit_file to track user-defined audit events.

2. Audit Filtering
Previously it was not easy to filter (by some specific condition) only the events an administrator was interested in. SQL Server 2012 addresses this with the Audit Filtering feature.
SQL Server Audit can now filter the events to be audited before they are written to the audit log, through the WHERE clause of the CREATE SERVER AUDIT and ALTER SERVER AUDIT statements.

2.1. CREATE SERVER AUDIT (Transact-SQL)

http://msdn.microsoft.com/en-us/library/cc280448%28v=sql.110%29.aspx
Syntax
CREATE SERVER AUDIT audit_name
{
    TO { [ FILE (<file_options> [ , ...n ] ) ] | APPLICATION_LOG | SECURITY_LOG }
    [ WITH ( <audit_options> [ , ...n ] ) ]
    [ WHERE <predicate_expression> ]
}
[ ; ]
<file_options>::=
{
    FILEPATH = 'os_file_path'
    [ , MAXSIZE = { max_size { MB | GB | TB } | UNLIMITED } ]
    [ , { MAX_ROLLOVER_FILES = { integer | UNLIMITED } } | { MAX_FILES = integer } ]
    [ , RESERVE_DISK_SPACE = { ON | OFF } ]
}
<audit_options>::=
{
    [ QUEUE_DELAY = integer ]
    [ , ON_FAILURE = { CONTINUE | SHUTDOWN | FAIL_OPERATION } ]
    [ , AUDIT_GUID = uniqueidentifier ]
}
<predicate_expression>::=
{
    [NOT ] <predicate_factor>
    [ { AND | OR } [NOT ] { <predicate_factor> } ]
    [,...n ]
}
<predicate_factor>::=
    event_field_name { = | < > | ! = | > | > = | < | < = } { number | ' string ' }

Arguments
TO { FILE | APPLICATION_LOG | SECURITY_LOG }
Determines the location of the audit target. The options are a binary file, the Windows
Application log, or the Windows Security log. SQL Server cannot write to the Windows Security
log without configuring additional settings in Windows. For more information, see Write SQL
Server Audit Events to the Security Log.
FILEPATH ='os_file_path'
The path of the audit log. The file name is generated based on the audit name and audit GUID.
MAXSIZE = { max_size }
Specifies the maximum size to which the audit file can grow. The max_size value must be an
integer followed by MB, GB, TB, or UNLIMITED. The minimum size that you can specify for
max_size is 2 MB and the maximum is 2,147,483,647 TB. When UNLIMITED is specified, the
file grows until the disk is full. Specifying a value lower than 2 MB will raise the error
MSG_MAXSIZE_TOO_SMALL. The default value is UNLIMITED.
MAX_ROLLOVER_FILES ={ integer | UNLIMITED }
Specifies the maximum number of files to retain in the file system in addition to the current file.
The MAX_ROLLOVER_FILES value must be an integer or UNLIMITED. The default value is
UNLIMITED. This parameter is evaluated whenever the audit restarts (which can happen when
the instance of the Database Engine restarts or when the audit is turned off and then on again) or
when a new file is needed because the MAXSIZE has been reached. When
MAX_ROLLOVER_FILES is evaluated, if the number of files exceeds the
MAX_ROLLOVER_FILES setting, the oldest file is deleted. As a result, when the setting of
MAX_ROLLOVER_FILES is 0 a new file is created each time the
MAX_ROLLOVER_FILES setting is evaluated. Only one file is automatically deleted when
MAX_ROLLOVER_FILES setting is evaluated, so when the value of
MAX_ROLLOVER_FILES is decreased, the number of files will not shrink unless old files are
manually deleted. The maximum number of files that can be specified is 2,147,483,647.
MAX_FILES =integer
Specifies the maximum number of audit files that can be created. Does not rollover to the first file
when the limit is reached. When the MAX_FILES limit is reached, any action that causes
additional audit events to be generated will fail with an error.
RESERVE_DISK_SPACE = { ON | OFF }
This option pre-allocates the file on the disk to the MAXSIZE value. It applies only if MAXSIZE
is not equal to UNLIMITED. The default value is OFF.
QUEUE_DELAY =integer
Determines the time, in milliseconds, that can elapse before audit actions are forced to be
processed. A value of 0 indicates synchronous delivery. The minimum settable queue delay value
is 1000 (1 second), which is the default. The maximum is 2,147,483,647 (2,147,483.647 seconds
or 24 days, 20 hours, 31 minutes, 23.647 seconds). Specifying an invalid number will raise the
error MSG_INVALID_QUEUE_DELAY.
ON_FAILURE = { CONTINUE | SHUTDOWN | FAIL_OPERATION }
Indicates whether the instance writing to the target should fail, continue, or stop SQL Server if the
target cannot write to the audit log. The default value is CONTINUE.
CONTINUE
SQL Server operations continue. Audit records are not retained. The audit continues to attempt to
log events and will resume if the failure condition is resolved. Selecting the continue option can
allow unaudited activity, which could violate your security policies. Use this option when
continuing operation of the Database Engine is more important than maintaining a complete
audit.
SHUTDOWN
Forces a server shut down when the server instance writing to the target cannot write data to the
audit target. The login issuing this must have the SHUTDOWN permission. If the logon does not
have this permission, this function will fail and an error message will be raised. No audited events
occur. Use the option when an audit failure could compromise the security or integrity of the
system.
FAIL_OPERATION
Database actions fail if they cause audited events. Actions which do not cause audited events can
continue, but no audited events can occur. The audit continues to attempt to log events and will
resume if the failure condition is resolved. Use this option when maintaining a complete audit is
more important than full access to the Database Engine.
AUDIT_GUID =uniqueidentifier
To support scenarios such as database mirroring, an audit needs a specific GUID that matches the
GUID found in the mirrored database. The GUID cannot be modified after the audit has been
created.
predicate_expression
Specifies the predicate expression used to determine if an event should be processed or not.
Predicate expressions are limited to 3000 characters, which limits string arguments.
event_field_name
Is the name of the event field that identifies the predicate source. Audit fields are described in
sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and
audit_file_offset.
number
Is any numeric type including decimal. Limitations are the lack of available physical memory or a
number that is too large to be represented as a 64-bit integer.
' string '
Either an ANSI or Unicode string as required by the predicate compare. No implicit string type
conversion is performed for the predicate compare functions. Passing the wrong type results in an
error.

Examples

A. Creating a server audit with a file target


The following example creates a server audit called HIPAA_Audit with a binary file as the target and no
options.
CREATE SERVER AUDIT HIPAA_Audit
TO FILE ( FILEPATH ='\\SQLPROD_1\Audit\' );

B. Creating a server audit with a Windows Application log target with options
The following example creates a server audit called HIPAA_Audit with the target set for the Windows
Application log. The queue is written every second and shuts down the SQL Server engine on failure.
CREATE SERVER AUDIT HIPAA_Audit
TO APPLICATION_LOG
WITH ( QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);

C. Creating a server audit containing a WHERE clause


The following example creates a database, schema, and two tables for the example. The table named
DataSchema.SensitiveData will contain confidential data and access to the table must be recorded in the
audit. The table named DataSchema.GeneralData does not contain confidential data. The database audit
specification audits access to all objects in the DataSchema schema. The server audit is created with a
WHERE clause that limits the server audit to only the SensitiveData table. The server audit presumes an
audit folder exists at C:\SQLAudit.
CREATE DATABASE TestDB;
GO
USE TestDB;
GO
CREATE SCHEMA DataSchema;
GO
CREATE TABLE DataSchema.GeneralData (ID int PRIMARY KEY, DataField varchar(50)
NOT NULL);
GO
CREATE TABLE DataSchema.SensitiveData (ID int PRIMARY KEY, DataField varchar(50)
NOT NULL);
GO
-- Create the server audit in the master database
USE master;
GO
CREATE SERVER AUDIT AuditDataAccess
TO FILE ( FILEPATH ='C:\SQLAudit\' )
WHERE object_name = 'SensitiveData' ;
GO
ALTER SERVER AUDIT AuditDataAccess WITH (STATE = ON);
GO
-- Create the database audit specification in the TestDB database
USE TestDB;
GO
CREATE DATABASE AUDIT SPECIFICATION [FilterForSensitiveData]
FOR SERVER AUDIT [AuditDataAccess]
ADD (SELECT ON SCHEMA::[DataSchema] BY [public])
WITH (STATE = ON);
GO
-- Trigger the audit event by selecting from tables
SELECT ID, DataField FROM DataSchema.GeneralData;
SELECT ID, DataField FROM DataSchema.SensitiveData;
GO
-- Check the audit for the filtered content
SELECT * FROM
fn_get_audit_file('C:\SQLAudit\AuditDataAccess_*.sqlaudit',default,default);
GO

2.2. ALTER SERVER AUDIT (Transact-SQL)


http://msdn.microsoft.com/en-us/library/cc280563%28v=sql.110%29.aspx
Syntax
ALTER SERVER AUDIT audit_name
{
[ TO { { FILE ( <file_options> [, ...n] ) } | APPLICATION_LOG |
SECURITY_LOG } ]
[ WITH ( <audit_options> [ , ...n] ) ]
[ WHERE <predicate_expression> ]
}
| REMOVE WHERE
| MODIFY NAME = new_audit_name
[ ; ]
<file_options>::=
{
FILEPATH = 'os_file_path'
| MAXSIZE = { max_size { MB | GB | TB } | UNLIMITED }
| MAX_ROLLOVER_FILES = { integer | UNLIMITED }
| MAX_FILES = integer
| RESERVE_DISK_SPACE = { ON | OFF }
}
<audit_options>::=
{
QUEUE_DELAY = integer
| ON_FAILURE = { CONTINUE | SHUTDOWN | FAIL_OPERATION }
| STATE = { ON | OFF }
}
<predicate_expression>::=
{
[NOT ] <predicate_factor>
[ { AND | OR } [NOT ] { <predicate_factor> } ]
[,...n ]
}
<predicate_factor>::=
event_field_name { = | < > | ! = | > | > = | < | < = } { number |
' string ' }

Arguments
TO { FILE | APPLICATION_LOG | SECURITY_LOG }
Determines the location of the audit target. The options are a binary file, the Windows application log, or
the Windows security log.
FILEPATH = 'os_file_path'
The path of the audit trail. The file name is generated based on the audit name and audit GUID.
MAXSIZE =max_size
Specifies the maximum size to which the audit file can grow. The max_size value must be an integer
followed by MB, GB, TB, or UNLIMITED. The minimum size that you can specify for max_size is 2 MB
and the maximum is 2,147,483,647 TB. When UNLIMITED is specified the file grows until the disk is
full. Specifying a value lower than 2 MB will raise the error MSG_MAXSIZE_TOO_SMALL. The default
value is UNLIMITED.
MAX_ROLLOVER_FILES =integer | UNLIMITED
Specifies the maximum number of files to retain in the file system. When the setting of
MAX_ROLLOVER_FILES=0 there is no limit imposed on the number of rollover files that will be
created. The default value is 0. The maximum number of files that can be specified is 2,147,483,647.
MAX_FILES =integer
Specifies the maximum number of audit files that can be created. Does not rollover to the first file when the
limit is reached. When the MAX_FILES limit is reached, any action that causes additional audit events to
be generated will fail with an error.
RESERVE_DISK_SPACE = { ON | OFF }
This option pre-allocates the file on the disk to the MAXSIZE value. Only applies if MAXSIZE is not
equal to UNLIMITED. The default value is OFF.
QUEUE_DELAY =integer
Determines the time in milliseconds that can elapse before audit actions are forced to be processed. A value
of 0 indicates synchronous delivery. The minimum settable queue delay value is 1000 (1 second), which is
the default. The maximum is 2,147,483,647 (2,147,483.647 seconds or 24 days, 20 hours, 31 minutes,
23.647 seconds). Specifying an invalid number will raise the error MSG_INVALID_QUEUE_DELAY.
ON_FAILURE = { CONTINUE | SHUTDOWN | FAIL_OPERATION}
Indicates whether the instance writing to the target should fail, continue, or stop if SQL Server cannot write
to the audit log.
CONTINUE
SQL Server operations continue. Audit records are not retained. The audit continues to attempt to log
events and will resume if the failure condition is resolved. Selecting the continue option can allow
unaudited activity, which could violate your security policies. Use this option when continuing operation of
the Database Engine is more important than maintaining a complete audit.
SHUTDOWN
Forces a server shut down when the server instance writing to the target cannot write data to the audit
target. The login issuing this must have the SHUTDOWN permission. If the logon does not have this
permission, this function will fail and an error message will be raised. No audited events occur. Use the
option when an audit failure could compromise the security or integrity of the system.
FAIL_OPERATION
Database actions fail if they cause audited events. Actions which do not cause audited events can continue,
but no audited events can occur. The audit continues to attempt to log events and will resume if the failure
condition is resolved. Use this option when maintaining a complete audit is more important than full access
to the Database Engine.
STATE = { ON | OFF }
Enables or disables the audit from collecting records. Changing the state of a running audit (from ON to
OFF) creates an audit entry that the audit was stopped, the principal that stopped the audit, and the time the
audit was stopped.
MODIFY NAME = new_audit_name
Changes the name of the audit. Cannot be used with any other option.
predicate_expression
Specifies the predicate expression used to determine if an event should be processed or not. Predicate
expressions are limited to 3000 characters, which limits string arguments.
event_field_name
Is the name of the event field that identifies the predicate source. Audit fields are described in
sys.fn_get_audit_file (Transact-SQL). All fields can be audited except file_name and audit_file_offset.
number
Is any numeric type including decimal. Limitations are the lack of available physical memory or a number
that is too large to be represented as a 64-bit integer.
' string '
Either an ANSI or Unicode string as required by the predicate compare. No implicit string type conversion
is performed for the predicate compare functions. Passing the wrong type results in an error.

Examples

A. Changing a server audit name


The following example changes the name of the server audit HIPAA_Audit to HIPAA_Audit_Old.
USE master
GO
ALTER SERVER AUDIT HIPAA_Audit
WITH (STATE = OFF);
GO
ALTER SERVER AUDIT HIPAA_Audit
MODIFY NAME = HIPAA_Audit_Old;
GO
ALTER SERVER AUDIT HIPAA_Audit_Old
WITH (STATE = ON);
GO

B. Changing a server audit target


The following example changes the server audit called HIPAA_Audit to a file target.
USE master
GO
ALTER SERVER AUDIT HIPAA_Audit
WITH (STATE = OFF);
GO
ALTER SERVER AUDIT HIPAA_Audit
TO FILE (FILEPATH ='\\SQLPROD_1\Audit\',
MAXSIZE = 1000 MB,
RESERVE_DISK_SPACE=OFF)
WITH (QUEUE_DELAY = 1000,
ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT HIPAA_Audit
WITH (STATE = ON);
GO

C. Changing a server audit WHERE clause


The following example modifies the WHERE clause created in example C of CREATE SERVER AUDIT
(Transact-SQL). The new WHERE clause filters for the user-defined event id of 27.
ALTER SERVER AUDIT [FilterForSensitiveData] WITH (STATE = OFF)
GO
ALTER SERVER AUDIT [FilterForSensitiveData]
WHERE user_defined_event_id = 27;
GO
ALTER SERVER AUDIT [FilterForSensitiveData] WITH (STATE = ON);
GO

D. Removing a WHERE clause


The following example removes a WHERE clause predicate expression.
ALTER SERVER AUDIT [FilterForSensitiveData] WITH (STATE = OFF)
GO
ALTER SERVER AUDIT [FilterForSensitiveData]
REMOVE WHERE;
GO
ALTER SERVER AUDIT [FilterForSensitiveData] WITH (STATE = ON);
GO

E. Renaming a server audit


The following example changes the server audit name from FilterForSensitiveData to AuditDataAccess.
ALTER SERVER AUDIT [FilterForSensitiveData] WITH (STATE = OFF)
GO
ALTER SERVER AUDIT [FilterForSensitiveData]
MODIFY NAME = AuditDataAccess;
GO
ALTER SERVER AUDIT [AuditDataAccess] WITH (STATE = ON);
GO

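The following example creates a server audit that writes to the audit log only the events with id = 141.

CREATE SERVER AUDIT [MyFilteredAuditEvent]
TO APPLICATION_LOG -- the TO clause is required; this target is assumed here
WHERE user_defined_event_id = 141;
GO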
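
The User-Defined Audit and Audit Filtering passages fit together into one end-to-end setup. The script below is an added example, not code from the original article. The names AppUserAudit, AppUserAuditSpec and dbo.usp_LogAppUser and the sample user names are assumptions; the Test database, event id 141 and the C:\SQLAudit\ folder follow the examples above.

```sql
-- Added example (not from the original article). Assumed names: AppUserAudit,
-- AppUserAuditSpec, dbo.usp_LogAppUser. The folder C:\SQLAudit\ must already exist.
USE master;
GO
-- 1. Audit that keeps only user-defined events with id 141.
CREATE SERVER AUDIT AppUserAudit
TO FILE (FILEPATH = 'C:\SQLAudit\')
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
WHERE user_defined_event_id = 141;
GO
-- 2. sp_audit_write records nothing unless USER_DEFINED_AUDIT_GROUP is enabled.
CREATE SERVER AUDIT SPECIFICATION AppUserAuditSpec
FOR SERVER AUDIT AppUserAudit
ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT AppUserAudit WITH (STATE = ON);
GO
USE Test;
GO
-- 3. Wrapper the application calls after its own sign-in, so the audit log
--    carries the application user and not only the shared SQL login.
CREATE PROCEDURE dbo.usp_LogAppUser
    @app_user  nvarchar(128),
    @succeeded bit
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @info nvarchar(4000) = N'app_user=' + @app_user;
    EXEC sys.sp_audit_write
        @user_defined_event_id = 141,
        @succeeded = @succeeded,
        @user_defined_information = @info;
END;
GO
-- Constructed sample calls: one successful and one failed application sign-in.
EXEC dbo.usp_LogAppUser @app_user = N'alice',   @succeeded = 1;
EXEC dbo.usp_LogAppUser @app_user = N'mallory', @succeeded = 0;
-- Event id 27 does not match the audit's WHERE predicate, so it is not written.
EXEC sys.sp_audit_write @user_defined_event_id = 27, @succeeded = 1,
     @user_defined_information = N'filtered out';
GO
-- 4. Wait past QUEUE_DELAY, then read the audit file back.
WAITFOR DELAY '00:00:02';
SELECT event_time, succeeded, server_principal_name,
       user_defined_event_id, user_defined_information
FROM sys.fn_get_audit_file('C:\SQLAudit\AppUserAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE user_defined_event_id = 141
ORDER BY event_time;
GO
```

Any member of the public role can call sp_audit_write, so treat user_defined_information as application-supplied text and correlate it with server_principal_name and event_time when reviewing the log.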

3. Audit Resilience
Audit Resilience makes it possible to customize how SQL Server responds, and to reduce the loss of audit data, when writing the audit log fails for reasons such as write errors, network errors, ...
Two new options support this feature and are configured whenever an audit is created:

On Audit Log Failure: three choices define how SQL Server reacts when it cannot write the audit log: Continue, Shutdown Server, or Fail operation. This new option matters because the previous version offered only one choice: shut down the server or not.
Maximum Rollover Files: previously there were only two choices for the number of log files used to store the audit log: an unlimited number of log files, or a limited number of log files. With a limit, once the number of log files reaches the maximum, the oldest log file is deleted automatically to make room for a newer one (this is called roll-over). SQL Server 2012 adds one more choice that keeps a fixed number of log files without losing audit information to roll-over.
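
The two resilience options are easiest to compare side by side. The script below is an added example, not code from the original article. The audit names Audit_BestEffort and Audit_Complete and the size and file-count values are assumptions; the options themselves are the ones documented under CREATE SERVER AUDIT above.

```sql
-- Added example (not from the original article). Assumed names: Audit_BestEffort,
-- Audit_Complete. The folder C:\SQLAudit\ must already exist.
USE master;
GO
-- Weak for a complete trail: rollover deletes the oldest file once the limit
-- is exceeded, and CONTINUE lets statements run unaudited while the target
-- cannot be written.
CREATE SERVER AUDIT Audit_BestEffort
TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 5)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Stricter: a fixed set of 20 files that are never overwritten (MAX_FILES),
-- disk space reserved up front, and audited actions fail instead of going
-- unrecorded when the log cannot be written.
CREATE SERVER AUDIT Audit_Complete
TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_FILES = 20,
         RESERVE_DISK_SPACE = ON)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
GO
ALTER SERVER AUDIT Audit_Complete WITH (STATE = ON);
GO
-- Review query: show the resilience settings of every file audit and flag
-- the ones that are disabled or that continue without logging on failure.
SELECT name, is_state_enabled, on_failure_desc, max_file_size,
       max_rollover_files, max_files, reserve_disk_space, predicate,
       CASE
           WHEN is_state_enabled = 0 THEN 'audit is disabled'
           WHEN on_failure = 0 THEN 'ON_FAILURE = CONTINUE: events can be lost'
           ELSE 'ok'
       END AS finding
FROM sys.server_file_audits
ORDER BY name;
GO
-- Runtime state and current file size of each audit.
SELECT name, status_desc, status_time, audit_file_path, audit_file_size
FROM sys.dm_server_audit_status;
GO
```

With MAX_FILES, once the last file is full any action that would generate an audit event fails, so the audit files have to be archived before the limit is reached.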

These are some of the improvements in SQL Server 2012 that make data auditing more flexible and more useful for administrators.
