AUDITING

The SQL Server Audit feature:

Auditing an instance of SQL Server or a SQL Server database involves tracking and
logging events that occur on the system. You can use several methods of auditing
for SQL Server, as described in Auditing (Database Engine). Beginning in SQL
Server 2008 Enterprise, you can also set up automatic auditing by using SQL Server
Audit.
The feature audits events on two levels the server- level and database
level. Each audit level is configured independently, which provides flexibility and
fine-grained auditing
The overhead of the feature is lighter than of auditing using SQL traces, but the
overall impact depends on how busy the database is and how many events you
want to audit
An audit is the combination of several elements into a single package for a
specific group of server actions or database actions. The components of SQL Server
audit combine to produce an output that is called an audit [1]
The audit information can be saved in a binary file, Windows event log, or SQL
Server event log. The output file is also called a target. As the events pile up, the
target files can grow large, so its recommended to regularly review and archive
them. To prevent audit information leak, make sure that access to these files is
granted only to privileged users

Configuration:
1.Server-level:
The first step is to create a new audit by right-clicking on the Audit folder inside of
the Security folder found in SSMS.
1. Go to securityaudit

You need to input a file path in order to proceed. You can also set parameters for
the file size and reserve disk space for the files. However, you cannot reserve disk
space if your file size is set to unlimited.
After you click OK, you will have created a server audit. At this point you have
created an audit for the instance, but have not specified what to audit.

2. ENABLE AUDIT
SELECT AUDIT->RIGHT CLICK->ENABLE

3.You will do that in the next step, first by right-clicking on the Server Audit
Specifications' as follows:

Note that here we are creating an audit for the server, or instance level.
4. ENABLE SERVER AUDIT SPECIFICATION
SELECT AUDIT-> SERVER AUDIT SPECIFICATION ->
RIGHT CLICK ON SERVER AUDIT SPECIFICATION ->ENABLE

Database-level:
In order to create a database audit you would navigate in SSMS to the database
you want to audit and expand the security folder as follows:
Go to Database->security->Database Audit Specification

You can right-click on the Database Audit Specifications folder to create a new
database audit. Each type of audit specification has a distinct set of options to
select from. For this example we will continue with a database specification:

ENABLE UR DATABASE AUDIT SPECIFICATION

SELECT DATABASE->SECURITY->DATABASE AUDIT SPECIFICATION->
SELECT DATABASE AUDIT SPECIFICATION R.C ENABLE

Select the server audit by clicking in the dropdown window. Then select an audit
action type. In the example above I have selected a handful of action types and
associated object classes, object names, and principal names. Click OK and the
audit specification is created.
At this point we have created a server audit and a database audit that is associated
with the server audit. Neither of these audits are enabled. You can enable them by
right-clicking on each and selecting 'enable'.
Once enabled, SQL Server Audit is now collecting information. You can review the
details by right-clicking on the server audit and selecting 'View Audit Logs'.

And the viewer should resemble the following: