Extended Events for Server/Database Audit - sql-server

I am wanting to know if anyone is aware if there is an Extended Event I could utilize to detect if a SQL server/database audit definition has been altered, created, deleted, etc.
Currently I am utilizing SQL server/database audits, but am being introduced to Extended Events.
A lot of what I'm googling is related to XE vs. SQL Audits. Not so much on how to use XE to monitor SQL audits.
Looking for a way to "Audit my Audits".
Thank you.

Any Audit will track its own starts and stops under the Audit Session Changed (AUSC) event. I created an Audit on my local instance and merely enabled/disabled it and then ran the following query:
select actions.name, event_time, additional_information
from sys.fn_get_audit_file('c:\temp\TestAudit*', DEFAULT, DEFAULT) as events
join sys.dm_audit_actions as actions
on actions.action_id = events.action_id;
Here's what I see:
name event_time additional_information
AUDIT SESSION CHANGED 2022-04-10 16:41:58.7244182 <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><session><![CDATA[TestAudit$A]]></session><action>event enabled</action><startup_type>manual</startup_type><object><![CDATA[audit_event]]></object></action_info>
AUDIT SESSION CHANGED 2022-04-10 16:42:09.2291167 <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><session><![CDATA[TestAudit$A]]></session><action>destroyed</action></action_info>
AUDIT SESSION CHANGED 2022-04-10 16:42:09.2291167 <action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><session><![CDATA[TestAudit$A]]></session><action>event disabled</action><object><![CDATA[audit_event]]></object></action_info>
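Beyond the start/stop records above, SQL Server Audit can record changes to audit definitions themselves through the AUDIT_CHANGE_GROUP action group. The script below is an added example, not part of the original answer; the audit name, specification name and file path are placeholders.

```sql
-- Added example: a dedicated server audit that records CREATE/ALTER/DROP of any
-- server audit or audit specification (AUDIT_CHANGE_GROUP), plus its own AUSC records.
-- Placeholders: AuditOfAudits, AuditOfAudits_Spec, C:\temp\AuditOfAudits\
USE master;
GO
CREATE SERVER AUDIT AuditOfAudits
    TO FILE (FILEPATH = N'C:\temp\AuditOfAudits\', MAXSIZE = 50 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION AuditOfAudits_Spec
    FOR SERVER AUDIT AuditOfAudits
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT AuditOfAudits WITH (STATE = ON);
GO

-- Read the file back. Because this audit collects only AUDIT_CHANGE_GROUP, every
-- record here is either an audit start/stop (AUSC) or a change to an audit definition.
-- sys.dm_audit_actions can hold several rows per action_id (one per object class),
-- hence DISTINCT.
SELECT DISTINCT
       e.event_time,
       a.name                  AS action_name,
       a.containing_group_name,
       e.server_principal_name,
       e.object_name,
       e.statement,
       e.succeeded
FROM   sys.fn_get_audit_file(N'C:\temp\AuditOfAudits\*', DEFAULT, DEFAULT) AS e
JOIN   sys.dm_audit_actions AS a
       ON a.action_id = e.action_id
WHERE  e.action_id = 'AUSC'
   OR  a.containing_group_name = N'AUDIT_CHANGE_GROUP'
ORDER BY e.event_time DESC;
```

A sysadmin can still stop or drop this audit, so the AUSC "destroyed" and "event disabled" records shown above are the signals to alert on when reviewing the file.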

Related

Debezium: No maximum LSN recorded in the database; please ensure that the SQL Server Agent is running

This question is related to: Debezium How do I correctly register the SqlServer connector with Kafka Connect - connection refused
In Windows 10, I have Debezium running on an instance of Microsoft SQL Server that is outside of a Docker container. I am getting the following warning every 390 milliseconds:
No maximum LSN recorded in the database; please ensure that the SQL
Server Agent is running
[io.debezium.connector.sqlserver.SqlServerStreamingChangeEventSource]
I checked Debezium's code on Github and the only place that I can find this warning states in the code comments that this warning should only be thrown if the Agent is not running. I have confirmed that the SQL Server Agent is running.
Why is this warning showing up and how do I fix it?
Note:
My current solution appears to only work in a non-production environment - per Docker's documentation.
The LSN is the piece of information about your SQL Server changes. If you don't have an LSN, it is possible that your CDC is not running or not configured properly. Debezium consumes LSNs to replicate, so your SQL Server needs to generate them.
Some approaches:
Did you check if your tables have CDC enabled? This will list your tables with CDC enabled:
SELECT s.name AS Schema_Name, tb.name AS Table_Name
, tb.object_id, tb.type, tb.type_desc, tb.is_tracked_by_cdc
FROM sys.tables tb
INNER JOIN sys.schemas s on s.schema_id = tb.schema_id
WHERE tb.is_tracked_by_cdc = 1
Is your CDC database enabled and running? (see here)
Check if enabled:
SELECT *
FROM sys.change_tracking_databases
WHERE database_id=DB_ID('MyDatabase')
And check if it is running:
EXECUTE sys.sp_cdc_enable_db;
GO
Is your CDC service running on SQL Server? See the docs
EXEC sys.sp_cdc_start_job;
GO
When enabling a table in CDC, I had some issues with role_name. In my case, setting it to NULL solved my problem (more details here)
EXEC sys.sp_cdc_enable_table
    @source_schema = N'dbo',
    @source_name = N'AD6010',
    @capture_instance = N'ZZZZ_AD6010',
    @role_name = NULL,             -- no gating role: any user with SELECT on the change table can read it
    @filegroup_name = N'CDC_DATA',
    @supports_net_changes = 1;
GO
Adding more to William's answer.
For the case where SQL Server Agent is not running,
you can enable it by following:
Control Panel >
Administrative Tools >
Click "Services"
Look for SQL Server Agent
Right-click and Start
Now you can fire CDC job queries in your MSSQL.
PS: you need login access to the Windows server.
Another possibility of this error (I just ran into this warning myself this morning trying to bring a new DB online) is the SQL login does not have the permissions needed. Debezium runs the following SQL. Check that the SQL login you are using has access to run this stored procedure and it returns the tables you have set up in CDC. If you get an error or zero rows returned, work with your DBA to get the appropriate permissions set up.
EXEC sys.sp_cdc_help_change_data_capture
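The checks in the answers above can be run as one diagnostic script. This is an added example, not from the thread; `MyDatabase` and the capture instance name `ZZZZ_AD6010` are placeholders taken from the earlier answers.

```sql
-- Added diagnostic script for the "No maximum LSN recorded" warning.
-- Run it in the database Debezium is connected to, as the Debezium login,
-- so that permission problems show up as errors here rather than in the connector log.
USE MyDatabase;   -- placeholder
GO

-- 1. Is CDC enabled on this database? (is_cdc_enabled is the CDC flag;
--    sys.change_tracking_databases reports the separate Change Tracking feature)
SELECT name, is_cdc_enabled
FROM   sys.databases
WHERE  database_id = DB_ID();

-- 2. The maximum LSN CDC has recorded. NULL is the condition behind the warning:
--    either no capture job has ever run, or it has not scanned any log since CDC was enabled.
SELECT sys.fn_cdc_get_max_lsn()                      AS max_lsn,
       sys.fn_cdc_get_min_lsn(N'ZZZZ_AD6010')        AS min_lsn_for_capture_instance;  -- placeholder instance

-- 3. Capture and cleanup jobs registered for this database (needs msdb access)
EXEC sys.sp_cdc_help_jobs;

-- 4. Are the cdc.* Agent jobs actually executing right now?
SELECT j.name,
       ja.start_execution_date,
       ja.stop_execution_date     -- NULL while a job is running
FROM   msdb.dbo.sysjobs AS j
LEFT JOIN msdb.dbo.sysjobactivity AS ja ON ja.job_id = j.job_id
WHERE  j.name LIKE N'cdc.%'
ORDER BY ja.start_execution_date DESC;

-- 5. Recent log-scan errors surfaced by the capture job
SELECT TOP (20) entry_time, error_number, error_message, phase_number
FROM   sys.dm_cdc_errors
ORDER BY entry_time DESC;

-- 6. Tables and capture instances visible to this login (the call Debezium itself makes)
EXEC sys.sp_cdc_help_change_data_capture;
```

If step 2 returns NULL while step 4 shows the capture job running, a permission gap on step 6 or a capture instance created in a different database is the usual cause.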

SQL Server Trace not capturing all Audit Add DB User events

In the SQL Server Audit Add DB User Event Class, there are four Event Sub Classes defined:
Add
Drop
Grant database access
Revoke database access
(MS documentation found here)
When I set up SQL Server Profiler to trace the Audit Add DB User Event Class, it only seems to capture events with a subclass of 3 or 4, and not 1 or 2.
To test the trace, I am using the following SQL statements:
CREATE USER testuser FOR LOGIN testlogin;
DROP USER testuser;
When I run these statements in SQL Server Management Studio, SQL Server Profiler displays two Audit Add DB User Events, one with EventSubClass 3 (Grant database access) and one with EventSubClass 4 (Revoke database access), but does not display anything for EventSubClass 1 (Add) or EventSubClass 2 (Drop).
From what I can tell, all three event subclasses should be covered by the SQL statements used above. Is there something additional that needs to be configured in order to capture these event subclasses?
The old trace functionality has been deprecated since 2012. I did some testing and depending on what commands I executed I could get 2. But I never managed to get 1. If you look at the documentation for this event class, you'll see that it is documented to provide information when you use the ancient procedures sp_adduser, sp_dropuser, etc. But even when doing that it seems a bit flaky.
Sure, one could report this to MS, but they will (most likely) just say that you should use a technology which isn't deprecated. I.e., Extended Events. I very much doubt that MS will pour any resources into fixing this, even if that would consider this to be a bug in the first place. So, my recommendation will be the same: Look into Extended Events instead.
Here's a blog I wrote about "getting into" XE: http://sqlblog.karaszi.com/tips-for-getting-started-with-extended-events/

SQL Server database audit selects, failed logins and executed code for entire database, all objects

I want to track all failed logins to our production environment.
Including all selects to all objects.
Based on:
https://www.simple-talk.com/sql/database-administration/sql-server-audit-magic-without-a-wizard/
and
https://www.simple-talk.com/sql/database-administration/sql-server-security-audit-basics/
and in particular:
https://blogs.msdn.microsoft.com/sreekarm/2009/01/05/auditing-select-statements-in-sql-server-2008/
It suggests I need to name each object, in the schema for me to be able to save all the select statements, which I don't want to do. There are 1500 tables, and 2300 views.
Is it not possible for the audit, to take the database object, and any SELECT executed on that object is saved in the audit file, including user, statement and time etc.?
The failed login i get from the failed login principal group, but so far I've not been able to get the select statement, unless I specifically name the objects for which to audit.
Naming them, also means I have to update the audit every time a new view or table is added.
You can use Extended Events.
For your specific scenario, you might want to select the batch starting and batch completed events.
You can also add more info in the next screens like username, host info, etc.
Finally, you can add filters to restrict this to one database, all databases, a proc with a specific name, and a lot more.
This info can be logged to a file for later analysis.
https://www.simple-talk.com/sql/database-administration/getting-started-with-extended-events-in-sql-server-2012/
For failed logins, you can right-click the server and go to the page below to audit them. This is enabled by default and will be logged to the error log.
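The session the answer describes, written as T-SQL instead of through the wizard. This is an added example, not the answer's own code; the session name, database name and file path are placeholders.

```sql
-- Added example: capture every completed batch and RPC call in one database,
-- with user and host, to an event file. Placeholders: Audit_Prod_Batches, Prod, C:\xe\
CREATE EVENT SESSION Audit_Prod_Batches ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.username, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.database_name)
    WHERE sqlserver.database_name = N'Prod'        -- filter: one database only
),
ADD EVENT sqlserver.rpc_completed (                -- stored-procedure calls from clients
    ACTION (sqlserver.username, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.database_name)
    WHERE sqlserver.database_name = N'Prod'
)
ADD TARGET package0.event_file (
    SET filename = N'C:\xe\Audit_Prod_Batches.xel',
        max_file_size = 100,                       -- MB per file
        max_rollover_files = 20)
WITH (MAX_MEMORY = 16 MB, EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS,
      MAX_DISPATCH_LATENCY = 5 SECONDS, STARTUP_STATE = ON);
GO
ALTER EVENT SESSION Audit_Prod_Batches ON SERVER STATE = START;
GO

-- Read the file back: who ran which statement, from where, and when.
-- sql_batch_completed carries the text in batch_text, rpc_completed in statement.
SELECT
    ed.x.value('(event/@timestamp)[1]', 'datetime2')                                   AS event_time,
    ed.x.value('(event/@name)[1]', 'nvarchar(128)')                                    AS event_name,
    ed.x.value('(event/action[@name="username"]/value)[1]', 'nvarchar(128)')           AS username,
    ed.x.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(128)')    AS host,
    COALESCE(ed.x.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)'),
             ed.x.value('(event/data[@name="statement"]/value)[1]',  'nvarchar(max)')) AS sql_text
FROM sys.fn_xe_file_target_read_file(N'C:\xe\Audit_Prod_Batches*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml)) AS ed(x)
ORDER BY event_time DESC;
```

This records the text of every batch rather than a per-object SELECT record, so reviewing which tables were read is a matter of searching sql_text; ALLOW_SINGLE_EVENT_LOSS means a saturated server may drop events, which is acceptable for analysis but not for a compliance record.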

How to remove old jobs from SQL Agent that represent unused SSRS subscriptions?

How do I remove old jobs under the SQL Agent that represent SSRS subscriptions that are no longer used?
EDIT: None of the answers in the Q below show you a quick way to delete subscriptions from the ReportServer database.
How to delete old subscriptions
I think Nick.McDermaid should post his comment as an answer so I can accept it.
I just ran the T-SQL generated by this select:
USE msdb
GO
-- builds one EXEC sp_delete_job line per Agent job that SSRS created for a subscription
SELECT
CMD = CONCAT('EXEC sp_delete_job @job_id = ''', job_id, ''''),
*
FROM dbo.sysjobs
WHERE description = 'This job is owned by a report server process. Modifying this job could result in database incompatibilities. Use Report Manager or Management Studio to update this job.'

Determine which user deleted a SQL Server database?

I have a SQL Server 2005 database that has been deleted, and I need to discover who deleted it. Is there a way of obtaining this user name?
Thanks, MagicAndi.
If there has been little or no activity since the deletion, then the out-of-the-box trace may be of help. Try running:
-- trace id 1 is the default trace; read its current file
DECLARE @path varchar(256)
SELECT @path = path
FROM sys.traces
WHERE id = 1
SELECT *
FROM fn_trace_gettable(@path, 1)
[In addition to the out-of-the-box trace, there is also the less well-known 'black box' trace, which is useful for diagnosing intermittent server crashes. This post, SQL Server’s Built-in Traces, shows you how to configure it.]
I would first ask everyone who has admin access to the Sql Server if they deleted it.
The best way to retrieve the information is to restore the latest backup.
Now to discuss how to avoid such problems in the future.
First make sure your backup process is running correctly and frequently. Make transaction log backups every 15 minutes or half an hour if it is a highly transactional database. Then the most you lose is a half an hour's worth of work. Practice restoring the database until you can easily do it under stress.
In SQL Server 2008 you can add DDL triggers (not sure if you can do this in 2005) which allow you to log who did changes to structure. It might be worth your time to look into this.
Do NOT allow more than two people admin access to your production database - a dba and a backup person for when the dba is out. These people should load all changes to the database structure and code and all of the changes should be scripted out, code reviewed and tested first on QA. No unscripted, "run by the seat of your pants" code should ever be run on prod.
Here is a bit more precise T-SQL:
-- reads the default trace file (fn_trace_getinfo property 2 = file path)
SELECT DatabaseID, NTUserName, HostName, LoginName, StartTime
FROM
sys.fn_trace_gettable(CONVERT(VARCHAR(150),
( SELECT TOP 1
f.[value]
FROM sys.fn_trace_getinfo(NULL) f
WHERE f.property = 2
)), DEFAULT) T
JOIN sys.trace_events TE ON T.EventClass = TE.trace_event_id
WHERE TE.trace_event_id = 47 AND T.DatabaseName = 'delete'
-- 47 represents the event for deleting objects.
This can be used whether or not you know the database/object name.
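The default trace only helps while its rollover files still hold the event. The DDL-trigger approach mentioned above keeps a permanent record; the trigger below is an added example, not from either thread, and covers both the DROP DATABASE case discussed here and the CREATE/DROP USER events that Profiler missed in the earlier question. The log database, table and trigger names are placeholders.

```sql
-- Added example: a server-scoped DDL trigger that records who dropped a database
-- or created/altered/dropped a database user. Placeholders: DBA_Audit, dbo.DdlEventLog,
-- trg_LogPrincipalAndDropEvents.
USE DBA_Audit;
GO
CREATE TABLE dbo.DdlEventLog (
    EventId      int IDENTITY(1,1) PRIMARY KEY,
    PostTime     datetime       NOT NULL,
    EventType    nvarchar(128)  NOT NULL,
    DatabaseName nvarchar(128)  NULL,
    ObjectName   nvarchar(128)  NULL,
    LoginName    nvarchar(128)  NOT NULL,
    HostName     nvarchar(128)  NULL,
    CommandText  nvarchar(max)  NULL
);
GO
-- Server scope so that the trigger fires for database-level events in every database,
-- including ones created after the trigger exists.
CREATE TRIGGER trg_LogPrincipalAndDropEvents
ON ALL SERVER
FOR DROP_DATABASE, CREATE_USER, ALTER_USER, DROP_USER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();   -- XML describing the DDL event that fired the trigger
    INSERT INTO DBA_Audit.dbo.DdlEventLog
        (PostTime, EventType, DatabaseName, ObjectName, LoginName, HostName, CommandText)
    VALUES (
        @e.value('(/EVENT_INSTANCE/PostTime)[1]',                'datetime'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',               'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/DatabaseName)[1]',            'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]',              'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',               'nvarchar(128)'),
        HOST_NAME(),                                             -- client host of the session
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)')
    );
END;
GO
-- Review: who dropped which database, most recent first
SELECT PostTime, DatabaseName, LoginName, HostName, CommandText
FROM   DBA_Audit.dbo.DdlEventLog
WHERE  EventType = N'DROP_DATABASE'
ORDER BY PostTime DESC;
```

A sysadmin can disable or drop the trigger, so keep the log table in a database that those admins do not routinely touch and treat the trigger as a complement to, not a replacement for, a server audit.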