SQL Server 2005 Change Auditing - sql-server

Is there a built in way in SQL Server 2005 to audit things specifically like deleting a stored procedure? Is there a history table that I can query? We have a mystery sproc that has disappeared a few times now.

You can build this using DDL triggers:
http://msdn.microsoft.com/en-us/library/ms190989.aspx

Only if you use DDL triggers or use profiler to trace text "%DROP%PROC%procname%"

Note that in SQL Server 2008 they also now have AUDIT to replace Profiler Traces for auditing activities. It is similar but has its own configuration UI and UI to view results.

You can set up a profiler trace to capture the Audit Schema Object Management event and filter based on the database name you care about. Any time an object in the schema is created, dropped, or edited, it will fire an event in profiler that includes the person who made the change and the name of the stored procedure.
You will want at least these profiler columns:
ApplicationName - name of app user was running when they made change
DatabaseName - Database containing the object changed
EventSubClass - Type of action shows Alter, Modify, Drop, Create etc
LoginName - user making change
ObjectName - object affected

[late one but adds details on how to see who made the change even before auditing system is put into place]
Others have already covered different ways you can start auditing data in order to monitor future changes but if you originally didn’t have any auditing system in place then it’s very difficult to find out who did what and when historically.
The only option is to try reading the transaction log, assuming the database is in full recovery mode. The problem is that this is not supported by default. Options are:
Third party tools such as ApexSQL Log or Quest Toad
Undocumented functions such as DBCC LOG or fn_dblog
See these topics for more details:
How to view transaction log in SQL Server 2008
SQL Server Transaction Log Explorer/Analyzer
How to see query history in SQL Server Management Studio

I agree. It can be the SQL Server profiler with filters. The DDL triggers existed in SQL Server.
You could create something like this:
CREATE TRIGGER ddl_drop_procedure
ON DATABASE
FOR DROP_PROCEDURE
AS
RAISERROR ('You deleted a stored procedure',10, 1)
GO
The other option is to use third party tools like Auto Audit from codeplex, or apexSQL trigger.

Related

Where is the SQL Server Database Trigger Wizard or Dialog Box?

This question is about SQL Server
In the past, I have created a stored procedure that was run on a timely basis by (if I remember correctly) a database trigger. As I recall, there was a wizard (dialog box with "NEXT" buttons) that I used to set things up to have the stored procedure run automatically. That was some time ago. Now when I search for database trigger information online, I find only information about -- creating triggers for when a table is updated or modified. Maybe I am using the wrong terminology and what I am looking for is not a "trigger" at all.
It's not a trigger what you are looking for.
You need to find SQL Server Agent in SQL Server Management Studio, create a new job, add a step, select the database and use the command EXEC yourSpName to run the stored procedure.
Then in the schedule you can set when you want to run it.

Stored procedure changes not noticed by migrator

Another team in my company is using an unknown-to-me migrator tool.
When I edit a stored procedure in SSMS (ALTER PROCEDURE xyz...), the migrator notices the change, and they push a button to send it on to Test and Prod.
However, if I use a custom C# app to connect to the SQL Server and run the same ALTER, the procedure is changed, but the migrator refuses to see the change. So the workflow stops.
I even changed my app to drop and recreate the procedure from scratch, and the migrator still doesn't see the change.
sys.objects clearly has fresh dates in create_date and modify_date.
Any idea what this migrator might be using behind the scenes that might be causing my grief?
The ways the tool might detect changes are an SSMS add-in, DDL trigger, or server-side trace. With the last 2 methods, SSMS-only changes might be filtered by examining the application name.
Try specifying application name "Microsoft SQL Server Management Studio" in your SqlClient connections string. That should work if schema changes are captured by a filtered DDL trigger or trace.

Automate sql server profiler to record data then save data to a table continuously

Is there a way to automate sql server profiler to record data then save data to a table continuously?
The reason, I am supporting a fragile SQL Server application and there is no auditing. I receive a lot of support calls regarding the deletion of records. I want a quick way to be able to view who has changed what data.
You can configure your profiler to save the trace directly to table as described here: How To Save a SQL Server Trace Data to a Table
But it's not a good idea for 2 reasons: first, profiler itself will be loading up your server; second, writing to a table is the most costly option and you can even lose some events.
Maybe if you are on Enterprise edition you can use SQL Server database audit, which is more lightweight.
And here you can find a complete example of setting up database audit that audits the DELETE events
Here are few articles for your reference.
Save trace results to a database table
https://learn.microsoft.com/en-us/sql/tools/sql-server-profiler/save-trace-results-to-a-table-sql-server-profiler
Save Trace Results to a Table
https://technet.microsoft.com/en-us/library/ms191276(v=sql.110).aspx
9 Steps to an Automated Trace
http://sqlmag.com/t-sql/9-steps-automated-trace
Alternatively, you may try this automated solution ( https://www.lepide.com/lepideauditor/sql-server-auditing.html ) to accomplish this task.

How to audit SQL Server 2008 queries through WCF Services?

I want to save any kind of log/tables with every query executed by my application.
I know I could do this by coding it (before I make any query, I insert a new row in a log table with the query and the user who is executing it).
I have read it can be done automatically but I'm not sure how can it work with WCF Services. I mean every query is going to be executed by the same SQL user and this wouldn't be very useful for audit operations (I need to know WHO made every query, and users will be validated against my own users tables).
Have you ever had a similar scenario? Thanks in advance!
As a starting point it may be worth looking into doing this via SQL Server Profiler. You can normally find this in the Tools Menu in Management Studio.
You can set up a trace to capture all SQL run on a server. More importantly you have a myriad of filter options which can be applied so that you only capture the data you are interested in (e.g. DatabaseName, UserName).
This information can be stored directly in a SQL Table, which should give you the ability to join onto. Of course running anything like this will result in some overhead on the SQL box.
You can try the SQL Server Audit feature. It audits single or groups of events both on server and database level. However, be advised that the database level auditing is available in SQL Server Enterprise and Developer editions only.

regarding sql server transaction log

If someone deletes any object from my database, like a table, view, SP, etc., then how can I get details such as who deleted it and when from the transaction log? Is it possible? Please tell me an easy way to read the transaction log so that I can get those details properly.
thanks
No, the transaction log was created for different purposes. There are some products from different vendors which try to get information from the transaction log, but it is not the right way.
who delete and when delete
If you need this information you need to create triggers to table for delete or update and collect this information.
If you use MS SQL 2008 you can use Change Data Capture feature.
Apparently you could use a third-party product such as Apex SQL Log, although personally I have not used it.
Depending on how recently the incident occurred, you may also be able to extract the information you require from the built-in reports in SQL Server 2005 such as the Schema Changes History Report. This information is accessible to you by means of the Default Trace. See using the Default Trace for details.
What you really need to take away from your incident is to use the lesson to devise a schema audit strategy for your environment. There are plenty of articles on the internet that detail how this can be achieved using Triggers. For example see Using DDL Triggers in SQL Server 2005 to Capture Schema Changes
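As an added example (not part of the original answers), the default trace mentioned above can be queried directly for created, altered, and dropped stored procedures. It returns the same columns recommended for a Profiler trace earlier on this page. The database name `YourDatabase` is a placeholder.

```sql
-- Added example: read the default trace for stored-procedure DDL.
-- N'YourDatabase' is a placeholder for the database being investigated.

-- 1) Confirm the default trace is enabled (value_in_use = 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'default trace enabled';

-- 2) Build the path to the base file (log.trc) so that all rollover files
--    still on disk are read, not only the current one.
DECLARE @path nvarchar(260);

SELECT @path = REVERSE(SUBSTRING(REVERSE(path),
                                 CHARINDEX(N'\', REVERSE(path)), 260))
               + N'log.trc'
FROM sys.traces
WHERE is_default = 1;

-- 3) List procedure create/alter/drop events, newest first.
SELECT t.StartTime,
       te.name AS EventName,          -- Object:Created / Altered / Deleted
       CASE t.EventSubClass
            WHEN 0 THEN 'Begin'
            WHEN 1 THEN 'Commit'
            WHEN 2 THEN 'Rollback'
       END AS Phase,
       t.LoginName,                   -- authenticated login
       t.HostName,                    -- supplied by the client
       t.ApplicationName,             -- supplied by the client
       t.DatabaseName,
       t.ObjectName
FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
JOIN sys.trace_events AS te
  ON te.trace_event_id = t.EventClass
WHERE t.EventClass IN (46, 47, 164)   -- Object:Created, Object:Deleted, Object:Altered
  AND t.ObjectType = 8272             -- stored procedure
  AND t.DatabaseName = N'YourDatabase'
ORDER BY t.StartTime DESC;
```

The default trace keeps only a small set of rollover files, so on a busy server the window it covers can be short; copy the .trc files aside before they roll over if an investigation is pending.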
You can restore the database (without overwriting it!) from a full backup / transaction log backup and then copy the deleted objects from there. It's good practice to save the source code for your stored procedures, views and tables outside the database, usually in a source control system, so you don't have to restore database backup to get them.
You can use either DDL triggers or the SQL Server Audit feature.
DDL triggers fire on CREATE, ALTER, DROP, and operations related to database object security settings (e.g. GRANT, DENY…).
In the following example, a DDL trigger tracks the CREATE, ALTER, and DROP operations executed on database tables, stored procedures, functions, and views. The trigger example uses a previously created repository table (DDL_Events_by_DDL_TRIGGER) with appropriate rows:
CREATE TRIGGER DDL_TRIGGER ON DATABASE
FOR CREATE_TABLE, ALTER_TABLE, DROP_TABLE,
    CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE,
    CREATE_FUNCTION, ALTER_FUNCTION, DROP_FUNCTION,
    CREATE_VIEW, ALTER_VIEW, DROP_VIEW
AS
-- EVENTDATA() returns an XML document describing the DDL event that fired the trigger
DECLARE @event xml;
SET @event = EVENTDATA();
-- One row per DDL event: when, who, where, what object, and the statement text
INSERT INTO DDL_Events_by_DDL_TRIGGER
VALUES
(
    REPLACE(CONVERT(varchar(58), @event.query('data(/EVENT_INSTANCE/PostTime)')), 'T', ' '),
    CONVERT(varchar(185), @event.query('data(/EVENT_INSTANCE/LoginName)')),
    CONVERT(varchar(185), @event.query('data(/EVENT_INSTANCE/DatabaseName)')),
    CONVERT(varchar(185), @event.query('data(/EVENT_INSTANCE/SchemaName)')),
    CONVERT(varchar(185), @event.query('data(/EVENT_INSTANCE/ObjectName)')),
    CONVERT(varchar(185), @event.query('data(/EVENT_INSTANCE/ObjectType)')),
    CONVERT(varchar(max), @event.query('data(/EVENT_INSTANCE/TSQLCommand/CommandText)'))
);
The repository table will contain (as specified in the trigger) DDL operations on the database schema, along with information about who, when, and what was altered.
Another native method that can be used to determine whether a SQL Server database has been altered is the SQL Server Audit feature. The feature was introduced in SQL Server 2008 and it collects both server and database level actions raised by the SQL Server Extended Events feature. However, the database level action groups are available in SQL Server Enterprise and Developer editions only
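The trigger in the answer above inserts into a repository table that it does not show. The following added example (not from the original answer) creates a matching table, grants the permission the trigger needs, and checks that a dropped procedure is recorded. The column names and the procedure `usp_AuditSmokeTest` are assumptions; the column order and widths follow the trigger's VALUES list.

```sql
-- Added example: repository table for the DDL trigger shown above.
-- Column names are assumptions; order and widths match the trigger's INSERT.
CREATE TABLE dbo.DDL_Events_by_DDL_TRIGGER
(
    EventTime    varchar(58)  NOT NULL,  -- PostTime with 'T' replaced by a space
    LoginName    varchar(185) NOT NULL,
    DatabaseName varchar(185) NOT NULL,
    SchemaName   varchar(185) NULL,
    ObjectName   varchar(185) NULL,
    ObjectType   varchar(185) NULL,      -- e.g. TABLE, PROCEDURE, FUNCTION, VIEW
    CommandText  varchar(max) NULL       -- the full DDL statement
);
GO

-- A DDL trigger runs in the security context of the caller. If the caller
-- cannot insert into the repository table, the trigger fails and the DDL
-- statement is rolled back, so every principal that may run DDL needs INSERT.
GRANT INSERT ON dbo.DDL_Events_by_DDL_TRIGGER TO public;
GO

-- Smoke test (run after the trigger has been created):
-- create and drop a throwaway procedure.
CREATE PROCEDURE dbo.usp_AuditSmokeTest AS SELECT 1;
GO
DROP PROCEDURE dbo.usp_AuditSmokeTest;
GO

-- Who dropped which procedure, and when. EventTime sorts chronologically
-- as text because PostTime is in yyyy-mm-dd hh:mi:ss form.
SELECT EventTime, LoginName, SchemaName, ObjectName, CommandText
FROM dbo.DDL_Events_by_DDL_TRIGGER
WHERE ObjectType = 'PROCEDURE'
  AND CommandText LIKE '%DROP%PROC%'
ORDER BY EventTime DESC;
```

Anyone who can drop or disable the trigger can also stop the logging, so review the table together with the default trace rather than treating it as the only record.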
