CLoudOps Now!

,

Azure Log Analytics fields for Azure SQL Server/Database

Posted by

Mohammad Gufran Jahangir

Here’s a detailed explanation of the Azure Log Analytics fields for SQLSecurityAuditEvents from an Azure SQL Server (e.g., server-level audit logs):

Log Analytics fields for SQLSecurityAuditEvents from an Azure SQL Server

🔐 Audit Metadata & Identity Fields

FieldMeaning
TenantIdAzure Active Directory tenant ID of your organization.
SubscriptionIdAzure subscription ID where the SQL Server resource is hosted.
ResourceGroupName of the Azure resource group that contains the SQL Server.
ResourceProviderAzure service provider – here it’s MICROSOFT.SQL for SQL Database.
ResourceTypeThe type of resource (e.g., SERVERS/DATABASES).
ResourceThe name of the database resource – here it’s MASTER.
LogicalServerName_sThe logical SQL server name (e.g., c10wdedhdatamart01d).
ResourceIdFull resource path of the database in Azure (used for correlation).

🕒 Timestamps

FieldMeaning
TimeGeneratedWhen the log was collected by Azure Monitor (UTC).
event_time_tActual time the event occurred in the SQL Server (UTC).
originalEventTimestamp_tOriginal timestamp of the audit event (UTC).

📘 Audit & Operation Information

FieldMeaning
CategoryLog category – here it’s SQLSecurityAuditEvents.
OperationNameType of audit event – usually “AuditEvent”.
action_id_sCode for the operation – e.g., BCM = “Batch Completed”.
action_name_sName of the action performed – e.g., BATCH COMPLETED.
succeeded_sIndicates whether the operation was successful (true or false).
audit_schema_version_dVersion of the audit schema.
event_id_gUnique ID for the specific audit event.
is_server_level_audit_sIndicates if this is a server-level audit (true/false).

🧑‍💻 User & Session Information

FieldMeaning
session_id_dInternal SQL Server session ID for the query.
server_principal_id_dInternal ID of the server principal (login/user).
server_principal_name_sThe name of the user/login that ran the query (e.g., certificate login).
session_server_principal_name_sFull name of the session’s identity (often includes instance cert).
server_principal_sid_sSecurity identifier (SID) of the login/user.
database_principal_id_dInternal ID of the database-level principal (user).
database_principal_name_sDatabase-level user name (e.g., public).

🧾 Query & Target Object Info

FieldMeaning
statement_sThe actual SQL query run – e.g., SELECT * FROM sys.workload_management_workload_groups.
object_name_sThe database object accessed (table/view/procedure etc.).
object_id_dInternal ID of the object accessed.
class_type_sType of securable accessed – here, DB = database.
class_type_description_sDescription of the object class – DATABASE.
securable_class_type_sSecurable class – what is being secured or audited (DATABASE).

⏱️ Performance & Outcome Info

FieldMeaning
duration_milliseconds_dDuration of the operation in milliseconds.
response_rows_dNumber of rows returned.
affected_rows_dNumber of rows affected (for INSERT, UPDATE, etc.).
succeeded_sIndicates if the operation was successful (true or false).

🌐 Connection & Client Info

FieldMeaning
client_ip_sIP address of the client (can be <named pipe> for internal or secure connections).
host_name_sHostname of the client machine connecting to SQL Server.
application_name_sName of the application or tool executing the query (e.g., DWShellDb).
client_tls_version_dTLS version used for the connection (0 if not applicable).
connection_id_gUnique identifier of the client connection.

🔄 Transaction Info (if applicable)

FieldMeaning
transaction_id_dTransaction ID if the query was part of a SQL transaction.
user_defined_event_id_dReserved for custom user-defined audit events (usually 0).
target_server_principal_id_dTarget server user ID (for permission/audit scope).
target_database_principal_id_dTarget database user ID.

🧩 Security Context

FieldMeaning
permission_bitmask_gBitmask representing the specific permission checked.
sequence_number_dOrder of the event in an audit batch.
sequence_group_id_gID grouping multiple audit events together logically.

Azure Log Analytics entry at the database level

Here’s a detailed explanation of the fields from the Azure Log Analytics entry at the database level (SqlRequests category) for HS SQL / Dedicated SQL Pool (Synapse):

🔷 Azure SQL Request Log Fields – Explained

FieldDescription
TenantIdThe Azure Active Directory (AAD) tenant ID associated with your Azure environment.
TimeGeneratedTimestamp when the log was collected by Azure Monitor (in UTC).
ResourceIdFull path to the database resource in Azure (includes subscription, resource group, server, and database).
CategoryLog type — SqlRequests indicates it’s tracking SQL query requests.
ResourceGroupThe Azure resource group containing the database resource.
SubscriptionIdID of the Azure subscription that owns the database.
ResourceProviderAzure service provider — MICROSOFT.SQL for SQL services.
ResourceThe name of the database — here it is EDH_DATA_MART.
ResourceTypeIndicates what type of Azure resource it is — in this case, SERVERS/DATABASES.
OperationNameType of event captured — here it’s SqlRequestsEvent, which logs SQL query execution details.
LogicalServerName_sThe name of the logical SQL Server (e.g., c10wdedhdatamart01d).
SourceSystemAlways Azure — indicates logs are collected from an Azure resource.
Status_sIndicates the status of the query — Complete means the query finished successfully.
location_sAzure region where the resource is hosted — here, it’s westus.
TypeResource type in the log ingestion context — typically AzureDiagnostics.
_ResourceIdSame as ResourceId, but normalized for diagnostics queries in Kusto (lowercase path).

🧾 Detailed Query Execution Info (from AdditionalFields)

FieldDescription
RequestIdUnique identifier for the SQL request — useful for tracing across logs.
StartTimeThe exact time when the query started execution.
EndTimeThe exact time when the query finished execution.
ErrorIdIf the query failed, this field would contain the error code (empty here = no error).
CommandThe type of SQL command executed (e.g., SELECT, INSERT) — blank here, so possibly system internal or metadata access.
StepIndexIndex of the step in a distributed query (used in Synapse MPP execution).
PdwNodeIdThe ID of the node in the Synapse MPP engine that processed this part of the query.
DistributionIdInternal distribution ID used in parallel processing in dedicated SQL pools.
RowCountNumber of rows returned or affected — -1 may indicate no rows returned or metadata access.
SpidSQL Server Process ID — uniquely identifies the session within the server.

📌 Use Case of These Logs

These logs are particularly helpful when:

  • Debugging performance issues or slow-running queries
  • Monitoring distributed query execution in Synapse SQL Pools
  • Tracking which nodes processed specific steps
  • Checking success/failure status of background or user queries
, ,

Mohammad Gufran Jahangir

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags

#AQE Access Control Issues Ansible Templates Apache Spark AWS interview questions that are commonly asked in interviews Azure Databricks Azure Databricks Tutorial: How to work with Azure Databricks Azure Networking Azure SQL Database Azure SQL Database Unavailable AZURE SQL SERVER Databricks DevOps DevOpsSchool Explore the data in your lakehouse with a notebook Getting Started with Azure Databricks Git How to push/pull and clone files between Local machine and GitHub Kubernetes Merge and Pull Microsoft Fabric MLOps Foundation Certification MotoShare Partition table Rajesh Kumar Snowflake terraform Terraform Backend Unity Catalog What are the security considerations specific to CloudOps?

0
Would love your thoughts, please comment.x
()
x