Azure SQL Database auditing tracks database events and writes them to an audit log in your Azure storage account, or sends them to Event Hub or Log Analytics for downstream processing and analysis.
Blob audit
Audit logs stored in Azure Blob storage are stored in a container named sqldbauditlogs
in the Azure storage account.
The directory hierarchy within the container is of the form
<ServerName>/<DatabaseName>/<AuditName>/<Date>/
The Blob file name format is
<CreationTime>_<FileNumberInSession>.xel
where CreationTime
is in UTC hh_mm_ss_ms
format, and FileNumberInSession
For example, for database Database1
on Server1
the following is a possible valid path:
Server1/Database1/SqlDbAuditing_ServerAudit_NoRetention/2019-02-03/12_23_30_794_0.xel
Azure SQL Database
This example reads from a file that is named ShiraServer/MayaDB/SqlDbAuditing_Audit/2017-07-14/10_45_22_173_1.xel
:
SELECT *
FROM sys.fn_get_audit_file('https://mystorage.blob.core.windows.net/sqldbauditlogs/ShiraServer/MayaDB/SqlDbAuditing_Audit/2017-07-14/10_45_22_173_1.xel', DEFAULT, DEFAULT);
GO
his example reads from the same file as above, but with additional T-SQL clauses (TOP, ORDER BY, and WHERE clause for filtering the audit records returned by the function):
SELECT TOP 10 *
FROM sys.fn_get_audit_file('https://mystorage.blob.core.windows.net/sqldbauditlogs/ShiraServer/MayaDB/SqlDbAuditing_Audit/2017-07-14/10_45_22_173_1.xel', DEFAULT, DEFAULT)
WHERE server_principal_name = 'admin1'
ORDER BY event_time;
GO
Tables returned
Column name | Type | Description |
---|---|---|
action_id | varchar(4) | ID of the action. Not nullable. |
additional_information | nvarchar(4000) | Unique information that only applies to a single event is returned as XML. A few auditable actions contain this kind of information. One level of T-SQL stack will be displayed in XML format for actions that have T-SQL stack associated with them. The XML format will be: <tsql_stack><frame nest_level = '%u' database_name = '%.*s' schema_name = '%.*s' object_name = '%.*s' /></tsql_stack> Frame nest_level indicates the current nesting level of the frame. The Module name is represented in three part format (database_name, schema_name and object_name). The module name will be parsed to escape invalid xml characters like '\<' , '>' , '/' , '_x' . They will be escaped as _xHHHH\_ . The HHHH stands for the four-digit hexadecimal UCS-2 code for the characterIs nullable. Returns NULL when there is no additional information reported by the event. |
affected_rows | bigint | Applies to: Azure SQL Database only Number of rows affected by the executed statement. |
application_name | nvarchar(128) | Applies to: SQL Server 2017 (14.x) and later versions, and Azure SQL Database Name of client application that executed the statement that caused the audit event |
audit_file_offset | bigint | Applies to: SQL Server only The buffer offset in the file that contains the audit record. Not nullable. |
audit_schema_version | int | Always 1 |
class_type | varchar(2) | The type of auditable entity that the audit occurs on. Not nullable. |
client_ip | nvarchar(128) | Applies to: SQL Server 2017 (14.x) and later versions, and Azure SQL Database Source IP of the client application |
connection_id | GUID | Applies to: Azure SQL Database and SQL Managed Instance ID of the connection in the server |
data_sensitivity_information | nvarchar(4000) | Applies to: Azure SQL Database only Information types and sensitivity labels returned by the audited query, based on the classified columns in the database. |
database_name | sysname | The database context in which the action occurred. Is nullable. Returns NULL for audits occurring at the server level. |
database_principal_id | int | ID of the database user context that the action is performed in. Not nullable. Returns 0 if this doesn’t apply. For example, a server operation. |
database_principal_name | sysname | Current user. Is nullable. Returns NULL if not available. |
duration_milliseconds | bigint | Applies to: Azure SQL Database and SQL Managed Instance Query execution duration in milliseconds |
event_time | datetime2 | Date and time when the auditable action is fired. Not nullable. |
file_name | varchar(260) | The path and name of the audit log file that the record came from. Not nullable. |
is_column_permission | bit | Flag indicating if this is a column level permission. Not nullable. Returns 0 when the permission_bitmask = 0. 1 = true 0 = false |
object_id | int | The ID of the entity on which the audit occurred. This includes the following: Server objects Databases Database objects Schema objects Not nullable. Returns 0 if the entity is the Server itself or if the audit isn’t performed at an object level. For example, Authentication. |
object_name | sysname | The name of the entity on which the audit occurred. This includes the following: Server objects Databases Database objects Schema objects Is nullable. Returns NULL if the entity is the Server itself or if the audit isn’t performed at an object level. For example, Authentication. |
obo_middle_tier_app_id | varchar(120) | Applies to: Azure SQL Database and SQL Managed Instance The application ID of the middle tier application which connects to SQL Database using OBO access. Is nullable. Returns NULL if the request is not made using OBO access. |
permission_bitmask | varbinary(16) | In some actions, this is the permissions that were grant, denied, or revoked. |
response_rows | bigint | Applies to: Azure SQL Database and SQL Managed Instance Number of rows returned in the result set. |
schema_name | sysname | The schema context in which the action occurred. Is nullable. Returns NULL for audits occurring outside a schema. |
sequence_group_id | varbinary | Applies to: SQL Server 2016 (13.x) and later versions Unique identifier |
sequence_number | int | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. Not nullable. |
server_instance_name | sysname | Name of the server instance where the audit occurred. The standard server\instance format is used. |
server_principal_id | int | ID of the login context that the action is performed in. Not nullable. |
server_principal_name | sysname | Current login. Is nullable. |
server_principal_sid | varbinary | Current login SID. Is nullable. |
session_id | smallint | ID of the session on which the event occurred. Not nullable. |
session_server_principal_name | sysname | Server principal for session. Is nullable. Returns the identity of the original login that was connected to the instance of SQL Server in case there were explicit or implicit context switches. |
statement | nvarchar(4000) | Transact-SQL statement if it exists. Is nullable. Returns NULL if not applicable. |
succeeded | bit | Indicates whether the action that triggered the event succeeded. Not nullable. For all events other than login events, this only reports whether the permission check succeeded or failed, not the operation. 1 = success 0 = fail |
target_database_principal_id | int | The database principal the GRANT/DENY/REVOKE operation is performed on. Not nullable. Returns 0 if not applicable. |
target_database_principal_name | sysname | Target user of action. Is nullable. Returns NULL if not applicable. |
target_server_principal_id | int | Server principal that the GRANT/DENY/REVOKE operation is performed on. Not nullable. Returns 0 if not applicable. |
target_server_principal_name | sysname | Target login of action. Is nullable. Returns NULL if not applicable. |
target_server_principal_sid | varbinary | SID of target login. Is nullable. Returns NULL if not applicable. |
transaction_id | bigint | Applies to: SQL Server 2016 (13.x) and later versions Unique identifier to identify multiple audit events in one transaction |
user_defined_event_id | smallint | Applies to: SQL Server 2012 (11.x) and later, Azure SQL Database and SQL Managed Instance User defined event ID passed as an argument to sp_audit_write . NULL for system events (default) and non-zero for user-defined event. |
user_defined_information | nvarchar(4000) | Applies to: SQL Server 2012 (11.x) and later versions, Azure SQL Database, and SQL Managed Instance Used to record any extra information the user wants to record in audit log by using the sp_audit_write stored procedure. |
Log Analytics
Audit events are written to Log Analytics workspace defined during auditing configuration, to the AzureDiagnostics
table with the category SQLSecurityAuditEvents
,and table with the category DevOpsOperationsAudit
for Microsoft Support Operations.
Audit log fields
Name (blob) | Name (Event Hubs/Log Analytics) | Description | Blob type | Event Hubs/Log Analytics type |
---|---|---|---|---|
action_id | action_id_s | ID of the action | varchar(4) | string |
action_name | action_name_s | Name of the action | N/A | string |
additional_information | additional_information_s | Any additional information about the event, stored as XML | nvarchar(4000) | string |
affected_rows | affected_rows_d | Number of rows affected by the query | bigint | int |
application_name | application_name_s | Name of client application | nvarchar(128) | string |
audit_schema_version | audit_schema_version_d | Always 1 | int | int |
class_type | class_type_s | Type of auditable entity that the audit occurs on | varchar(2) | string |
class_type_desc | class_type_description_s | Description of auditable entity that the audit occurs on | N/A | string |
client_ip | client_ip_s | Source IP of the client application | nvarchar(128) | string |
connection_id | N/A | ID of the connection in the server | GUID | N/A |
data_sensitivity_information | data_sensitivity_information_s | Information types and sensitivity labels returned by the audited query, based on the classified columns in the database. | nvarchar(4000) | string |
database_name | database_name_s | The database context in which the action occurred | sysname | string |
database_principal_id | database_principal_id_d | ID of the database user context that the action is performed in | int | int |
database_principal_name | database_principal_name_s | Name of the database user context in which the action is performed | sysname | string |
duration_milliseconds | duration_milliseconds_d | Query execution duration in milliseconds | bigint | int |
event_time | event_time_t | Date and time when the auditable action is fired | datetime2 | datetime |
host_name | N/A | Client host name | string | N/A |
is_column_permission | is_column_permission_s | Flag indicating if this is a column level permission. 1 = true, 0 = false | bit | string |
N/A | is_server_level_audit_s | Flag indicating if this audit is at the server level | N/A | string |
object_ id | object_id_d | The ID of the entity on which the audit occurred. This includes the : server objects, databases, database objects, and schema objects. 0 if the entity is the server itself or if the audit is not performed at an object level | int | int |
object_name | object_name_s | The name of the entity on which the audit occurred. This includes the : server objects, databases, database objects, and schema objects. 0 if the entity is the server itself or if the audit is not performed at an object level | sysname | string |
obo_middle_tier_app_id | obo_middle_tier_app_id_s | The application id of the middle tier application which connected to SQL Database using OBO access. | varchar(120) | string |
permission_bitmask | permission_bitmask_s | When applicable, shows the permissions that were granted, denied, or revoked | varbinary(16) | string |
response_rows | response_rows_d | Number of rows returned in the result set | bigint | int |
schema_name | schema_name_s | The schema context in which the action occurred. NULL for audits occurring outside a schema | sysname | string |
N/A | securable_class_type_s | Securable object that maps to the class_type being audited | N/A | string |
sequence_group_id | sequence_group_id_g | Unique identifier | varbinary | GUID |
sequence_number | sequence_number_d | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. Note that Azure SQL Database and Azure Synapse Audit stores 4000 characters of data for character fields in an audit record. When there are more than 4000 characters, any data beyond the first 4000 characters will be truncated | int | int |
server_instance_name | server_instance_name_s | Name of the server instance where the audit occurred | sysname | string |
server_principal_id | server_principal_id_d | ID of the login context in which the action is performed | int | int |
server_principal_name | server_principal_name_s | Current login | sysname | string |
server_principal_sid | server_principal_sid_s | Current login SID | varbinary | string |
session_id | session_id_d | ID of the session on which the event occurred | smallint | int |
session_server_principal_name | session_server_principal_name_s | Server principal for session | sysname | string |
statement | statement_s | T-SQL statement that was executed (if any) | nvarchar(4000) | string |
succeeded | succeeded_s | Indicates whether the action that triggered the event succeeded. For events other than login and batch, this only reports whether the permission check succeeded or failed, not the operation. 1 = success, 0 = fail | bit | string |
target_database_principal_id | target_database_principal_id_d | The database principal the GRANT/DENY/REVOKE operation is performed on. 0 if not applicable | int | int |
target_database_principal_name | target_database_principal_name_s | Target user of action. NULL if not applicable | string | string |
target_server_principal_id | target_server_principal_id_d | Server principal that the GRANT/DENY/REVOKE operation is performed on. Returns 0 if not applicable | int | int |
target_server_principal_name | target_server_principal_name_s | Target login of action. NULL if not applicable | sysname | string |
target_server_principal_sid | target_server_principal_sid_s | SID of target login. NULL if not applicable | varbinary | string |
transaction_id | transaction_id_d | SQL Server only (starting with 2016) – 0 for Azure SQL Database | bigint | int |
user_defined_event_id | user_defined_event_id_d | User defined event ID passed as an argument to sp_audit_write. NULL for system events (default) and non-zero for user-defined event. | smallint | int |
user_defined_information | user_defined_information_s | User defined information passed as an argument to sp_audit_write. NULL for system events (default) and non-zero for user-defined event. | nvarchar(4000) | string |