download
TRANSCRIPT
Auditing Events in SQL Server 2005
Jasper SmithSQL Server MVP
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Agenda
Trace EnhancementsDDL TriggersEvent Notifications
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Trace Enhancements
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Default Trace
On by default (controlled by sp_configure 'default trace enabled‘)
Stored in the same folder as the SQL Server Error Log
Location can be changed by modifying the –e start up parameter using the SQL Server Configuration Manager
Captures mainly audit type trace events
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Reading a running trace
The system function fn_trace_gettable has been enhanced to allow the reading of running server side traces e.g.
select * from :: fn_trace_gettable
('C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_15.trc',-1)
order by StartTime desc
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
SMO Trace API
In the Microsoft.SqlServer.Management.Trace namespace
Can read and write Trace Files and Trace Tables Trace sources include SQL Server, Analysis
Services and SSIS log tables. Can be used to manipulate trace data
programmatically
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Trace Demo
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
DDL Triggers
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
SQL 2005 Trigger Types
Instead Of Triggers (DML) After Triggers (DML) DDL Triggers
React to DDL
CREATE , ALTER , DROP
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
DDL Trigger SyntaxCREATE TRIGGER trigger_name
ON { ALL SERVER | DATABASE }
[ WITH <ddl_trigger_option>]
{ FOR | AFTER } { event_type | event_group }
AS { sql_statement [ ...n ]
| EXTERNAL NAME < method specifier > }
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
DDL Trigger Scope
DATABASE Applies the scope of a DDL trigger to the current
database. If specified, the trigger fires whenever event_type or event_group happens in the current database
ALL SERVER Applies the scope of a DDL trigger to the current
server. If specified, the trigger fires whenever the server level event_type or event_group happens anywhere in the current server
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Event GroupsDDL_DATABASE_LEVEL_EVENTS
DDL_TABLE_VIEW_EVENTS
DDL_TABLE_EVENTS(CREATE_TABLE,ALTER_TABLE,DROP_TABLE)
DDL_VIEW_EVENTS(CREATE_VIEW,ALTER_VIEW,DROP_VIEW)
DDL_INDEX_EVENTS(CREATE_INDEX,ALTER_INDEX,DROP_INDEX)
DDL_STATISTICS_EVENTS (CREATE_STATISTICS,ALTER_STATISTICS,DROP_STATISTICS)
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
eventdata() Function
eventdata() returns a value of type xml The base XML schema returned by the eventdata()
function depends on the scope and event type
TSQLTSQL
CREATE TRIGGER DDL_TESTON DATABASEFOR CREATE_TABLEASPRINT CONVERT(nvarchar(max),eventdata()))
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
eventdata() output<EVENT_INSTANCE>
<PostTime>2004-05-26T21:10:36.393</PostTime><SPID>55</SPID><EventType>CREATE_TABLE</EventType><ServerName>WIN2003</ServerName><LoginName>foo</LoginName><UserName>foo</UserName><DatabaseName>test</DatabaseName><SchemaName>dbo</SchemaName><ObjectName>table1</ObjectName><ObjectType>TABLE</ObjectType>
<TSQLCommand><SetOptions ANSI_NULLS="ON" AN...../><CommandText>create table foo(bar int)</CommandText>
</TSQLCommand></EVENT_INSTANCE>
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Rollbacks and DDL Triggers
If a DDL action is rolled back, so is the logging of the event in an audit table BEGIN TRAN
CREATE TABLE TEST(a int)ROLLBACK TRAN
Within a DDL trigger you can rollback the DDL that caused it to fireCREATE TRIGGER DDLDEMO_ROLBACK ON DATABASE FOR CREATE_TABLE AS PRINT 'Create Table is not allowed‘ ROLLBACK
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
DDL Trigger Demo
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Event Notifications
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Event Notifications
Objects that sends messages about a database or server event to a service broker service
To create an event notification, you must complete the following steps:
Create a target service to receive event notifications. Create the event notification.
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Service Broker
Service Broker provides queuing and reliable messaging as part of the Database Engine
Event Notification Service is built in to all databases
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Event Notification Syntax
CREATE EVENT NOTIFICATION name
ON { SERVER | DATABASE | QUEUE }
[ WITH FAN_IN ]
FOR { event_type | event_group } [ ,...n ]
TO SERVICE broker_service
{ 'broker_instance_specifier' | 'current database' }
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Trace Events
In addition to the DDL events available in DDL Triggers, Event Notifications also allow a subset of Trace events to be captured
Audit_Login Audit_Login_Failed Lock_Deadlock Data_File_Auto_Grow Blocked_Process_Report
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Creating Event Notifications
Create a QUEUE Create a SERVICE on a QUEUE Create a ROUTE for the SERVICE Create an EVENT NOTIFICATION to a
SERVICE Create a SERVICE PROGRAM to process
notification events in the QUEUE
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Event Notifications Demo
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
WMI Integration
WMI Provider for Server Events (SQLWEP) SQL 2005 is a managed WMI object Consume events based on an Event
Notification Query WMI Query Language (WQL) – simplified form
of SQL with WMI specific extensions Easily accessible via the System.Management
namespace in the .NET Framework
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
WQL ExamplesSELECT * FROM DDL_DATABASE_LEVEL_EVENTS WHERE DatabaseName = 'AdventureWorks‘
SELECT * FROM ALTER_TABLE WHERE DatabaseName = "AdventureWorks" AND SchemaName = "Sales" AND ObjectType="Table" AND ObjectName = "SalesOrderDetail"
SELECT * FROM DEADLOCK_GRAPH
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
SQL Agent alerts can react to WMI events NOT limited to SQL Server Events
WMI and SQL Agent
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
WMI Events Demo
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Server Trace Summary
Lowest overhead If using standard trace files there can be
an increased administration overhead Need to recreate trace after server restart Limited notification ability
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
DDL Triggers Summary
DDL Triggers are synchronous DDL Triggers are tightly coupled to the
event that caused them to fire DDL Triggers can respond only to DDL
events DDL Triggers can issue a rollback
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Event Notifications Summary
Event Notifications are asynchronous Target local or remote service React to DDL and subset of Trace events Integrate with WMI and SQL Agent alerts Some additional processing overhead
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Questions ?
Slides will be available soon on
sqlpass.org and sqldbatips.com
Email [email protected]
Enterprise Database Administration and Deployment SIG ▪ S323 ▪ 09/29/2005 ▪ 4:45-6:15
Thank You!
Thank you for attending this session and the
2005 PASS Community Summit in Grapevine!
Please help us improve the quality of our conference by completing your session evaluation form. Completed
evaluation forms may be given to the room monitor as you exit or to staff at the registration desk.