SQL Server Trace not capturing all Audit Add DB User events

In the SQL Server Audit Add DB User Event Class, there are four Event Sub Classes defined:

  1. Add
  2. Drop
  3. Grant database access
  4. Revoke database access

(MS documentation found here)

When I set up SQL Server Profiler to trace the Audit Add DB User Event Class, it only seems to capture events with a subclass of 3 or 4, and not 1 or 2.

To test the trace, I am using the following SQL statements:

CREATE USER testuser FOR LOGIN testlogin;
DROP USER testuser;

When I run these statements in SQL Server Management Studio, SQL Server Profiler displays two Audit Add DB User Events, one with EventSubClass 3 (Grant database access) and one with EventSubClass 4 (Revoke database access), but does not display anything for EventSubClass 1 (Add) or EventSubClass 2 (Drop).

From what I can tell, all three event subclasses should be covered by the SQL statements used above. Is there something additional that needs to be configured in order to capture these event subclasses?

The old trace functionality has been deprecated since 2012. I did some testing and depending on what commands I executed I could get 2. But I never managed to get 1. If you look at the documentation for this event class, you'll see that it is documented to provide information when you use the ancient procedures sp_adduser, sp_dropuser, etc. But even when doing that it seems a bit flaky.

Sure, one could report this to MS, but they will (most likely) just say that you should use a technology which isn't deprecated. I.e., Extended Events. I very much doubt that MS will pour any resources into fixing this, even if they would consider this to be a bug in the first place. So, my recommendation will be the same: Look into Extended Events instead.

Here's a blog I wrote about "getting into" XE: http://sqlblog.karaszi.com/tips-for-getting-started-with-extended-events/
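One non-deprecated way to record the CREATE USER / DROP USER statements from the question is SQL Server Audit, which runs on the Extended Events engine. This is an added example, not code from the question or the answer, and it swaps a raw XE session for an audit specification; the audit names, the database `TestDb` and the folder `C:\SqlAudit\` are assumptions, and the login `testlogin` is assumed to exist already.

```sql
-- Added example (assumed names: UserChangeAudit, UserChangeSpec, TestDb, C:\SqlAudit\).
-- The target folder must already exist and be writable by the SQL Server service account.
USE master;
GO
CREATE SERVER AUDIT UserChangeAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\');
GO
ALTER SERVER AUDIT UserChangeAudit WITH (STATE = ON);
GO

USE TestDb;
GO
-- DATABASE_PRINCIPAL_CHANGE_GROUP is raised when database principals such as
-- users are created, altered or dropped in this database.
CREATE DATABASE AUDIT SPECIFICATION UserChangeSpec
    FOR SERVER AUDIT UserChangeAudit
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- The test statements from the question.
CREATE USER testuser FOR LOGIN testlogin;
DROP USER testuser;
GO

-- Read the audit records back: who changed which principal, and with what statement.
-- action_id is 'CR' for CREATE and 'DR' for DROP.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file(N'C:\SqlAudit\UserChangeAudit*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;
GO

-- Cleanup: a specification or audit must be disabled before it can be dropped.
ALTER DATABASE AUDIT SPECIFICATION UserChangeSpec WITH (STATE = OFF);
DROP DATABASE AUDIT SPECIFICATION UserChangeSpec;
GO
USE master;
GO
ALTER SERVER AUDIT UserChangeAudit WITH (STATE = OFF);
DROP SERVER AUDIT UserChangeAudit;
GO
```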
