Read Azure Audit Logs from Local File System

Question

I have downloaded the Azure Audit Logs in my Local Drive.

I am trying to read them from my local machine.

I am using below query

select * FROM sys.fn_get_audit_file('C:\Ran\Audit\Chevron\2020-04-10\01_48_07_838_426.xel',DEFAULT,DEFAULT)

Got below error An error occurred in reading from the audit file or file-pattern: 'C:\Ran\Audit\Chevron\2020-04-10\01_48_07_838_426.xel'. The SQL service account may not have Read permission on the files, or the pattern may be returning one or more corrupt files.

I have given full rights to folder: Chevron[On where the Audit file are placed]

Answer 1

I download my Azure SQL database audit file from blob storage and copy it to the Local SQL Server Audit folder.

Then login my on-premise SQL Server with admin account "sa", run the query and evertthing works well.

For example:

Read the audit file 01_13_36_510_0.xel in blog storage in Azure SQL database:

Then copy it to local SQL Server audit folder and run the query again:

If you want read the audit file, you must have the permission :

• SQL Server: Requires the CONTROL SERVER permission.

• Azure SQL DB : Requires the CONTROL DATABASE permission.

  1. Server admins can access audit logs of all databases on the server.

  2. Non server admins can only access audit logs from the current database.

  3. Blobs that do not meet the above criteria will be skipped (a list of skipped blobs will be displayed in the query output message), and the function will return logs only from blobs for which access is allowed.

Hope this helps.