Roxanne25
asked on
SQL Logon/Logoff Auditing/Trigger?
Hello, I need some help coming up with the best method for checking user activity on our SQL Server. I know I can enable server audits and such but I need a method that gives me all the information I want and does not hurt performance.
I don't need to audit select statements but I just need to know, what account logged in, what database they logged into, when they logged in and possibly when they logged out. Other stuff like the hostname, what program they were using is helpful but not required. My main target is trying to get the database they accessed.
Do any of you have a good procedure/trigger for this or is there a good way to configure the audit profiles? I did some research but was a bit fuzzy with the built in SQL stuff.
I don't need to audit select statements but I just need to know, what account logged in, what database they logged into, when they logged in and possibly when they logged out. Other stuff like the hostname, what program they were using is helpful but not required. My main target is trying to get the database they accessed.
Do any of you have a good procedure/trigger for this or is there a good way to configure the audit profiles? I did some research but was a bit fuzzy with the built in SQL stuff.
You can use a standard "FOR LOGON" trigger to do all of that except capturing logging out. You would probably need to use extended events to capture the logout activity.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here's the shell for creating a logon trigger. A logon trigger is synchronous, i.e., the trigger processing occurs before the logon completes. Still, a properly-written trigger won't noticeably slow things down unless there are extremely large numbers of logons.
Event notifications are async and thus would not slow down logon.
Here's the basic, setup code for a logon trigger:
CREATE TRIGGER [Server_Trigger_Logon]
ON ALL SERVER
--WITH EXECUTE AS 'sa' --don't want to do this as we will lose original caller's info
AFTER LOGON
AS
INSERT INTO dbo.login_history ( login, login_datetime2, ... )
SELECT ORIGINAL_LOGIN(), SYSDATETIME, ...
--WHERE ORIGINAL_LOGIN() NOT IN (...list of logins to exclude from logging...)
Event notifications are async and thus would not slow down logon.
Here's the basic, setup code for a logon trigger:
CREATE TRIGGER [Server_Trigger_Logon]
ON ALL SERVER
--WITH EXECUTE AS 'sa' --don't want to do this as we will lose original caller's info
AFTER LOGON
AS
INSERT INTO dbo.login_history ( login, login_datetime2, ... )
SELECT ORIGINAL_LOGIN(), SYSDATETIME, ...
--WHERE ORIGINAL_LOGIN() NOT IN (...list of logins to exclude from logging...)
ASKER
@Phillip:
I took your advise with the database audit specification... but it doesn't work. I'm trying to be more granular with it and do "select" as the audit type and then specify specific users and schemas I want audited...but when I do this nothing gets inserted into the log. If I do the Schema_Object_Access_Group then it does work and captures stuff...but of course then it will log every little darned thing from every user...and I don't want the log getting clogged up with stuff I don't need.
Do you know why the "select" type won't work?
I took your advise with the database audit specification... but it doesn't work. I'm trying to be more granular with it and do "select" as the audit type and then specify specific users and schemas I want audited...but when I do this nothing gets inserted into the log. If I do the Schema_Object_Access_Group
Do you know why the "select" type won't work?
ASKER
Nevermind, I figured it out... it didn't seem to like me putting multiple principals on the same line. Once I separated each principal I wanted to audit into separate lines, it worked fine. Thanks for the help!