SQL Server 2012 audit report generation

Trying to determine whether the audit files written by a server can be read without having CONTROL SERVER access on that server.
The MSDN docs suggest this is possible:

Even when the Database Engine is writing to a file, other Windows
users can read the audit file if they have permission. The Database
Engine does not take an exclusive lock that prevents read operations.

and:

We recommend that you generate audit reports from a separate instance
of SQL Server, such as an instance of SQL Server Express, to which
only Audit Administrators or Audit Readers have access. By using a
separate instance of the Database Engine for reporting, you can help
prevent unauthorized users from obtaining access to the audit record.

In short, can I do this?

1. Configure the Audit on the Prod DB to write to a fileshare
2. Give the audit readers read access to the file share
3. Use sys.fn_get_audit_file('fileshare *') from a separate database to generate the audit reports.

[Clarification]
The key part of the question is whether you can use sys.fn_get_audit_file from a separate database to access the file without having admin access on the database that created the audit information. That way we can keep the DBAs, who have DB admin access, separate from the audit readers, who have file system access. Sorry that wasn't clear originally.

Regarding your answer: can this query be run from an unrelated SQL Mgmt Studio / DB, by someone who is not a DBA on the original DB?

SELECT 
    event_time, action_id, session_id, object_id, class_type, 
    database_principal_name, database_name, object_name, statement
FROM 
    sys.fn_get_audit_file('\\Temp\Audit\*',NULL,NULL);

Best answer: Indeed, this works.

USE [master]
GO

CREATE SERVER AUDIT [SQL2012-Audit-20121214-Demo]
TO FILE 
(   FILEPATH = N'\\Temp\Audit'
    ,MAXSIZE = 2 MB
    ,MAX_FILES = 32
    ,RESERVE_DISK_SPACE = OFF
) WITH (QUEUE_DELAY = 2000,ON_FAILURE = CONTINUE)
GO

ALTER SERVER AUDIT [SQL2012-Audit-20121214-Demo] WITH (STATE = ON);

USE [Performance]
GO

CREATE DATABASE AUDIT SPECIFICATION [SQL2012-DBAudit-20121214-Demo]
FOR SERVER AUDIT [SQL2012-Audit-20121214-Demo]
ADD (SELECT,INSERT,DELETE,UPDATE,EXECUTE ON DATABASE::[Performance] BY [dbo])
WITH (STATE = ON);
GO

With the server audit and database audit in place and active, the first audit file is created immediately and cannot be deleted, because Windows reports that the file is in use.

However, selecting from the file always works. Here is the "workload" whose activity is supposedly captured by the audit setup:

SELECT * INTO partition_stats_4 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats_3 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats_2 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats_1 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats   FROM Performance.sys.dm_db_partition_stats

DELETE FROM partition_stats
DELETE FROM partition_stats_1
DELETE FROM partition_stats_2
DELETE FROM partition_stats_3
DELETE FROM partition_stats_4

DROP TABLE partition_stats_4
DROP TABLE partition_stats_3
DROP TABLE partition_stats_2
DROP TABLE partition_stats_1
DROP TABLE partition_stats

Here are the results:

SELECT 
    event_time, action_id, session_id, object_id, class_type, 
    database_principal_name, database_name, object_name, statement
FROM 
    sys.fn_get_audit_file('\\Temp\Audit\*',NULL,NULL);


Incidentally, this is exactly the same as with server-side trace files. We run traces all the time and the files are "queryable" without any problem.

Happy auditing!

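The two-instance layout the question asks about, written out as an added example; this is not code from the question or from the accepted answer. The first script runs on the production instance and writes the audit to a share (and records changes to the audit itself, so a DBA disabling it leaves a trace); the second is what the audit readers run on their own reporting instance. The share path, the Windows group and the audit names are assumptions. Two points neither post spells out: sys.fn_get_audit_file requires CONTROL SERVER on the instance it is executed on, which is exactly why the readers' own Express instance is the right place to hold that permission, and the UNC path is opened by the reporting instance's service account rather than the interactive user, so that service account needs read access on the share.

```sql
-- Added example (not from the question or the accepted answer): the
-- two-instance layout the question proposes. The share, the login and
-- the audit names are assumptions.

------------------------------------------------------------------
-- 1. PRODUCTION instance: run once as a sysadmin. Write the audit to a
--    UNC share. Share/NTFS ACL: prod service account = write/create
--    (it must roll over to new files), audit-reader group = read only,
--    DBA accounts = no access, so a DBA cannot edit or delete the trail
--    through the file system.
------------------------------------------------------------------
USE [master];
GO
CREATE SERVER AUDIT [Prod-Audit-ToShare]
TO FILE
(   FILEPATH = N'\\auditshare\ProdAudit\'   -- assumed share name
   ,MAXSIZE = 100 MB
   ,MAX_ROLLOVER_FILES = 64
   ,RESERVE_DISK_SPACE = OFF
)
-- FAIL_OPERATION (2012+) fails audited actions while the share is
-- unreachable instead of silently dropping events as CONTINUE does.
WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
GO
-- Server-scope action groups that matter for separation of duties,
-- including AUDIT_CHANGE_GROUP so that turning the audit off is logged.
CREATE SERVER AUDIT SPECIFICATION [Prod-Audit-ToShare-ServerSpec]
FOR SERVER AUDIT [Prod-Audit-ToShare]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [Prod-Audit-ToShare] WITH (STATE = ON);
GO

------------------------------------------------------------------
-- 2. REPORTING instance (e.g. SQL Server Express on another box),
--    where only the audit readers are privileged. sys.fn_get_audit_file
--    requires CONTROL SERVER on the instance that runs it, so grant it
--    here and nowhere near production. The reporting instance's service
--    account (not the caller) opens the UNC path, so it must be a domain
--    account with read access on the share.
------------------------------------------------------------------
USE [master];
GO
CREATE LOGIN [CORP\AuditReaders] FROM WINDOWS;   -- assumed AD group
GRANT CONTROL SERVER TO [CORP\AuditReaders];
GO

-- Connectivity check: one row back means the share and files are readable.
SELECT TOP (1) file_name, event_time
FROM sys.fn_get_audit_file(N'\\auditshare\ProdAudit\*', NULL, NULL);

-- Report: anything that touched the audit objects or audit session state,
-- plus every failed/denied action (failed logins included).
-- sys.dm_audit_actions has one row per action/class pair, so de-duplicate
-- before joining; sys.dm_audit_class_type_map decodes the 2-char class_type.
WITH actions AS (
    SELECT DISTINCT action_id, name FROM sys.dm_audit_actions
)
SELECT f.event_time, f.succeeded, f.server_principal_name, f.database_name,
       c.class_type_desc, a.name AS action_name, f.statement, f.file_name
FROM sys.fn_get_audit_file(N'\\auditshare\ProdAudit\*', NULL, NULL) AS f
JOIN actions AS a
  ON a.action_id = f.action_id
LEFT JOIN sys.dm_audit_class_type_map AS c
  ON c.class_type = f.class_type
WHERE a.name LIKE 'AUDIT%'                 -- AUDIT SESSION CHANGED, AUDIT SHUTDOWN, ...
   OR c.class_type_desc LIKE '%AUDIT%'     -- CREATE/ALTER/DROP of the audit objects
   OR f.succeeded = 0
ORDER BY f.event_time DESC;
```

The prod DBA can still disable or drop the audit (sysadmin implies CONTROL SERVER there); the point of the layout is that doing so is itself written to a file the DBA cannot reach, and the readers do not need any login on the production instance to see it.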