articles/sql-database/sql-database-auditing.md
45 additions & 56 deletions
@@ -8,7 +8,7 @@ ms.topic: conceptual
8
8
author: DavidTrigano
9
9
ms.author: datrigan
10
10
ms.reviewer: vanto
11
-
ms.date: 08/22/2019
11
+
ms.date: 02/11/2020
12
12
---
13
13
# Get started with SQL database auditing
14
14
@@ -22,9 +22,6 @@ Auditing for Azure [SQL Database](sql-database-technical-overview.md) and [SQL
22
22
> [!NOTE]
23
23
> This topic applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.
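Review bot: the header `@@ -22,9 +22,6 @@` records three lines removed from the region around the `[!NOTE]` on SQL Database and SQL Data Warehouse, but the rendered hunk shows only the two unchanged context lines, so the deleted text cannot be reviewed here; please expand the hunk or state in the PR description what was dropped from this note.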
@@ -38,11 +35,11 @@ You can use SQL database auditing to:
38
35
>
39
36
> - All storage kinds (v1, v2, blob) are supported.
40
37
> - All storage replication configurations are supported.
38
+
> - Storage behind a virtual network and firewall is supported.
41
39
> -**Premium storage** is currently **not supported**.
42
-
> -**Storage in VNet** is currently **not supported**.
43
-
> -**Storage behind a Firewall** is currently **not supported**.
44
40
> -**Hierarchical namespace** for **Azure Data Lake Storage Gen2 storage account** is currently **not supported**.
45
-
41
+
> - Enabling auditing on a paused **Azure SQL Data Warehouse** is not supported. To enable auditing, resume the Data Warehouse.
42
+
46
43
## <aid="subheading-8"></a>Define server-level vs. database-level auditing policy
47
44
48
45
An auditing policy can be defined for a specific database or as a default server policy:
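Review bot: deleting the `> -**Premium storage** is currently **not supported**.` bullet leaves the document inconsistent, because the Additional Information section later in this same change still keeps `**Premium Storage** is currently **not supported** by Append Blobs.` as unchanged text; either keep a Premium storage caveat in this list or update both places together. The new `> - Storage behind a virtual network and firewall is supported.` bullet should also tell the reader that this case has extra prerequisites introduced further down (an Active Directory admin on the server, `Allow trusted Microsoft services to access this storage account`, and the `Microsoft.Authorization/roleAssignments/write` permission on the storage account), for example by appending `see the storage destination section below`, since a reader who stops at this list will assume no further setup is needed.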
@@ -60,61 +57,51 @@ An auditing policy can be defined for a specific database or as a default server
60
57
>
61
58
> Otherwise, we recommended that you enable only server-level blob auditing and leave the database-level auditing disabled for all databases.
62
59
63
-
## <aid="subheading-2"></a>Set up auditing for your database
60
+
## <aid="subheading-2"></a>Set up auditing for your server
64
61
65
62
The following section describes the configuration of auditing using the Azure portal.
66
63
64
+
> [!NOTE]
65
+
>You now have multiple options for configuring where audit logs are written. You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs, or to event hub for consumption using event hub. You can configure any combination of these options, and audit logs will be written to each.
66
+
67
67
1. Go to the [Azure portal](https://portal.azure.com).
68
68
2. Navigate to **Auditing** under the Security heading in your SQL database/server pane.
69
-
70
-
<aid="auditing-screenshot"></a>
71
-
![Navigation pane][1]
72
-
73
69
3. If you prefer to set up a server auditing policy, you can select the **View server settings** link on the database auditing page. You can then view or modify the server auditing settings. Server auditing policies apply to all existing and newly created databases on this server.
74
70
75
71
![Navigation pane][2]
76
72
77
-
4. If you prefer to enable auditing on the database level, switch **Auditing** to **ON**.
78
-
79
-
If server auditing is enabled, the database-configured audit will exist side-by-side with the server audit.
73
+
4. If you prefer to enable auditing on the database level, switch **Auditing** to **ON**. If server auditing is enabled, the database-configured audit will exist side-by-side with the server audit.
80
74
81
75
![Navigation pane][3]
82
76
83
-
5.**New** - You now have multiple options for configuring where audit logs will be written. You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs, or to event hub for consumption using event hub. You can configure any combination of these options, and audit logs will be written to each.
84
-
85
-
> [!NOTE]
86
-
>Customer wishing to configure an immutable log store for their server- or database-level audit events should follow the [instructions provided by Azure Storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-immutability-policies-manage#enabling-allow-protected-append-blobs-writes)
87
-
88
-
> [!WARNING]
89
-
> Enabling auditing to Log Analytics will incur cost based on ingestion rates. Please be aware of the associated cost with using this [option](https://azure.microsoft.com/pricing/details/monitor/), or consider storing the audit logs in an Azure storage account.
### <aid="audit-storage-destination">Audit to storage destination</a>
92
78
93
-
6.To configure writing audit logs to a storage account, select **Storage** and open **Storage details**. Select the Azure storage account where logs will be saved, and then select the retention period. The old logs will be deleted. Then click **OK**.
79
+
To configure writing audit logs to a storage account, select **Storage** and open **Storage details**. Select the Azure storage account where logs will be saved, and then select the retention period. Then click **OK**. Logs older than the retention period are deleted.
94
80
95
81
> [!IMPORTANT]
96
82
> - The default value for retention period is 0 (unlimited retention). You can change this value by moving the **Retention (Days)** slider in **Storage settings** when configuring the storage account for auditing.
97
83
> - If you change retention period from 0 (unlimited retention) to any other value, please note that retention will only apply to logs written after retention value was changed (logs written during the period when retention was set to unlimited are preserved, even after retention is enabled)
7.To configure writing audit logs to a Log Analytics workspace, select **Log Analytics (Preview)** and open **Log Analytics details**. Select or create the Log Analytics workspace where logs will be written and then click **OK**.
87
+
To configure a storage account under a virtual network or firewall you will need an [Active Directory admin](/sql-database-aad-authentication-configure.md?tabs=azure-powershell#provision-an-azure-active-directory-administrator-for-your-azure-sql-database-server) on the server, enable **Allow trusted Microsoft services to access this storage account** on the storage account. In addition, you need to have the 'Microsoft.Authorization/roleAssignments/write' permission on the selected storage account.
We recommend you to be [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) in order to grant to the managed identity the role 'storage blob data contributor'. To learn more about permissions and role-based access control, see [What is role-based access control (RBAC) for Azure resources?](../role-based-access-control/overview.md) and [Add or remove role assignments using Azure RBAC and the Azure portal](../role-based-access-control/role-assignments-portal.md)
104
90
105
-
8. To configure writing audit logs to an event hub, select **Event Hub (Preview)** and open **Event Hub details**. Select the event hub where logs will be written and then click **OK**. Be sure that the event hub is in the same region as your database and server.
91
+
### <aid="audit-log-analytics-destination">Audit to Log Analytics destination</a>
92
+
93
+
To configure writing audit logs to a Log Analytics workspace, select **Log Analytics (Preview)** and open **Log Analytics details**. Select or create the Log Analytics workspace where logs will be written and then click **OK**.
> Enabling auditing to Log Analytics will incur cost based on ingestion rates. Please be aware of the associated cost with using this [option](https://azure.microsoft.com/pricing/details/monitor/), or consider storing the audit logs in an Azure storage account.
108
99
109
-
9. Click **Save**.
110
-
10. If you want to customize the audited events, you can do this via [PowerShell cmdlets](#subheading-7) or the [REST API](#subheading-9).
111
-
11. After you've configured your auditing settings, you can turn on the new threat detection feature and configure emails to receive security alerts. When you use threat detection, you receive proactive alerts on anomalous database activities that can indicate potential security threats. For more information, see [Getting started with threat detection](sql-database-threat-detection-get-started.md).
100
+
### <aid="audit-event-hub-destination">Audit to Event Hub destination</a>
112
101
113
-
> [!IMPORTANT]
114
-
> Enabling auditing on an paused Azure SQL Data Warehouse is not possible. To enable it, un-pause the Data Warehouse.
102
+
To configure writing audit logs to an event hub, select **Event Hub (Preview)** and open **Event Hub details**. Select the event hub where logs will be written and then click **OK**. Be sure that the event hub is in the same region as your database and server.
115
103
116
-
> [!WARNING]
117
-
> Enabling auditing on a server that has an Azure SQL Data Warehouse on it **will result in the Data Warehouse being resumed and re-paused again** which may incur in billing charges.
## <aid="subheading-3"></a>Analyze audit logs and reports
120
107
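Review bot: the step `9. Click **Save**.` is deleted but never re-added, so after the three new destination subsections (storage, Log Analytics, Event Hub) the procedure no longer tells the reader to save the auditing configuration; add a closing `Click **Save**.` line after the Event Hub subsection. Three further points in this hunk: the link `[Active Directory admin](/sql-database-aad-authentication-configure.md?tabs=azure-powershell#...)` uses a root-relative path with a `.md` extension, unlike the in-folder links such as `sql-database-threat-detection-get-started.md` and `../role-based-access-control/overview.md`, so it will most likely not resolve; that same paragraph runs `you will need an ... admin ... on the server, enable **Allow trusted Microsoft services to access this storage account**` into one sentence and should be split into separate requirements, with `We recommend you to be` changed to `We recommend that you be`; and the deleted `[!WARNING]` that enabling auditing on a server hosting an Azure SQL Data Warehouse `will result in the Data Warehouse being resumed and re-paused again` and may incur billing charges is not carried anywhere in the visible changes (the new storage-note bullet only says auditing a paused warehouse is not supported), so the billing consequence should be restored, for example in Additional Information. Also confirm that the `> [!WARNING]` opener deleted above the Log Analytics cost sentence is re-added before that sentence in the new Log Analytics subsection, where only the cost line itself is visible, and that the new `###` headings use the same `<a id="..."></a>` anchor-then-title form as the existing `##` headings rather than wrapping the title text inside the anchor.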
@@ -166,7 +153,7 @@ If you chose to write audit logs to an Azure storage account, there are several
166
153
167
154
![Navigation pane][8]
168
155
169
-
- Use the system function **sys.fn_get_audit_file** (T-SQL) to return the audit log data in tabular format. For more information on using this function, see [sys.fn_get_audit_file](https://docs.microsoft.com/sql/relational-databases/system-functions/sys-fn-get-audit-file-transact-sql).
156
+
- Use the system function **sys.fn_get_audit_file** (T-SQL) to return the audit log data in tabular format. For more information on using this function, see [sys.fn_get_audit_file](/sql/relational-databases/system-functions/sys-fn-get-audit-file-transact-sql).
170
157
171
158
- Use **Merge Audit Files** in SQL Server Management Studio (starting with SSMS 17):
172
159
1. From the SSMS menu, select **File** > **Open** > **Merge Audit Files**.
@@ -221,14 +208,16 @@ In production, you are likely to refresh your storage keys periodically. When wr
221
208
222
209
## Additional Information
223
210
211
+
- If you want to customize the audited events, you can do this via [PowerShell cmdlets](#subheading-7) or the [REST API](#subheading-9).
212
+
213
+
- After you've configured your auditing settings, you can turn on the new threat detection feature and configure emails to receive security alerts. When you use threat detection, you receive proactive alerts on anomalous database activities that can indicate potential security threats. For more information, see [Getting started with threat detection](sql-database-threat-detection-get-started.md).
224
214
- For details about the log format, hierarchy of the storage folder and naming conventions, see the [Blob Audit Log Format Reference](https://go.microsoft.com/fwlink/?linkid=829599).
225
215
226
216
> [!IMPORTANT]
227
217
> Azure SQL Database Audit stores 4000 characters of data for character fields in an audit record. When the **statement** or the **data_sensitivity_information** values returned from an auditable action contain more than 4000 characters, any data beyond the first 4000 characters will be **truncated and not audited**.
228
218
229
219
- Audit logs are written to **Append Blobs** in an Azure Blob storage on your Azure subscription:
230
220
-**Premium Storage** is currently **not supported** by Append Blobs.
231
-
-**Storage in VNet** is currently **not supported**.
232
221
233
222
- The default auditing policy includes all actions and the following set of action groups, which will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:
234
223
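Review bot: the anchors in the moved bullet `[PowerShell cmdlets](#subheading-7) or the [REST API](#subheading-9)` do not match the headings visible in this file: `subheading-9` is the id of the `Manage Azure SQL Server and Database auditing using Azure Resource Manager templates` heading, while the REST API heading is labelled `subheading-8`, which is in turn also used by `Define server-level vs. database-level auditing policy`; fix the link targets and give each heading a unique id. Separately, `**Premium Storage** is currently **not supported** by Append Blobs.` is kept as unchanged context here while its sibling `**Storage in VNet** is currently **not supported**.` is deleted; since the earlier hunk also removed the Premium storage bullet from the storage requirements list, decide whether Premium storage is still unsupported and make both sections agree.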
@@ -242,7 +231,7 @@ In production, you are likely to refresh your storage keys periodically. When wr
242
231
243
232
- Azure SQL Database auditing is optimized for availability & performance. During very high activity Azure SQL Database allows operations to proceed and may not record some audited events.
244
233
245
-
- For configuring Immutable Auditing on storage account, see [Allow protected append blobs writes](https://docs.microsoft.com/azure/storage/blobs/storage-blob-immutable-storage#allow-protected-append-blobs-writes). Please note that the container name for Auditing is **sqldbauditlogs**.
234
+
- For configuring Immutable Auditing on storage account, see [Allow protected append blobs writes](../storage/blobs/storage-blob-immutable-storage.md#allow-protected-append-blobs-writes). Please note that the container name for Auditing is **sqldbauditlogs**.
246
235
247
236
> [!IMPORTANT]
248
237
> The allow protected append blobs writes setting under time-based retention is currently available and visible only in the following regions:
@@ -255,34 +244,34 @@ In production, you are likely to refresh your storage keys periodically. When wr
255
244
256
245
**PowerShell cmdlets (including WHERE clause support for additional filtering)**:
257
246
258
-
-[Create or Update Database Auditing Policy (Set-AzSqlDatabaseAudit)](https://docs.microsoft.com/powershell/module/az.sql/set-azsqldatabaseaudit)
259
-
-[Create or Update Server Auditing Policy (Set-AzSqlServerAudit)](https://docs.microsoft.com/powershell/module/az.sql/set-azsqlserveraudit)
-[Remove Server Auditing Policy (Remove-AzSqlServerAudit)](/powershell/module/az.sql/remove-azsqlserveraudit)
264
253
265
254
For a script example, see [Configure auditing and threat detection using PowerShell](scripts/sql-database-auditing-and-threat-detection-powershell.md).
266
255
267
256
## <aid="subheading-8"></a>Manage Azure SQL Server and Database auditing using REST API
268
257
269
258
**REST API**:
270
259
271
-
-[Create or Update Database Auditing Policy](https://docs.microsoft.com/rest/api/sql/database%20auditing%20settings/createorupdate)
272
-
-[Create or Update Server Auditing Policy](https://docs.microsoft.com/rest/api/sql/server%20auditing%20settings/createorupdate)
-[Get Server *Extended* Auditing Policy](/rest/api/sql/server%20auditing%20settings/get)
282
271
283
272
## <aid="subheading-9"></a>Manage Azure SQL Server and Database auditing using Azure Resource Manager templates
284
273
285
-
You can manage Azure SQL database auditing using [Azure Resource Manager](https://docs.microsoft.com/azure/azure-resource-manager/resource-group-overview) templates, as shown in these examples:
274
+
You can manage Azure SQL database auditing using [Azure Resource Manager](../azure-resource-manager/management/overview.md) templates, as shown in these examples:
286
275
287
276
-[Deploy an Azure SQL Server with Auditing enabled to write audit logs to Azure Blob storage account](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-auditing-server-policy-to-blob-storage)
288
277
-[Deploy an Azure SQL Server with Auditing enabled to write audit logs to Log Analytics](https://github.com/Azure/azure-quickstart-templates/tree/master/201-sql-auditing-server-policy-to-oms)
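Review bot: the absolute docs.microsoft.com links for `Set-AzSqlDatabaseAudit`, `Set-AzSqlServerAudit` and the two REST `Create or Update ... Auditing Policy` entries are shown as deleted, but their replacements are not visible in the rendered hunk; confirm the root-relative forms were added in the same style as the visible `[Remove Server Auditing Policy (Remove-AzSqlServerAudit)](/powershell/module/az.sql/remove-azsqlserveraudit)` and `(/rest/api/sql/server%20auditing%20settings/get)` entries, and that none of the list items lost their surrounding blank lines, since the `-[...]` items are rendered as a bulleted list only when separated correctly. The `## <a id="subheading-8"></a>Manage Azure SQL Server and Database auditing using REST API` heading in this hunk reuses an id already assigned to `Define server-level vs. database-level auditing policy` earlier in the file; rename one of them so in-page links resolve to the intended section.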
@@ -311,4 +300,4 @@ You can manage Azure SQL database auditing using [Azure Resource Manager](https: