Security Audit Data Columns

Administering SQL Server

previous page next page
Administering SQL Server

Security Audit Data Columns

The following table lists the data columns for each event class in the Security Audit event category.

Event class Data column Description
Audit Add DB User Event Event Class Type of event recorded = 109.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = sp_adduser
2 = sp_dropuser
3 = grantdbaccess
4 = revokedbaccess
  Database Name Name of the database to which the user is being added.
  DBUserName The issuer's user name in the database.
  Target Login SID SID of the targeted Microsoft® Windows® login.
  Target Login Name Name of the targeted Windows login.
  Target User Name Name of the database user being added to the database.
  Role Name Name of a role to which the new database user is being added.
Audit Add Login to Server Role Event Event Class Type of event recorded = 108.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Add
2 = Drop
  Target Login SID Security identification number (SID) of the targeted Windows login.
  Target Login Name Name of the targeted Windows login.
  Role Name Name of the role to which the login is being added.
Audit Add Member to DB Role Event Event Class Type of event recorded = 110.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Add
2 = Drop
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Target Login SID The SID of the targeted login.
  Target Login Name The name of the login that is having role membership modified.
  Target User Name Name of the user that is having role membership modified.
Audit Add Role Event Event Class Type of event recorded = 111.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Add
2 = Drop
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Role Name Name of the role being created in the database.
Audit Addlogin Event Event Class Type of event being recorded = 104.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Add
2 = Drop
  Target Login SID Security identification number (SID) assigned to the login being added.
  Target Login Name Name of the login being added.
Audit App Role Change Password Event Event Class Type of event recorded = 112.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Value is:

Always = 1
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Role Name Database application role name whose password is being changed.
Audit Backup/Restore Event Event Class Type of event recorded = 115.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Backup
2 = Restore
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Text Data The SQL text of the backup/restore statement.
Audit Change Audit Event Event Class Type of event recorded = 117.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = New audit started
2 = Audit stopped
Audit DBCC Event Event Class Type of event recorded = 116.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Value is:

Always = 1
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Text Data The SQL text of the DBCC command.
Audit Login Event Event Class Type of event being recorded = 14.
  Text Data A delimited list of all set options.
  Binary Data Session level settings, including ANSI nulls, ANSI padding, cursor close on commit, null concatenation, and quoted identifiers.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
Audit Login Change Password Event Event Class Type of event recorded = 107.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = User changed his or her own password.
2 = User changed the password of another user.
  Target Login SID Security identification number (SID) of the targeted Windows login.
  Target Login Name Name of the targeted Windows login.
Audit Login Change Property Event Event Class Type of event being recorded = 106.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Default database
2 = Default language
  Target Login SID Security identification number (SID) of the targeted Windows login.
  Target Login Name Name of the targeted Windows login.
Audit Login Failed Event Event Class Type of event being recorded = 20
  Success The success or failure of the audit indicator. Value will always be:

0 = Failure
Audit Login GDR Event Event Class Type of event being recorded = 105.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Grant
2 = Revoke
3 = Deny
  Target Login SID Security identification number (SID) of the targeted Windows login.
  Target Login Name Name of the targeted Windows login.
Audit Logout Event Event Class Type of event being recorded = 15.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  End Time The end time of the log out.
  Duration The approximate amount of time since the user logged in.
  Reads The amount of logical read I/Os issued by this user during the connection.
  Writes The amount of logical write I/Os issued by this user during the connection.
  CPU The amount of CPU used by this user during the connection.
Audit Object Derived Permission Event Event Class Type of event being recorded = 118.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Create object
2 = Alter object
3 = Drop object
  Database Name The name of the database in which the object is being created, altered, or dropped.
  DBUserName The issuer's user name in the database.
  Object Type Type of object being created, altered, or dropped. Values are:

1 = Index
2 = Database
3 = User object
4 = CHECK constraint
5 = Default or DEFAULT constraint
6 = FOREIGN KEY constraint
7 = PRIMARY KEY constraint
8 = Stored procedure
9 = User-defined function (UDF)
10 = Rule
11 = Replication filter stored procedure
12 = System table
13 = Trigger
14 = Inline function
15 = Table valued UDF
16 = UNIQUE constraint
17 = User table
18 = View
19 = Extended stored procedure
20 = Ad-hoc query
21 = Prepared query
22 = Statistics
  Object Name The name of the object that is being created, altered, or dropped.
  Owner Name The database username of the object owner of the object being created, altered, or dropped.
  Text Data The SQL text of the statement.
Audit Object GDR Event Event Class Type of event being recorded = 103.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = Grant
2 = Revoke
3 = Deny
  Database Name Name of the database that the GRANT/DENY/REVOKE of the object permission is run in.
  DBUserName The issuer's user name in the database.
  Owner Name Name of the user who owns the object against which the GRANT/DENY/REVOKE statement is being run.
  Object Name Name of the object to which the permissions are being applied.
  Permissions Type of statement issued. Values are:

1 = SELECT ALL
2 = UPDATE ALL
4 = REFERENCES ALL
8 = INSERT
16 = DELETE
32 = EXECUTE (procedures only)
  Column Permissions Indicates whether a column permission was set. Values are:

0 = No
1 = Yes
  Text Data The SQL text of the GRANT/REVOKE/DENY statement.
Audit Object Permission Event Event Class Type of event recorded = 114.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Value is:

Always = 1
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Owner Name Owner name of the object for which the permissions are being checked.
  Object Name Name of the object whose permissions are being checked.
  Permissions Type of statement issued. Values are:

1 = SELECT ALL
2 = UPDATE ALL
4 = REFERENCES ALL
8 = INSERT
16 = DELETE
32 = EXECUTE (procedures only)
  Column Permissions Indicates whether a column permission was used. Parse the statement text to determine which permissions were applied to which columns.
  Text Data Text value dependent on the event class captured.
Audit Server Starts and Stops Event Event Class Type of event recorded = 118.
  Event Sub Class Class of event within the event. Values are:

1 = Instance Shutdown
2 = Instance Started
3 = Instance Pause
4 = Instance Continued
  Login SID Security identification number (SID) of the login running the GRANT/DENY/REVOKE statement for the Windows login.
  Login Name Name of the login running GRANT/DENY/REVOKE statement for the Windows login.
Audit Statement GDR Event Event Class Type of event being recorded = 102.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Values are:

1 = GRANT
2 = REVOKE
3 = DENY
  Database Name Name of the database to which the GRANT/DENY/REVOKE statement permission is being applied.
  DBUserName The issuer's user name in the database.
  Permissions Type of statement issued. Values are:

1 = CREATE DATABASE (master database only)
2 = CREATE TABLE
4 = CREATE PROCEDURE
8 = CREATE VIEW
16 = CREATE RULE
32 = CREATE DEFAULT
64 = BACKUP DATABASE
128 = BACKUP LOG
512 = CREATE FUNCTION
  Text Data The SQL text of the GRANT/DENY/REVOKE statement.
Audit Statement Permission Event Event Class Type of event recorded = 113.
  Success The success or failure of the audit indicator. Values are:

0 = Failure
1 = Success
  Event Sub Class Class of event within the event. Value is:

Always = 1
  Database Name Name of the database in which the command is being run.
  DBUserName The issuer's user name in the database.
  Permissions Type of statement issued. Values are:

1 = CREATE DATABASE (master database only)
2 = CREATE TABLE
4 = CREATE PROCEDURE
8 = CREATE VIEW
16 = CREATE RULE
32 = CREATE DEFAULT
64 = BACKUP DATABASE
128 = BACKUP LOG
512 = CREATE FUNCTION
  Text Data Text value dependent on the event class captured.

See Also

Security Audit Event Category

Security Audit Event Classes

previous page start next page