SQL Audit Event Logging in Windows
I’ve set up an SQL Audit to log events in Windows Security Events. Here’s a step-by-step guide:
- Configure Local Policies: Navigate to Local Policies -> User Rights Assignment. In the properties of Generate Security Audits, add the service user NT SERVICE\MSSQLSERVER.
- Registry Permissions: Grant NT SERVICE\MSSQLSERVER full control permissions for the following registry keys:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
- Enable Audit Policies: Open Command Prompt as an administrator and run:
  auditpol /set /subcategory:"application generated" /success:enable /failure:enable
- Restart Your Server: After making these changes, restart your server.
- Adjust EventSourceFlags (Windows 2016 & Later): If you are using Windows Server 2016 or later, change the EventSourceFlags registry value from 0 to 1 at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQLSERVER$
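The following PowerShell script is an added example, not part of the original post: it checks each Windows-side prerequisite from the steps above (the Generate Security Audits right, full control on the two EventLog keys, the "Application Generated" audit subcategory, and EventSourceFlags on the source key) and, only when run with -Apply, sets whatever is missing. It assumes a default instance (the service account NT SERVICE\MSSQLSERVER, which resolves to a SID only on a host where that service exists; a named instance uses NT SERVICE\MSSQL$<InstanceName>) and an elevated session; the parameter names and the temporary file names are choices made here.

```powershell
# Added example (not from the original post): reports the Windows-side
# prerequisites for SQL Audit -> Security log and, with -Apply, sets the missing ones.
# Assumes a default instance and an elevated PowerShell session.
[CmdletBinding()]
param(
    [string]$ServiceName = 'MSSQLSERVER',   # named instance: MSSQL$<InstanceName>
    [switch]$Apply                          # report only unless -Apply is given
)

$account = "NT SERVICE\$ServiceName"
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$eventLogKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
)
$sourceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\$ServiceName`$"

function Report([string]$Item, [bool]$Ok) {
    Write-Host ('{0,-70} {1}' -f $Item, $(if ($Ok) { 'OK' } else { 'MISSING' }))
}

# 1. "Generate security audits" user right (SeAuditPrivilege in secedit templates).
#    secedit lists holders as *SID entries, so compare against the resolved SID.
$cfg = Join-Path $env:TEMP 'user-rights.inf'    # temporary file name chosen here
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = (Select-String -Path $cfg -Pattern '^SeAuditPrivilege' | Select-Object -First 1).Line
$hasRight = $line -and $line.Contains("*$sid")
Report "SeAuditPrivilege granted to $account" $hasRight
if (-not $hasRight -and $Apply) {
    # keep the existing holders of the right and append the service SID
    $current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    $merged  = if ($current) { "$current,*$sid" } else { "*$sid" }
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeAuditPrivilege = $merged"
    ) | Set-Content -Path $cfg -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'user-rights.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
}

# 2. Full control for the service account on both EventLog keys.
$full = [System.Security.AccessControl.RegistryRights]::FullControl
foreach ($key in $eventLogKeys) {
    $acl = Get-Acl -Path $key
    $has = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $full) -eq $full
    })
    Report "Full control on $key" $has
    if (-not $has -and $Apply) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $account, $full, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
}

# 3. Advanced audit policy: Object Access > Application Generated (success and failure).
$row = auditpol /get /subcategory:"Application Generated" /r | Where-Object { $_ } | ConvertFrom-Csv
$ok  = $row.'Inclusion Setting' -eq 'Success and Failure'
Report 'auditpol "Application Generated" = Success and Failure' $ok
if (-not $ok -and $Apply) {
    auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
}

# 4. EventSourceFlags = 1 on the audit source key (Windows Server 2016 and later).
#    The source key is expected to exist by this point in the procedure above.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion.Major -ge 10) {
    $flags = (Get-ItemProperty -Path $sourceKey -Name EventSourceFlags -ErrorAction SilentlyContinue).EventSourceFlags
    Report "EventSourceFlags = 1 at $sourceKey" ($flags -eq 1)
    if ($flags -ne 1 -and $Apply -and (Test-Path $sourceKey)) {
        Set-ItemProperty -Path $sourceKey -Name EventSourceFlags -Value 1 -Type DWord
    }
}

if ($Apply) { Write-Host 'Changes applied; restart the server as the steps above require.' }
```

Run it once without -Apply to see which prerequisites a host is missing, then with -Apply from an elevated session; the user-right change is made through a secedit template so that the existing holders of the right are preserved rather than replaced.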
Next, you’ll need to configure which events to audit in SQL, either at the instance or database level. This setup allows you to capture all specified events, not just logon/logoff, but also permission changes and user role modifications.
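As an added example of the SQL-side configuration (not code from the original post), the script below uses the SqlServer module's Invoke-Sqlcmd to create a server audit that writes to the Windows Security log and an instance-level audit specification covering logons together with principal, role and permission changes, then looks in the Security log for the resulting events. The audit and specification names are chosen here; it assumes the SqlServer module is installed, that the session runs as a sysadmin login on the SQL Server host, and that the host is configured as in the steps above.

```powershell
# Added example (not from the original post): SQL-side setup of an audit to the
# Security log plus a check that events arrive. Names below are chosen here.
param(
    [string]$ServerInstance = '.',
    [string]$AuditName      = 'SecurityLogAudit'   # hypothetical audit name
)
$SpecName = "${AuditName}_ServerSpec"               # hypothetical specification name

$tsql = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName')
    CREATE SERVER AUDIT [$AuditName]
        TO SECURITY_LOG
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

-- Instance-level specification: logons plus principal, role and permission changes
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'$SpecName')
    CREATE SERVER AUDIT SPECIFICATION [$SpecName]
        FOR SERVER AUDIT [$AuditName]
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (FAILED_LOGIN_GROUP),
        ADD (LOGOUT_GROUP),
        ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (SERVER_PERMISSION_CHANGE_GROUP),
        ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
        ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
        ADD (DATABASE_PERMISSION_CHANGE_GROUP)
        WITH (STATE = ON);

-- Audits are created in the OFF state; enable it only if it is not already running
IF EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName' AND is_state_enabled = 0)
    ALTER SERVER AUDIT [$AuditName] WITH (STATE = ON);

-- Runtime status: STARTED means the engine could open the Security log
SELECT a.name, a.type_desc, s.status_desc, s.status_time
FROM sys.server_audits a
JOIN sys.dm_server_audit_status s ON s.audit_id = a.audit_id
WHERE a.name = N'$AuditName';
"@

Import-Module SqlServer
Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tsql | Format-Table -AutoSize

# SQL Server Audit records appear in the Security log with event ID 33205.
Start-Sleep -Seconds 2   # QUEUE_DELAY above is 1000 ms, so allow the queue to flush
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 33205 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events |
        Select-Object TimeCreated, ProviderName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Warning 'No SQL audit events (ID 33205) in the Security log yet; open a new login to the instance and re-check the Windows prerequisites.'
}
```

If the status query reports the audit as anything other than STARTED, the Windows-side prerequisites are the first thing to revisit, since that is where the engine is refused access to the Security log; reading the Security log with Get-WinEvent itself requires an elevated session. Database-level specifications (CREATE DATABASE AUDIT SPECIFICATION) can be attached to the same server audit when data access in a particular database also needs to be captured.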
Important Note: Enable SQL audits for a limited time as they can generate a significant number of events, especially with active applications running. Remember to lower the audit frequency after confirming the configuration.
One response
It looks like you’ve outlined a detailed process for configuring SQL Server audits to write to the Windows security event log. This setup is really important for maintaining a high level of security and compliance within SQL Server environments.
Here are a few additional tips and considerations:
- Testing Configuration: After configuring the Audit settings, make sure to conduct thorough testing to ensure that the events are being logged as expected. Check both the SQL Server logs and the Windows Event Viewer to confirm that events are recorded accurately.
- Review Event Volume: As you mentioned, enabling SQL audits can generate a substantial number of events, especially if you have active applications. It’s a good practice to monitor the volume of events generated and, if necessary, fine-tune the Audit configuration to focus on critical actions only.
- Audit Policies: Be mindful of the specific audit policies you enable at the SQL level. You may want to track actions like data modifications, logins, and permission changes, while excluding less critical events.
- Documentation: Document your configuration steps and any changes you make along the way. This will be helpful for troubleshooting or for future audits and reviews.
- Security Best Practices: Make sure the NT SERVICE\MSSQLSERVER account has the minimum permissions necessary to perform its tasks. This helps reduce the impact of a potential security breach.
- Backup and Restore: Regularly back up the server and the registry settings before making changes so you can quickly revert if needed.
Overall, well done on the setup! This proactive approach to using SQL Server auditing will significantly enhance your security posture.