© 2025 accountspayableaudit.co.uk. Created for free using WordPress and Kubio

SQL Audit sent a event log of windows

Latest Comments

March 25, 2025 | 2:45 PM

SQL Audit Event Log Configuration for Windows

Hello! I have set up SQL auditing to log events in Windows Security. Here’s a step-by-step guide on how to configure it:

  1. Adjust Local Policies: Navigate to Local Policies > User Rights Assignment and add the service user NT SERVICE\MSSQLSERVER to the Generate Security Audits property.

  2. Grant Permissions: Provide NT SERVICE\MSSQLSERVER with full control permissions in the Windows Registry for the following keys:

  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

  4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

  5. Set Audit Policy: Open an elevated Command Prompt (Run as Administrator) and execute the following command:
    auditpol /set /subcategory:"application generated" /success:enable /failure:enable

  6. Restart the Server: Reboot the server to apply the changes.

  7. Modify EventSourceFlags (Windows 2016 and Later): If you’re using Windows Server 2016 or later, change the EventSourceFlags registry entry from 0 to 1 at the following location:

  8. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQLSERVER$

Once the configuration is complete, you can set the SQL events to be audited at either the instance or database level. This will log various events, including not just logon and logoff activities, but also permissions changes and user role management.

Note: Be mindful to enable SQL auditing only for a short duration, as it generates a high volume of events, particularly if applications are actively running.

Tags:

No tags

Categories:

Audit
Previous
Next

One response

  1. It looks like you’ve provided a comprehensive guide on configuring SQL Server auditing to write to Windows security events. Here’s a brief summary and some additional tips:

    Summary of Steps for SQL Server Auditing:

    1. User Rights Assignment: Configuring the service account (NT SERVICE\MSSQLSERVER) to generate security audits in the local security policy is crucial for ensuring that SQL Server can write Audit logs.

    2. Registry Permissions: Granting Full Control on the specified registry keys is necessary to allow SQL Server to access the event log and write entries.

    3. Enable Audit Polices: Using auditpol to enable both success and failure audits for application-generated events captures all relevant activity.

    4. Restart the Server: A restart is required to apply these changes effectively.

    5. Adjust EventSourceFlags: Modifying the EventSourceFlags registry value is an important step, especially on Windows Server 2016 and later, to ensure proper logging functionality.

    6. Configuration of SQL Audits: Setting up SQL audits at the instance or database level captures not only login events but also changes in permissions and role modifications.

    Additional Tips:

    • Monitor Log Size: As you noted, enabling extensive auditing can generate a large amount of data. Consider implementing a maintenance plan to manage the size of the security logs effectively.

    • Filter Events: If possible, adjust the filter settings to limit the types of events you don’t need, which can help reduce log clutter.

    • Review Regularly: Make a habit of regularly reviewing your Audit logs for any unusual activity or security issues.

    • Testing: After configuration, run tests to ensure the auditing is capturing the expected events without excessive noise.

    If anyone needs further clarification or a more detailed explanation of a specific step, feel free to ask!

Leave a Reply

© 2025 accountspayableaudit.co.uk. Created for free using WordPress and Kubio