© 2025 accountspayableaudit.co.uk. Created for free using WordPress and Kubio

SQL Audit sent a event log of windows

Latest Comments

March 28, 2025 | 3:42 PM

SQL Audit Configuration for Windows Event Logging

Hello! I have configured SQL auditing to write to Windows security events. Here’s how you can set it up:

  1. Local Policy Configuration:
  2. Navigate to Local Policies -> User Rights Assignment.

  3. Find the property “Generate security audits” and add the service user NT SERVICE\MSSQLSERVER.

  4. Registry Permissions:

  5. Grant NT SERVICE\MSSQLSERVER full control permissions on the following registry keys:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

  6. Command Prompt Configuration:

  7. Open Command Prompt as an administrator and run the following command:
    auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable

  8. Restart the Server:

  9. After making the changes, restart your server.

  10. For Windows Server 2016 and Later:

  11. Update the EventSourceFlags registry key from 0 to 1 at:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQLSERVER

After completing these steps, you can configure the events to be audited within SQL, either at the instance or database level. This setup allows you to capture all specified events, including logon/logout activities as well as permission changes, user role modifications, etc. Note: Be cautious when enabling SQL auditing, as generating logs over time can lead to numerous events, especially if applications are actively running. It’s advisable to enable it temporarily and then reduce the logging duration to manage the volume of events.

Tags:

No tags

Categories:

Audit
Previous
Next

One response

  1. It looks like you’ve shared a detailed process for configuring SQL Server auditing to log events in Windows Security Events. This is a great way to enhance security and track user activities within the SQL Server environment. Here are some points to consider or clarify regarding your setup:

    1. User Rights Assignment: Adding the relevant service user (NT SERVICE\MSSQLSERVER) to the User Rights Assignment is crucial for enabling the SQL Server to generate security audits. Make sure that the user has sufficient privileges to perform the necessary actions.

    2. Registry Permissions: Granting full control permissions to the SQL service account on the specified registry keys is a good step to avoid any permission issues when the SQL Server tries to write Audit logs to the event log.

    3. Audit Policy Configuration: Using auditpol to enable success and failure auditing for application-generated events is essential for comprehensive auditing. Double-check that the command executes successfully without any errors.

    4. Server Restart: Restarting the server after making these changes is a good practice to ensure that all updates are applied and that SQL Server recognizes the new policies.

    5. EventSourceFlags Registry Change: Changing the EventSourceFlags registry value is an important step for Windows Server 2016 and newer versions. This setting can help improve how events are logged and displayed in the Event Viewer.

    6. SQL Auditing Scope: It’s wise to configure SQL Server audits at the instance or database level, depending on your needs. Just keep in mind the potential flood of events and resource usage, especially in production environments where applications are actively running.

    7. Monitoring and Maintenance: Regularly monitor the Audit logs, as the volume of events can grow quickly. It’s important to have a plan for archiving or managing these logs to avoid consuming excessive disk space.

    If others are looking to implement similar auditing, your detailed steps can serve as a great guideline. Thanks for sharing your insights and experience in this area!

Leave a Reply

© 2025 accountspayableaudit.co.uk. Created for free using WordPress and Kubio