Configuring SQL Audit for Windows Event Logging
I have successfully configured SQL auditing to log events in Windows Security. Here are the steps to set it up:
- Adjust Local Policies: Navigate to Local Policies -> User Rights Assignment in the Local Policy settings. Add the service account NT SERVICE\MSSQLSERVER to the “Generate security audits” property.
- Modify Registry Permissions: Provide NT SERVICE\MSSQLSERVER with full control permissions on the following registry keys:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
- Change Audit Policy via Command Prompt: Open Command Prompt as an administrator and run the following command:
  auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
- Restart the Server: After making these changes, restart the server to ensure they take effect.
- Update EventSourceFlags in Registry (for Windows OS 2016 and later): Change the EventSourceFlags registry value from 0 to 1. It can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQLSERVER
Once the SQL events are configured, you can specify what to Audit at either the instance or database level. This configuration captures a wide range of events, including logons, logoffs, permission changes, and user role modifications.
Note: It’s advisable to enable SQL auditing for a limited time or temporarily lower the auditing level, as it can generate numerous events if applications are active.
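The Windows-side steps above (user right, registry ACLs, audit policy, EventSourceFlags), scripted in PowerShell as an added example that is not part of the original post. It assumes a default instance, so the service account is NT SERVICE\MSSQLSERVER (a named instance uses NT SERVICE\MSSQL$InstanceName); the function names and the use of secedit for the user right are this example's own choices. Run it from an elevated session and review the check table it prints before restarting.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): applies the prerequisites that let
# SQL Server Audit write to the Windows Security log. Assumes a default instance.
$ServiceAccount = 'NT SERVICE\MSSQLSERVER'
$EventLogKeys   = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
)
$SourceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\MSSQLSERVER'

function Grant-GenerateSecurityAudits {
    # Step 1: "Generate security audits" is the SeAuditPrivilege user right. There is
    # no built-in cmdlet for user rights, so export the policy with secedit, append the
    # account to the SeAuditPrivilege line, and import it again (assumption: secedit
    # is used here in place of the Local Security Policy GUI named in the post).
    param([string]$Account)
    $inf = Join-Path $env:TEMP 'sqlaudit-rights.inf'
    $sdb = Join-Path $env:TEMP 'sqlaudit-rights.sdb'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = @(Get-Content -Path $inf)
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -like 'SeAuditPrivilege*') { $idx = $i; break }
    }
    if ($idx -lt 0) {
        $lines += "SeAuditPrivilege = $Account"
    } elseif ($lines[$idx] -notlike "*$Account*") {
        $lines[$idx] = $lines[$idx] + ",$Account"
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    secedit.exe /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
}

function Grant-EventLogKeyAccess {
    # Step 2: full control for the service account on both EventLog keys.
    param([string]$Account, [string[]]$Keys)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    foreach ($key in $Keys) {
        $acl = Get-Acl -Path $key
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
}

function Enable-ApplicationGeneratedAuditing {
    # Step 3: the same auditpol command the post gives, run from PowerShell.
    auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}

function Set-EventSourceFlags {
    # Step 5 (Windows 2016 and later): EventSourceFlags 0 -> 1 on the MSSQLSERVER source key.
    # Assumption: the key exists only once SQL Server has registered its event source,
    # so warn instead of creating it.
    param([string]$Key)
    if (Test-Path -Path $Key) {
        Set-ItemProperty -Path $Key -Name 'EventSourceFlags' -Value 1 -Type DWord
    } else {
        Write-Warning "$Key not found; re-run this step after the SQL audit has been created."
    }
}

function Test-SqlAuditPrerequisites {
    # Read back each setting so the result can be checked before the restart (step 4).
    param([string]$Account, [string[]]$Keys, [string]$SourceKey)
    foreach ($key in $Keys) {
        $hasFull = (Get-Acl -Path $key).Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and $_.RegistryRights -eq 'FullControl' }
        [pscustomobject]@{ Check = "FullControl on $key"; Ok = [bool]$hasFull }
    }
    # auditpol /r prints CSV; the "Inclusion Setting" column holds the effective policy.
    $pol = auditpol.exe /get /subcategory:"Application Generated" /r | ConvertFrom-Csv
    [pscustomobject]@{ Check = 'Application Generated = Success and Failure'
                       Ok    = ($pol.'Inclusion Setting' -eq 'Success and Failure') }
    $flags = (Get-ItemProperty -Path $SourceKey -Name EventSourceFlags -ErrorAction SilentlyContinue).EventSourceFlags
    [pscustomobject]@{ Check = 'EventSourceFlags = 1'; Ok = ($flags -eq 1) }
}

Grant-GenerateSecurityAudits -Account $ServiceAccount
Grant-EventLogKeyAccess      -Account $ServiceAccount -Keys $EventLogKeys
Enable-ApplicationGeneratedAuditing
Set-EventSourceFlags -Key $SourceKey
Test-SqlAuditPrerequisites -Account $ServiceAccount -Keys $EventLogKeys -SourceKey $SourceKey |
    Format-Table -AutoSize
# Step 4: restart the server once the checks above show Ok = True (Restart-Computer).
```

The check table is the part worth keeping: the user right and the registry ACL fail silently if the account name is wrong for a named instance, and the audit then simply writes nothing to the Security log.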
One response
It looks like you’ve provided a detailed step-by-step guide on how to configure SQL Server auditing to capture events in Windows Security logs. This is a great resource for ensuring that SQL auditing captures a comprehensive set of events, not just login and logout actions.
Here’s a summary of the process:
- User Rights Assignment: Grant the necessary permissions to the SQL Server service account to generate security audits.
- Registry Permissions: Ensure that the NT SERVICE\MSSQLSERVER account has full control over specific registry keys that are critical for logging events.
- Enable Audit Policies: Use the auditpol command to enable auditing for application-generated events.
- Server Restart: Restart the server to apply the changes made to ensure proper functionality.
- Modify EventSourceFlags: For Windows 2016 and later, modifying the EventSourceFlags can help in capturing and logging relevant events for auditing.
- SQL Audits Configuration: Finally, configure the actual auditing settings within SQL Server to capture a broad range of activities like permissions changes and user role management, and keep in mind that extensive logging can lead to large amounts of data, so it’s advisable to monitor the setup and adjust as needed.
This approach not only enhances security but also supports compliance efforts by retaining an accurate record of database activity. Just be sure to monitor performance and storage, as extensive auditing can generate a large volume of logs. Thanks for sharing this valuable information!
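The SQL Server side of the setup (the "SQL Audits Configuration" step in the summary above, and the instance-level audit the original post refers to), as an added example that is not part of the original post or the response. It assumes a default local instance and the SqlServer PowerShell module (Invoke-Sqlcmd); the audit and specification names are constructed for this example. It creates a server audit that targets the Security log, attaches a specification for logons, logoffs, permission changes and role-membership changes, confirms the audit is running, reads the resulting events back, and provides the switch-off the post's note recommends.

```powershell
# Added example (not from the original post): SQL Server audit targeting the Security log.
# Assumes a local default instance and the SqlServer module; names are this example's own.
$Instance  = '.'
$AuditName = 'Audit_To_SecurityLog'
$SpecName  = 'AuditSpec_Logins_Permissions'

$createAudit = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName')
    CREATE SERVER AUDIT [$AuditName]
        TO SECURITY_LOG
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'$SpecName')
    CREATE SERVER AUDIT SPECIFICATION [$SpecName]
        FOR SERVER AUDIT [$AuditName]
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (FAILED_LOGIN_GROUP),
        ADD (LOGOUT_GROUP),
        ADD (SERVER_PERMISSION_CHANGE_GROUP),
        ADD (DATABASE_PERMISSION_CHANGE_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
        ADD (AUDIT_CHANGE_GROUP)   -- records anyone altering or disabling the audit itself
        WITH (STATE = ON);

ALTER SERVER AUDIT [$AuditName] WITH (STATE = ON);
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $createAudit

# Confirm the audit is enabled and that the engine reports it as STARTED.
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT a.name, a.is_state_enabled, s.status_desc
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id
WHERE a.name = N'$AuditName';
"@ | Format-Table -AutoSize

# SQL Server writes its audit records to the Security log as Event ID 33205 from the
# MSSQLSERVER source; this reads the five most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'MSSQLSERVER'; Id = 33205 } -MaxEvents 5 |
    Select-Object TimeCreated, Message |
    Format-List

function Disable-SqlSecurityLogAudit {
    # The post advises running the audit only for a limited time: turn the
    # specification off first, then the audit, so no events are dropped mid-write.
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
ALTER SERVER AUDIT SPECIFICATION [$SpecName] WITH (STATE = OFF);
ALTER SERVER AUDIT [$AuditName] WITH (STATE = OFF);
"@
}
```

The AUDIT_CHANGE_GROUP line is the one a defender should not drop: without it, a disabling of the audit leaves no trace in the Security log, which is exactly the gap an attacker with sysadmin rights would use. To narrow the volume the post warns about, remove SUCCESSFUL_LOGIN_GROUP and LOGOUT_GROUP from the specification and keep the failed-login and change groups.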