SQL Server 2012审计报告生成

Question

尝试确定是否可以在没有该服务器上的 CONTROL SERVER 访问权限的情况下读取该服务器输出的审核文件。 MSDN docs建议这是可能的:

Even when the Database Engine is writing to a file, other Windows users can read the audit file if they have permission. The Database Engine does not take an exclusive lock that prevents read operations.

还有:

We recommend that you generate audit reports from a separate instance of SQL Server, such as an instance of SQL Server Express, to which only Audit Administrators or Audit Readers have access. By using a separate instance of the Database Engine for reporting, you can help prevent unauthorized users from obtaining access to the audit record.

简而言之，我可以这样做吗？

• 配置 Prod DB 上的审核以输出到文件共享
• 授予审核读者对文件共享的读取权限
• 使用来自单独数据库的 sys.fn_get_audit_file('fileshare*') 来生成审核报告。

[澄清] q 的关键部分是，您是否可以使用 sys.fn_get_audit_file 从单独的数据库访问该文件，而无需对创建审核信息的数据库具有管理员访问权限。这样我们就可以让具有文件系统访问权限的审核读者与具有数据库管理员访问权限的 DBA 分开。抱歉一开始没有说清楚。

就您的答案而言，此查询是否可以由非原始数据库 DBA 的人员从不相关的 SQL Mgmt Studio/DB 运行？

SELECT 
    event_time, action_id, session_id, object_id, class_type, 
    database_principal_name, database_name, object_name, statement
FROM 
    sys.fn_get_audit_file('\\Temp\Audit\*',NULL,NULL);

Answer 1

确实，这有效。

USE [master]
GO

CREATE SERVER AUDIT [SQL2012-Audit-20121214-Demo]
TO FILE 
(   FILEPATH = N'\\Temp\Audit'
    ,MAXSIZE = 2 MB
    ,MAX_FILES = 32
    ,RESERVE_DISK_SPACE = OFF
) WITH (QUEUE_DELAY = 2000,ON_FAILURE = CONTINUE)
GO

ALTER SERVER AUDIT [SQL2012-Audit-20121214-Demo] WITH (STATE = ON);

USE [Performance]
GO

CREATE DATABASE AUDIT SPECIFICATION [SQL2012-DBAudit-20121214-Demo]
FOR SERVER AUDIT [SQL2012-Audit-20121214-Demo]
ADD (SELECT,INSERT,DELETE,UPDATE,EXECUTE ON DATABASE::[Performance] BY [dbo])
WITH (STATE = ON);
GO

服务器审核和数据库审核到位并激活后，立即创建了第一个审核文件，并且无法删除它，因为 Windows 声明该文件正在使用中。

但是，从文件中进行选择始终有效。以下是审计设置捕获的事件“工作负载”:

SELECT * INTO partition_stats_4 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats_3 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats_2 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats_1 FROM Performance.sys.dm_db_partition_stats
SELECT * INTO partition_stats   FROM Performance.sys.dm_db_partition_stats

DELETE FROM partition_stats
DELETE FROM partition_stats_1
DELETE FROM partition_stats_2
DELETE FROM partition_stats_3
DELETE FROM partition_stats_4

DROP TABLE partition_stats_4
DROP TABLE partition_stats_3
DROP TABLE partition_stats_2
DROP TABLE partition_stats_1
DROP TABLE partition_stats

结果如下:

SELECT 
    event_time, action_id, session_id, object_id, class_type, 
    database_principal_name, database_name, object_name, statement
FROM 
    sys.fn_get_audit_file('\\Temp\Audit\*',NULL,NULL);

顺便说一句，这与服务器端跟踪文件的模式完全相同。我们一直在运行跟踪，并且文件“可查询”，没有任何问题。

审核愉快!