SQL Server Audit requirements

  • Question

  • Hello!

    This page says:

    There are two key requirements for writing SQL Server server audits to the Windows Security log:

    • The audit object access setting must be configured to capture the events. The audit policy tool (auditpol.exe) exposes a variety of sub-policies settings in the audit object access category. To allow SQL Server to audit object access, configure the application generated setting.
    • The account that the SQL Server service is running under must have the generate security audits permission to write to the Windows Security log. By default, the LOCAL SERVICE and the NETWORK SERVICE accounts have this permission. This step is not required if SQL Server is running under one of those accounts.
    • Provide full permission for the SQL Server service account to the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security.

    It's not clear to me if all of these three (not two!) key requirements must be met to allow SQL Server to write to the Security log, or just any of them?

    Thank you in advance,
    Michael

    Thursday, May 23, 2019 10:05 AM

Answers

  • I agree, it is confusing. All three are needed, but the second item mentions how default accounts already have the permission. So that might be why the text says "two". 

    You can submit a change for this page, Microsoft has made their documentation open source. Sign in, and click 'Edit' at the top. Or, just submit feedback that the page is confusing as written.

    HTH

    Thursday, May 23, 2019 2:46 PM
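    Since all three conditions have to hold at once, a read-only check of each one on the SQL Server host is useful before enabling the audit. The script below is an added example, not from this thread or from the Microsoft page; it assumes an elevated PowerShell prompt, English auditpol output and the default instance service name MSSQLSERVER (use 'MSSQL$NAME' for a named instance).

```powershell
# Read-only check of the three requirements quoted in the question.
# Assumption: run elevated on the SQL Server host, English auditpol output,
# default instance service name MSSQLSERVER.
param([string]$ServiceName = 'MSSQLSERVER')

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
"Service account: $account ($sid)"

# 1. Object Access > Application Generated sub-policy must not be 'No Auditing'.
$pol = (auditpol /get /subcategory:"Application Generated") -match 'Application Generated' |
       Select-Object -First 1
$req1 = [bool]$pol -and ($pol -notmatch 'No Auditing')
"1. Application Generated audit policy: $($pol -replace '\s{2,}', ' ')"

# 2. 'Generate security audits' (SeAuditPrivilege) for the service account.
#    LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hold it by default.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = (Get-Content $inf) -match '^SeAuditPrivilege'
Remove-Item $inf -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line[0] -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$req2 = ($sid -in $holders) -or ($sid -in @('S-1-5-19', 'S-1-5-20'))
"2. SeAuditPrivilege holders: $($holders -join ', ')"

# 3. Full Control for the service account on the Security event log key.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$req3 = [bool]((Get-Acl -Path $key).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $full) -eq $full) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid })
"3. Full Control on $key for ${account}: $req3"

if ($req1 -and $req2 -and $req3) { "All three requirements are met." }
else { "Not all requirements are met: policy=$req1 privilege=$req2 registry=$req3" }
```

    The script only reports; the policy is changed with auditpol /set, the user right through Local Security Policy or Group Policy, and the key ACL with Set-Acl, as the quoted page describes.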

All replies

  • Hi SQLRockstar,

    Thank you for the help!

    "the second item mentions how default accounts already have the permission" - ??? The main thought here is this: "The account that the SQL Server service is running under must have the generate security audits permission to write to the Windows Security log." so there're obviously 3 key points, not 2...

    Regards,
    Michael

    Friday, May 24, 2019 8:22 AM