MS SQL Admin : Sarbanes-Oxley, Audithttp://www.sqlprof.com/blogs/sqlserver/archive/tags/Sarbanes-Oxley/Audit/default.aspxTags: Sarbanes-Oxley, AuditenCommunityServer 2007.1 (Build: 20917.1142)Auditing Logins in SQL Server 2005http://www.sqlprof.com/blogs/sqlserver/archive/2008/03/29/auditing-logins-in-sql-server-2005.aspxSat, 29 Mar 2008 03:14:52 GMTf1c11735-f88c-466b-aadf-9e672bf81be1:17Eric Vaillancourt2http://www.sqlprof.com/blogs/sqlserver/rsscomments.aspx?PostID=17http://www.sqlprof.com/blogs/sqlserver/commentapi.aspx?PostID=17http://www.sqlprof.com/blogs/sqlserver/archive/2008/03/29/auditing-logins-in-sql-server-2005.aspx#comments<p>When I teach my SQL administration classes, I&#39;m often ask if SQL Server provides a mechanism to log user logins.&nbsp; Before SQL Server 2005 SP2, this task was possible but not reliable.&nbsp; In SQL Server 2005 this task is easy to implement using DDL triggers (Data Definition Language). <p>One reason that people ask me this question, is because they need to comply with Sarbanes-Oxley.&nbsp; I will be writing a series of articles on auditing for SOX in the next weeks. <p>As a consultant, I am frequently invited to attend meetings with Sarbanes-Oxley auditors to discuss the security and integrity of corporate data.&nbsp; they want to know who has access to the data, how access is granted, and how is the company monitoring to prevent someone from sneaking in, logging on, and doing something they shouldn&#39;t be doing. <p>In SQL 2005, a trigger can be created in order to perform any action upon a DDL statement. The scope can be database level or Server level. DDL triggers allow us to track critical changes to our database environment that may be intentional, by mistake, or malicious. <p>When you design DDL triggers, it&#39;s important to determine what events you want to audit, and to determine in which scope each event occurs. In this article, we will write a trigger to capture logins, which are server level events. <a href="http://msdn2.microsoft.com/en-ca/library/ms189871.aspx" target="_blank">You can get a list of all events that are valid for use in DDL triggers.</a> <p>The first step is to create a database and a table that we will use to store the logs. <p>Execute the following code: <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"></span>&nbsp;</p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">use</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">master</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">&nbsp;</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">create</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">database</span> Admin_Log</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">&nbsp;</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">use</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> Admin_Log</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">&nbsp;</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">create</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">schema</span> [admin]</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">&nbsp;</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">CREATE</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">TABLE</span> admin<span style="color:gray;">.</span>logs <span style="color:gray;">(</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">LogID <span style="color:blue;">int</span> <span style="color:blue;">IDENTITY</span><span style="color:gray;">(</span>1<span style="color:gray;">,</span>1<span style="color:gray;">),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">EventTime <span style="color:blue;">DATETIME</span><span style="color:gray;">,</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">EventType <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>100<span style="color:gray;">),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">LoginName <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>100<span style="color:gray;">),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">HostName <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>100<span style="color:gray;">),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">AppName <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>255<span style="color:gray;">),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">Event_Data <span style="color:blue;">XML</span><span style="color:gray;">)</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"></span></p> <p>Note that the table makes use of the XML data type, which is new in SQL Server 2005. As you&#39;d assume by its name, its job is to hold XML data. <p>Once your table is in place to keep track of the events, you&#39;re ready to create the trigger necessary to watch for these event. <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"></span>&nbsp;</p> <p class="MsoNormal" style="mso-layout-grid-align:none;">Execute the following code: </p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><font face="Courier New" color="#0000ff" size="2"></font>&nbsp;</p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">use</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">master</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">&nbsp;</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">create</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">trigger</span> ServerWideLoginLogs</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">on</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:gray;">all</span> <span style="color:blue;">server</span> </span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">with</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">execute</span> <span style="color:blue;">as</span> <span style="color:blue;">self</span> </span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">for</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> LOGON</span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">as</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:blue;">begin</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="color:blue;">DECLARE</span> @event <span style="color:blue;">XML</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="color:blue;">SET</span> @event <span style="color:gray;">=</span> <span style="color:fuchsia;">eventdata</span><span style="color:gray;">()</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="color:blue;">INSERT</span> <span style="color:blue;">INTO</span> Admin_Log<span style="color:gray;">.</span>admin<span style="color:gray;">.</span>logs <span style="color:gray;">(</span>EventTime<span style="color:gray;">,</span>EventType<span style="color:gray;">,</span>LoginName<span style="color:gray;">,</span>HostName<span style="color:gray;">,</span>AppName,Event_Data<span style="color:gray;">)</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="color:blue;">VALUES</span><span style="color:gray;">(</span><span style="color:fuchsia;">CAST</span><span style="color:gray;">(</span><span style="color:fuchsia;">CAST</span><span style="color:gray;">(</span>@event<span style="color:gray;">.</span>query<span style="color:gray;">(</span><span style="color:red;">&#39;/EVENT_INSTANCE/PostTime/text()&#39;</span><span style="color:gray;">)</span> <span style="color:blue;">AS</span> <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>64<span style="color:gray;">))</span> <span style="color:blue;">AS</span> <span style="color:blue;">DATETIME</span><span style="color:gray;">),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="color:fuchsia;"><font color="#333333">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </font>CAST</span><span style="color:gray;">(</span>@event<span style="color:gray;">.</span>query<span style="color:gray;">(</span><span style="color:red;">&#39;/EVENT_INSTANCE/EventType/text()&#39;</span><span style="color:gray;">)</span> <span style="color:blue;">AS</span> <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>100<span style="color:gray;">)),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="mso-tab-count:3;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="color:fuchsia;">CAST</span><span style="color:gray;">(</span>@event<span style="color:gray;">.</span>query<span style="color:gray;">(</span><span style="color:red;">&#39;/EVENT_INSTANCE/LoginName/text()&#39;</span><span style="color:gray;">)</span> <span style="color:blue;">AS</span> <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>100<span style="color:gray;">)),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="mso-tab-count:3;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="color:fuchsia;">CAST</span><span style="color:gray;">(</span>@event<span style="color:gray;">.</span>query<span style="color:gray;">(</span><span style="color:red;">&#39;/EVENT_INSTANCE/ClientHost/text()&#39;</span><span style="color:gray;">)</span> <span style="color:blue;">AS</span> <span style="color:blue;">VARCHAR</span><span style="color:gray;">(</span>100<span style="color:gray;">)),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="mso-tab-count:3;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><span style="color:fuchsia;">APP_NAME</span><span style="color:gray;">(),</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"><span style="mso-tab-count:3;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>@event<span style="color:gray;">)</span></span></p> <p class="MsoNormal" style="mso-layout-grid-align:none;"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">end</span></p> <p class="MsoNormal"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">GO</span></p> <p class="MsoNormal"><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"></span><span style="font-family:arial;"></span>&nbsp;</p> <p>This script creates the trigger that declares that we want to look for all DDL Login events that occur on the server. The information resulting when this trigger fires will go into the admin<span style="color:gray;">.</span>logs table that we created earlier. Notice that we casting information from our @event variable (that we initialized using the <span style="color:fuchsia;">eventdata</span><span style="color:gray;">() </span>function) to insert data into our table. </p> <p>In this context, the <span style="color:fuchsia;">eventdata</span><span style="color:gray;">() </span>function will gather information about the triggered event (LOGON) because that&#39;s the event specified in the statement FOR. </p> <p>To test our new trigger, try connecting to the server and execute the following code:</p> <p class="MsoNormal"><span style="font-size:10pt;color:blue;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">select</span><span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;"> <span style="color:gray;">*</span> <span style="color:blue;">from</span> admin<span style="color:gray;">.</span>logs</span><span style="font-size:10pt;"></span></p> <p><a href="http://sqlprof.com/blogs/sqlserver/WindowsLiveWriter/adeea3cefdeb_1167A/image_2.png"><img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px;" height="281" alt="image" src="http://sqlprof.com/blogs/sqlserver/WindowsLiveWriter/adeea3cefdeb_1167A/image_thumb.png" width="462" border="0" /></a>&nbsp; </p> <p>After running this statement, you will see that a record is inserted every time someone connects to the server. <p><strong>What&#39;s in your XML?</strong><br />The <span style="font-size:10pt;font-family:&#39;Courier New&#39;;mso-no-proof:yes;">Event_Data </span>field is populated by the EVENTDATA() function from our INSERT statement in our trigger. In this case, the <span style="color:fuchsia;">eventdata</span><span style="color:gray;">() </span>function returns XML data related to the connection, including the date and time of the login, the server name, the user ID, and the machine system ID. <p><a href="http://sqlprof.com/blogs/sqlserver/WindowsLiveWriter/adeea3cefdeb_1167A/image_4.png"><img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px;" height="190" alt="image" src="http://sqlprof.com/blogs/sqlserver/WindowsLiveWriter/adeea3cefdeb_1167A/image_thumb_1.png" width="395" border="0" /></a> </p> <p>Hope this was helpful,</p> <p>&nbsp;</p> <p>Eric Vaillancourt</p> <p>&nbsp;</p> <p> <div class="wlWriterSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:b2f1da07-7729-4603-bb37-3db855e78a7f" style="padding-right:0px;display:inline;padding-left:0px;padding-bottom:0px;margin:0px;padding-top:0px;">Technorati : <a href="http://technorati.com/tags/DDL%20Triggers" rel="tag">DDL Triggers</a>,<a href="http://technorati.com/tags/Sarbanes-Oxley" rel="tag">Sarbanes-Oxley</a>,<a href="http://technorati.com/tags/Audit" rel="tag">Audit</a>,<a href="http://technorati.com/tags/SQL%20Server%202005" rel="tag">SQL Server 2005</a></div></p><img src="http://www.sqlprof.com/aggbug.aspx?PostID=17" width="1" height="1">SecurityFOR LOGONDDL TriggersAuditSarbanes-Oxley