I couldn't find a very good document that describes what SQL Auditor does or how it works, so here goes.
SQL Auditor uses the MSSQL Profiler with trace files that look for specific types of activity. In order to avoid having any visibility into credit card, patient, or other potential personal information that might pull the LEM appliance under specific regulations (or put sensitive data in a database where it shouldn't belong), we generally avoid tracing any query activity that would log values actually being inserted, updated, and deleted.
It is capable of using Profiler/traces to audit ANYTHING done against a database, but MSSQL Auditor specifically looks for:
- Schema changes
- User/group additions/changes
- Failures to do any activity - insert, update, delete, etc.
These could be made from either the query window, a remote tool, or any application that accesses the database.
We have had customers request or provide additional trace auditing, but we ALWAYS advise against capturing anything that might have actual query/insert data in it since that could be either stored in a log file (in plain text) on disk on the system and/or in the LEM database.
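The approach described in the post above, sketched as a server-side trace that records who did what and when but never the statement text. This is an added example and not part of the original post or SolarWinds' own trace definition; the event selection and the output path are assumptions chosen to match the three categories listed.

```sql
-- Added example: metadata-only audit trace. Event list and file path are
-- assumptions for illustration, not SQL Auditor's shipped trace definition.
DECLARE @TraceID int, @rc int, @maxsize bigint = 50, @on bit = 1;

-- Placeholder path (SQL Server appends .trc). Option 2 = TRACE_FILE_ROLLOVER.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2, N'D:\Traces\audit_metadata', @maxsize, NULL;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc);
    RETURN;
END

-- Schema changes: 46 Object:Created, 47 Object:Deleted, 164 Object:Altered
-- User/group changes: 104 Audit AddLogin, 108 Add Login to Server Role,
--                     109 Add DB User, 110 Add Member to DB Role
-- Failures: 20 Audit Login Failed, 162 User Error Message
-- DBCC: 116 Audit DBCC Event
DECLARE @events TABLE (id int PRIMARY KEY);
INSERT INTO @events VALUES (46),(47),(164),(104),(108),(109),(110),(20),(162),(116);

-- Columns kept: 8 HostName, 10 ApplicationName, 11 LoginName, 14 StartTime,
-- 21 EventSubClass, 23 Success, 31 Error, 34 ObjectName, 35 DatabaseName.
-- Deliberately absent: 1 TextData and 2 BinaryData, which can carry the
-- literal values from INSERT/UPDATE/DELETE statements.
DECLARE @cols TABLE (id int PRIMARY KEY);
INSERT INTO @cols VALUES (8),(10),(11),(14),(21),(23),(31),(34),(35);

-- Only register event/column pairs that SQL Server reports as valid.
DECLARE @e int, @c int;
DECLARE pairs CURSOR LOCAL FAST_FORWARD FOR
    SELECT b.trace_event_id, b.trace_column_id
    FROM sys.trace_event_bindings AS b
    JOIN @events AS e ON e.id = b.trace_event_id
    JOIN @cols   AS c ON c.id = b.trace_column_id;
OPEN pairs;
FETCH NEXT FROM pairs INTO @e, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_trace_setevent @TraceID, @e, @c, @on;
    FETCH NEXT FROM pairs INTO @e, @c;
END
CLOSE pairs;
DEALLOCATE pairs;

EXEC sp_trace_setstatus @TraceID, 1;  -- 1 = start the trace
SELECT @TraceID AS TraceID;           -- keep this id to stop (0) and close (2) later
```

With TextData excluded, a failed statement shows up only as an error number, login, host and time, so the trace file stays free of row values even when the failing query contained them.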
Have you solved it?
I have SQL Auditor running in my lab. Is there something in particular I can look for to see if it captures it?
Test with DBCC events and you'll see.