4 Replies Latest reply on May 11, 2016 2:51 AM by ajff

    MSSQL Auditor Functionality

    toddhamlin

      Hi,

         Can anyone tell me what level of auditing is provided by this agent?  Will it pick up if someone modifies data using a query window?

       

      Thanks,

      Todd

        • Re: MSSQL Auditor Functionality
          nicole pauls

          Hi Todd,

           

          I couldn't find a very good document that describes what SQL Auditor does or how it works, so here goes.

           

          SQL Auditor uses the MSSQL Profiler with trace files that look for specific types of activity. In order to avoid having any visibility into credit card, patient, or other potential personal information that might pull the LEM appliance under specific regulations (or put sensitive data in a database where it shouldn't belong), we generally avoid tracing any query activity that would log values actually being inserted, updated, and deleted.

           

          It is capable of using Profiler/traces to audit ANYTHING done against a database, but MSSQL Auditor specifically looks for:

          • Schema changes
          • User/group additions/changes
          • Failures to do any activity - insert, update, delete, etc.

           

          These could be made from either the query window, a remote tool, or any application that accesses the database.

           

          We have had customers request or provide additional trace auditing, but we ALWAYS advise against capturing anything that might have actual query/insert data in it since that could be either stored in a log file (in plain text) on disk on the system and/or in the LEM database.

          1 of 1 people found this helpful
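
An added example, not part of the reply above and not SQL Auditor's own trace definition: a server-side trace that records schema and user/group changes (the first two bullets) while leaving out the TextData column, so inserted or updated values never reach the trace file. The trace file path and the choice of events and columns are assumptions.

```sql
-- Added illustration: a server-side trace limited to schema and principal
-- changes. TextData is deliberately not selected, so statement text (and any
-- literal values in it) is never written to the trace file.
DECLARE @traceid INT, @on BIT = 1, @maxsize BIGINT = 50;  -- MB per rollover file

-- Hypothetical path; SQL Server appends .trc. Option 2 = TRACE_FILE_ROLLOVER.
EXEC sp_trace_create @traceid OUTPUT, 2, N'D:\Traces\schema_principal_audit',
     @maxsize, NULL;

-- Resolve event and column ids by name from the catalog views, and keep only
-- the pairs the server lists as valid in sys.trace_event_bindings.
-- TextData and BinaryData are intentionally absent from the column list.
DECLARE pairs CURSOR LOCAL FAST_FORWARD FOR
    SELECT e.trace_event_id, c.trace_column_id
    FROM sys.trace_events e
    JOIN sys.trace_event_bindings b ON b.trace_event_id = e.trace_event_id
    JOIN sys.trace_columns c ON c.trace_column_id = b.trace_column_id
    WHERE e.name IN (N'Object:Created', N'Object:Altered', N'Object:Deleted',
                     N'Audit Addlogin Event', N'Audit Add DB User Event',
                     N'Audit Add Member to DB Role Event',
                     N'Audit Database Principal Management Event',
                     N'Audit Server Principal Management Event')
      AND c.name IN (N'StartTime', N'LoginName', N'HostName', N'ApplicationName',
                     N'DatabaseName', N'ObjectName', N'EventSubClass',
                     N'TargetLoginName', N'TargetUserName', N'RoleName');

DECLARE @event INT, @column INT;
OPEN pairs;
FETCH NEXT FROM pairs INTO @event, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- @on must be a BIT variable; a literal 1 is rejected by the procedure.
    EXEC sp_trace_setevent @traceid, @event, @column, @on;
    FETCH NEXT FROM pairs INTO @event, @column;
END
CLOSE pairs;
DEALLOCATE pairs;

EXEC sp_trace_setstatus @traceid, 1;  -- 1 = start the trace
SELECT @traceid AS trace_id;          -- needed later to stop (0) and close (2)
```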
          • Re: MSSQL Auditor Functionality
            ajff

            Hi Todd,

             

            Have you solved it?

             

            BR

            Alex

            • Re: MSSQL Auditor Functionality
              curtisi

              I have SQL Auditor running in my lab, is there something in particular I can look for to see if it captures it?