Remove From My Forums

Auditing Database create or remove

Question
0

Sign in to vote

Hi,

I'd like to monitor SQL database creation or removal so I can generate an event ID onto my NT application logs.

How can I do that easily?

Thanks,

Cédric

Win 2008R2, SQL 2008 R2

Wednesday, August 1, 2012 8:17 AM

Answers

1

Sign in to vote
As posted above the op can add which events they are interested by visiting the link: http://technet.microsoft.com/en-us/library/cc280663.aspx

They may well choose to have both DATABASE_CHANGE_GROUP and BACKUP_RESTORE_GROUP in the audit, but there may be other events they are interested in e.g. SERVER_STATE_CHANGE_GROUP

Jon
- Proposed as answer by amber zhang Thursday, August 2, 2012 1:58 AM
- Marked as answer by Olaf HelperMVP Thursday, February 21, 2013 5:06 PM
Wednesday, August 1, 2012 9:48 AM
0

Sign in to vote
Hi, BACKUP_RESTORE_GROUP would be better for the server audit. DDL triggers cannot catch the restore event. Janos
There are 10 type of people. Those who understand binary and those who do not.

My Blog | Hire Me
- Marked as answer by Olaf HelperMVP Thursday, February 21, 2013 5:06 PM
Wednesday, August 1, 2012 9:43 AM

All replies

0

Sign in to vote

Hello Cédric,

You could check the default trace for such events or you can create a DLL trigger to audit it ; see DDL Triggers , there is a sample for a CREATE_DATABASE trigger.
Olaf Helper
* cogito ergo sum * errare humanum est * quote erat demonstrandum *
Wenn ich denke, ist das ein Fehler und das beweise ich täglich
Blog Xing

Wednesday, August 1, 2012 8:27 AM

USE [master]
GO
CREATE SERVER AUDIT [ApplicationLogAudit]
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000,ON_FAILURE = CONTINUE)
GO
CREATE SERVER AUDIT SPECIFICATION [ApplicationLogAudit_Spec]
FOR SERVER AUDIT [ApplicationLogAudit]
ADD (DATABASE_CHANGE_GROUP)
--This event is raised when a database is created, altered, or dropped. 
WITH (STATE = ON)
GO
--Server-Level Audit Action Groups
--http://technet.microsoft.com/en-us/library/cc280663.aspx
ALTER SERVER AUDIT [ApplicationLogAudit] WITH (STATE = ON)

Jon

Wednesday, August 1, 2012 8:28 AM

1

Sign in to vote

What if someone restore the database I do no think DDL triggers will capture it..
Best Regards,Uri Dimant SQL Server MVP,http://sqlblog.com/blogs/uri_dimant/

Blog : MS SQL Development and Optimization

Blog : Large scale of database and cleansing

Wednesday, August 1, 2012 9:34 AM

Answerer
0

Sign in to vote
Hi, BACKUP_RESTORE_GROUP would be better for the server audit. DDL triggers cannot catch the restore event. Janos
There are 10 type of people. Those who understand binary and those who do not.

My Blog | Hire Me
- Marked as answer by Olaf HelperMVP Thursday, February 21, 2013 5:06 PM
Wednesday, August 1, 2012 9:43 AM
1

Sign in to vote
As posted above the op can add which events they are interested by visiting the link: http://technet.microsoft.com/en-us/library/cc280663.aspx

They may well choose to have both DATABASE_CHANGE_GROUP and BACKUP_RESTORE_GROUP in the audit, but there may be other events they are interested in e.g. SERVER_STATE_CHANGE_GROUP

Jon
- Proposed as answer by amber zhang Thursday, August 2, 2012 1:58 AM
- Marked as answer by Olaf HelperMVP Thursday, February 21, 2013 5:06 PM
Wednesday, August 1, 2012 9:48 AM
0

Sign in to vote

Hi,

Thanks it helped a lot. I managed to get the event ID 33205 with: statement:CREATE DATABASE [test08] ON PRIMAR. Actually I get several 33205 following a database creation.

Can I get a specific ID that I would choose, based on the statement (CREATE DATABASE) so I get a unique ID for a database creation.

I'm asking because We are using System Center Operation Manager and I can raise an alert based on the NT Application log I

Thursday, August 2, 2012 8:00 AM

Answered by:

Auditing Database create or remove

Question

Answers

All replies