SQL Server Audit Action Groups and Actions

APPLIES TO: SQL Server (yes); Azure SQL Database (no); Azure Synapse Analytics (SQL DW) (no); Parallel Data Warehouse (no)

The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. For more information, see SQL Server Audit (Database Engine).

SQL Server audits consist of zero or more audit action items. These audit action items can be either a group of actions, such as Server_Object_Change_Group, or individual actions such as SELECT operations on a table.

Note

Server_Object_Change_Group includes CREATE, ALTER, and DROP for any server object (Database or Endpoint).

Audits can have the following categories of actions:

  • Server-level. These actions include server operations, such as management changes and logon and logoff operations.

  • Database-level. These actions encompass data manipulation language (DML) and data definition language (DDL) operations.

  • Audit-level. These actions include actions in the auditing process.

Some actions performed on SQL Server auditing components are intrinsically audited in a specific audit; in these cases audit events occur automatically because the event occurred on the parent object.

The following actions are intrinsically audited:

  • Server Audit State Change (setting State to ON or OFF)

The following events are not intrinsically audited:

  • CREATE SERVER AUDIT SPECIFICATION

  • ALTER SERVER AUDIT SPECIFICATION

  • DROP SERVER AUDIT SPECIFICATION

  • CREATE DATABASE AUDIT SPECIFICATION

  • ALTER DATABASE AUDIT SPECIFICATION

  • DROP DATABASE AUDIT SPECIFICATION

All audits are disabled when initially created.
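The following Transact-SQL is an added example, not code from the documentation page, showing how a server audit and a server audit specification built from the server-level action groups described on this page fit together, and that both objects must be explicitly set to STATE = ON before anything is collected. The audit name Audit_ServerSecurity, the specification name ServerAuditSpec_Security and the file path C:\SQLAudit\ are placeholders chosen for this example.

```sql
-- Added example (not from the documentation page): create a server audit and a
-- server audit specification using action groups listed on this page.
-- Assumptions: the folder 'C:\SQLAudit\' exists and the SQL Server service account
-- can write to it; the object names below are placeholders.
USE master;
GO

-- 1. The audit object defines the target (here, a rolling set of files) and what
--    happens when a record cannot be written (ON_FAILURE).
CREATE SERVER AUDIT Audit_ServerSecurity
TO FILE
(
    FILEPATH = 'C:\SQLAudit\',          -- placeholder path
    MAXSIZE = 256 MB,
    MAX_ROLLOVER_FILES = 20,
    RESERVE_DISK_SPACE = OFF
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. The server audit specification attaches server-level action groups to the audit.
--    AUDIT_CHANGE_GROUP is included so that any attempt to alter or drop this audit
--    or its specifications is itself recorded.
CREATE SERVER AUDIT SPECIFICATION ServerAuditSpec_Security
FOR SERVER AUDIT Audit_ServerSecurity
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = OFF);                     -- created disabled, enabled in step 3
GO

-- 3. Audits are created disabled; nothing is collected until audit and
--    specification are both switched on.
ALTER SERVER AUDIT Audit_ServerSecurity WITH (STATE = ON);
ALTER SERVER AUDIT SPECIFICATION ServerAuditSpec_Security WITH (STATE = ON);
GO

-- 4. Verify that the audit is running and which groups are attached.
SELECT a.name AS audit_name, st.status_desc, st.audit_file_path
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS st ON st.audit_id = a.audit_id;

SELECT s.name AS specification_name, s.is_state_enabled, d.audit_action_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
    ON d.server_specification_id = s.server_specification_id
ORDER BY s.name, d.audit_action_name;
```

The specification is deliberately created with STATE = OFF and enabled afterwards to mirror the lifecycle the page describes; in practice WITH (STATE = ON) on the CREATE statement is equivalent. Step 4 is the check worth keeping in a scheduled job: sys.dm_server_audit_status reports whether the audit is actually started, which sys.server_audits alone does not.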

Server-Level Audit Action Groups

Server-level audit action groups are actions similar to SQL Server security audit event classes. For more information, see SQL Server Event Class Reference.

The following table describes the server-level audit action groups and provides the equivalent SQL Server Event Class where applicable.

Action group name and description:

  • APPLICATION_ROLE_CHANGE_PASSWORD_GROUP: This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class.

  • AUDIT_CHANGE_GROUP: This event is raised whenever any audit is created, modified, or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class.

  • BACKUP_RESTORE_GROUP: This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup and Restore Event Class.

  • BROKER_LOGIN_GROUP: This event is raised to report audit messages related to Service Broker transport security. Equivalent to the Audit Broker Login Event Class.

  • DATABASE_CHANGE_GROUP: This event is raised when a database is created, altered, or dropped. This event is raised whenever any database is created, altered, or dropped. Equivalent to the Audit Database Management Event Class.

  • DATABASE_LOGOUT_GROUP: This event is raised when a contained database user logs out of a database.

  • DATABASE_MIRRORING_LOGIN_GROUP: This event is raised to report audit messages related to database mirroring transport security. Equivalent to the Audit Database Mirroring Login Event Class.

  • DATABASE_OBJECT_ACCESS_GROUP: This event is raised whenever database objects such as message types, assemblies, and contracts are accessed. This event is raised for any access to any database. Note: This could potentially lead to large audit records. Equivalent to the Audit Database Object Access Event Class.

  • DATABASE_OBJECT_CHANGE_GROUP: This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. This event is raised whenever any database object is created, altered, or dropped. Note: This could lead to very large quantities of audit records. Equivalent to the Audit Database Object Management Event Class.

  • DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP: This event is raised when a change of owner for objects within database scope occurs. This event is raised for any object ownership change in any database on the server. Equivalent to the Audit Database Object Take Ownership Event Class.

  • DATABASE_OBJECT_PERMISSION_CHANGE_GROUP: This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. This event is raised for any object permission change for any database on the server. Equivalent to the Audit Database Object GDR Event Class.

  • DATABASE_OPERATION_GROUP: This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. This event is raised on any database operation on any database. Equivalent to the Audit Database Operation Event Class.

  • DATABASE_OWNERSHIP_CHANGE_GROUP: This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. This event is raised for any database ownership change on any database on the server. Equivalent to the Audit Change Database Owner Event Class.

  • DATABASE_PERMISSION_CHANGE_GROUP: This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any principal in SQL Server (this applies to database-only events, such as granting permissions on a database). This event is raised for any database permission change (GDR) for any database in the server. Equivalent to the Audit Database Scope GDR Event Class.

  • DATABASE_PRINCIPAL_CHANGE_GROUP: This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. (Also equivalent to the Audit Add DB Principal Event Class, which occurs on the deprecated sp_grantdbaccess, sp_revokedbaccess, sp_addPrincipal, and sp_dropPrincipal stored procedures.) This event is also raised whenever a database role is added or removed by using the sp_addrole or sp_droprole stored procedures. This event is raised whenever any database principal is created, altered, or dropped from any database. Equivalent to the Audit Add Role Event Class.

  • DATABASE_PRINCIPAL_IMPERSONATION_GROUP: This event is raised when there is an impersonation operation in the database scope, such as EXECUTE AS <principal> or SETPRINCIPAL. This event is raised for impersonations done in any database. Equivalent to the Audit Database Principal Impersonation Event Class.

  • DATABASE_ROLE_MEMBER_CHANGE_GROUP: This event is raised whenever a login is added to or removed from a database role. This event class is raised for the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures. This event is raised on any database role member change in any database. Equivalent to the Audit Add Member to DB Role Event Class.

  • DBCC_GROUP: This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class.

  • FAILED_DATABASE_AUTHENTICATION_GROUP: Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Failed Event Class.

  • FULLTEXT_GROUP: Indicates that a fulltext event occurred. Equivalent to the Audit Fulltext Event Class.

  • LOGIN_CHANGE_PASSWORD_GROUP: This event is raised whenever a login password is changed by way of the ALTER LOGIN statement or the sp_password stored procedure. Equivalent to the Audit Login Change Password Event Class.

  • LOGOUT_GROUP: Indicates that a principal has logged out of SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Logout Event Class.

  • SCHEMA_OBJECT_ACCESS_GROUP: This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class.

  • SCHEMA_OBJECT_CHANGE_GROUP: This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class. This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. This event is raised whenever any schema of any database changes. Equivalent to the Audit Statement Permission Event Class.

  • SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP: This event is raised when the permission to change the owner of a schema object (such as a table, procedure, or function) is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object. This event is raised for any schema ownership change for any database on the server. Equivalent to the Audit Schema Object Take Ownership Event Class.

  • SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP: This event is raised whenever a GRANT, DENY, or REVOKE is performed against a schema object. Equivalent to the Audit Schema Object GDR Event Class.

  • SERVER_OBJECT_CHANGE_GROUP: This event is raised for CREATE, ALTER, or DROP operations on server objects. Equivalent to the Audit Server Object Management Event Class.

  • SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP: This event is raised when the owner is changed for objects in server scope. Equivalent to the Audit Server Object Take Ownership Event Class.

  • SERVER_OBJECT_PERMISSION_CHANGE_GROUP: This event is raised whenever a GRANT, REVOKE, or DENY is issued for a server object permission by any principal in SQL Server. Equivalent to the Audit Server Object GDR Event Class.

  • SERVER_OPERATION_GROUP: This event is raised when Security Audit operations such as altering settings, resources, external access, or authorization are used. Equivalent to the Audit Server Operation Event Class.

  • SERVER_PERMISSION_CHANGE_GROUP: This event is raised when a GRANT, REVOKE, or DENY is issued for permissions in the server scope. Equivalent to the Audit Server Scope GDR Event Class.

  • SERVER_PRINCIPAL_CHANGE_GROUP: This event is raised when server principals are created, altered, or dropped. Equivalent to the Audit Server Principal Management Event Class. This event is also raised when a principal issues the sp_defaultdb or sp_defaultlanguage stored procedures or ALTER LOGIN statements. Equivalent to the Audit Addlogin Event Class. This event is raised on the sp_addlogin and sp_droplogin stored procedures. Also equivalent to the Audit Login Change Property Event Class. This event is raised for the sp_grantlogin or sp_revokelogin stored procedures. Equivalent to the Audit Login GDR Event Class.

  • SERVER_PRINCIPAL_IMPERSONATION_GROUP: This event is raised when there is an impersonation within server scope, such as EXECUTE AS <login>. Equivalent to the Audit Server Principal Impersonation Event Class.

  • SERVER_ROLE_MEMBER_CHANGE_GROUP: This event is raised whenever a login is added to or removed from a fixed server role. This event is raised for the sp_addsrvrolemember and sp_dropsrvrolemember stored procedures. Equivalent to the Audit Add Login to Server Role Event Class.

  • SERVER_STATE_CHANGE_GROUP: This event is raised when the SQL Server service state is modified. Equivalent to the Audit Server Starts and Stops Event Class.

  • SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP: Indicates that a principal successfully logged in to a contained database.

  • SUCCESSFUL_LOGIN_GROUP: Indicates that a principal has successfully logged in to SQL Server. Events in this class are raised by new connections or by connections that are reused from a connection pool. Equivalent to the Audit Login Event Class.

  • TRACE_CHANGE_GROUP: This event is raised for all statements that check for the ALTER TRACE permission. Equivalent to the Audit Server Alter Trace Event Class.

  • TRANSACTION_GROUP: This event is raised for BEGIN TRANSACTION, ROLLBACK TRANSACTION, and COMMIT TRANSACTION operations, both for explicit calls to those statements and for implicit transaction operations. This event is also raised for UNDO operations on individual statements caused by the rollback of a transaction.

  • USER_CHANGE_PASSWORD_GROUP: This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement.

  • USER_DEFINED_AUDIT_GROUP: This group monitors events raised by using sp_audit_write (Transact-SQL). Typically, triggers or stored procedures include calls to sp_audit_write to enable auditing of important events.

Considerations

Server-level action groups cover actions across a SQL Server instance. For example, any schema object access check in any database is recorded if the appropriate action group is added to a server audit specification. In a database audit specification, only schema object accesses in that database are recorded.

Server-level actions do not allow for detailed filtering on database-level actions. A database-level audit, such as an audit of SELECT actions on the Customers table for logins in the Employee group, is required to implement detailed action filtering. Do not include server-scoped objects, such as the system views, in a user database audit specification.

Note

Because of the overhead involved in enabling transaction-level auditing, starting with SQL Server 2016 (13.x) SP2 CU3 and SQL Server 2017 (14.x) CU4, transaction-level auditing is disabled by default unless you have Common Criteria Compliance enabled. If Common Criteria Compliance is disabled, you will still be able to add an action from TRANSACTION_GROUP to an audit specification, but it will not actually collect any transaction actions. If you intend to configure any auditing actions from TRANSACTION_GROUP, be sure that the transaction-level auditing infrastructure is enabled by enabling Common Criteria Compliance, starting with SQL Server 2016 (13.x) SP2 CU3 and SQL Server 2017 (14.x) CU4 and later. Note that in SQL Server 2016 (13.x), transaction-level auditing may also be disabled with trace flag 3427 starting with SP1 CU2.
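The following Transact-SQL is an added example, not code from the documentation page, that checks the precondition the note above describes before relying on TRANSACTION_GROUP: the Common Criteria Compliance server option is inspected and, if needed, enabled, so that a specification containing the group actually produces records. The audit name Audit_Transactions and the specification name ServerAuditSpec_Transactions are placeholders; the script assumes an instance at or above the builds named in the note.

```sql
-- Added example (not from the documentation page): make sure the transaction-level
-- auditing infrastructure is on before adding TRANSACTION_GROUP to a specification.
-- Object names are placeholders; APPLICATION_LOG is used as the target so that the
-- script needs no file path.
USE master;
GO

-- 1. Inspect the current setting. value_in_use = 0 means a TRANSACTION_GROUP action
--    is accepted by CREATE/ALTER SERVER AUDIT SPECIFICATION but collects nothing.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'common criteria compliance enabled';

-- 2. Enable it if needed. It is an advanced option, and the new value takes effect
--    only after the SQL Server service has been restarted.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'common criteria compliance enabled', 1;
RECONFIGURE;
GO

-- 3. The group can be attached at any time; records appear only once step 2 is in use.
CREATE SERVER AUDIT Audit_Transactions
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION ServerAuditSpec_Transactions
FOR SERVER AUDIT Audit_Transactions
    ADD (TRANSACTION_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_Transactions WITH (STATE = ON);
GO

-- 4. After the restart, confirm both halves: the option is in use (value_in_use = 1)
--    and the group is attached to an enabled specification.
SELECT c.value_in_use AS common_criteria_in_use,
       s.name          AS specification_name,
       s.is_state_enabled,
       d.audit_action_name
FROM sys.configurations AS c
CROSS JOIN sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
    ON d.server_specification_id = s.server_specification_id
WHERE c.name = N'common criteria compliance enabled'
  AND d.audit_action_name = N'TRANSACTION_GROUP';
```

The final query is the one to keep as a recurring check: a row with common_criteria_in_use = 0 means the specification looks correct in catalog views while transaction events are silently not being collected, which is exactly the gap the note warns about.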

Database-Level Audit Action Groups

Database-level audit action groups are actions similar to SQL Server Security Audit Event classes. For more information about event classes, see SQL Server Event Class Reference.

The following table describes the database-level audit action groups and provides their equivalent SQL Server Event Class where applicable.

Action group name and description:

  • APPLICATION_ROLE_CHANGE_PASSWORD_GROUP: This event is raised whenever a password is changed for an application role. Equivalent to the Audit App Role Change Password Event Class.

  • AUDIT_CHANGE_GROUP: This event is raised whenever any audit is created, modified, or deleted. This event is raised whenever any audit specification is created, modified, or deleted. Any change to an audit is audited in that audit. Equivalent to the Audit Change Audit Event Class.

  • BACKUP_RESTORE_GROUP: This event is raised whenever a backup or restore command is issued. Equivalent to the Audit Backup and Restore Event Class.

  • DATABASE_CHANGE_GROUP: This event is raised when a database is created, altered, or dropped. Equivalent to the Audit Database Management Event Class.

  • DATABASE_LOGOUT_GROUP: This event is raised when a contained database user logs out of a database. Equivalent to the Audit Backup and Restore Event Class.

  • DATABASE_OBJECT_ACCESS_GROUP: This event is raised whenever database objects such as certificates and asymmetric keys are accessed. Equivalent to the Audit Database Object Access Event Class.

  • DATABASE_OBJECT_CHANGE_GROUP: This event is raised when a CREATE, ALTER, or DROP statement is executed on database objects, such as schemas. Equivalent to the Audit Database Object Management Event Class.

  • DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP: This event is raised when a change of owner for objects within database scope occurs. Equivalent to the Audit Database Object Take Ownership Event Class.

  • DATABASE_OBJECT_PERMISSION_CHANGE_GROUP: This event is raised when a GRANT, REVOKE, or DENY has been issued for database objects, such as assemblies and schemas. Equivalent to the Audit Database Object GDR Event Class.

  • DATABASE_OPERATION_GROUP: This event is raised when operations in a database, such as checkpoint or subscribe query notification, occur. Equivalent to the Audit Database Operation Event Class.

  • DATABASE_OWNERSHIP_CHANGE_GROUP: This event is raised when you use the ALTER AUTHORIZATION statement to change the owner of a database, and the permissions that are required to do that are checked. Equivalent to the Audit Change Database Owner Event Class.

  • DATABASE_PERMISSION_CHANGE_GROUP: This event is raised whenever a GRANT, REVOKE, or DENY is issued for a statement permission by any user in SQL Server for database-only events, such as granting permissions on a database. Equivalent to the Audit Database Scope GDR Event Class.

  • DATABASE_PRINCIPAL_CHANGE_GROUP: This event is raised when principals, such as users, are created, altered, or dropped from a database. Equivalent to the Audit Database Principal Management Event Class. Also equivalent to the Audit Add DB User Event Class, which occurs on the deprecated sp_grantdbaccess, sp_revokedbaccess, sp_adduser, and sp_dropuser stored procedures. This event is also raised whenever a database role is added or removed using the deprecated sp_addrole and sp_droprole stored procedures. Equivalent to the Audit Add Role Event Class.

  • DATABASE_PRINCIPAL_IMPERSONATION_GROUP: This event is raised when there is an impersonation within database scope, such as EXECUTE AS <user>. Equivalent to the Audit Database Principal Impersonation Event Class.

  • DATABASE_ROLE_MEMBER_CHANGE_GROUP: This event is raised whenever a login is added to or removed from a database role. This event class is used with the sp_addrolemember, sp_changegroup, and sp_droprolemember stored procedures. Equivalent to the Audit Add Member to DB Role Event Class.

  • DBCC_GROUP: This event is raised whenever a principal issues any DBCC command. Equivalent to the Audit DBCC Event Class.

  • FAILED_DATABASE_AUTHENTICATION_GROUP: Indicates that a principal tried to log on to a contained database and failed. Events in this class are raised by new connections or by connections that are reused from a connection pool.

  • SCHEMA_OBJECT_ACCESS_GROUP: This event is raised whenever an object permission has been used in the schema. Equivalent to the Audit Schema Object Access Event Class.

  • SCHEMA_OBJECT_CHANGE_GROUP: This event is raised when a CREATE, ALTER, or DROP operation is performed on a schema. Equivalent to the Audit Schema Object Management Event Class. This event is raised on schema objects. Equivalent to the Audit Object Derived Permission Event Class. Also equivalent to the Audit Statement Permission Event Class.

  • SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP: This event is raised when the permission to change the owner of a schema object, such as a table, procedure, or function, is checked. This occurs when the ALTER AUTHORIZATION statement is used to assign an owner to an object. Equivalent to the Audit Schema Object Take Ownership Event Class.

  • SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP: This event is raised whenever a GRANT, DENY, or REVOKE is issued for a schema object. Equivalent to the Audit Schema Object GDR Event Class.

  • SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP: Indicates that a principal successfully logged in to a contained database.

  • USER_CHANGE_PASSWORD_GROUP: This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement.

  • USER_DEFINED_AUDIT_GROUP: This group monitors events raised by using sp_audit_write (Transact-SQL).

Database-Level Audit Actions

Database-level actions support the auditing of specific actions directly on database schemas and schema objects, such as Tables, Views, Stored Procedures, Functions, Extended Stored Procedures, Queues, and Synonyms. Types, XML Schema Collections, Databases, and Schemas are not audited as objects in their own right. The audit of schema objects may be configured on a Schema or a Database, which means that events on all schema objects contained by the specified schema or database will be audited. The following table describes database-level audit actions.

Action and description:

  • SELECT: This event is raised whenever a SELECT is issued.

  • UPDATE: This event is raised whenever an UPDATE is issued.

  • INSERT: This event is raised whenever an INSERT is issued.

  • DELETE: This event is raised whenever a DELETE is issued.

  • EXECUTE: This event is raised whenever an EXECUTE is issued.

  • RECEIVE: This event is raised whenever a RECEIVE is issued.

  • REFERENCES: This event is raised whenever a REFERENCES permission is checked.
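The following Transact-SQL is an added example, not code from the documentation page, that puts the database-level actions in the table above to work and illustrates the scoping point made under Considerations in the server-level section: it audits SELECT, UPDATE, INSERT and DELETE on one table for members of one role, EXECUTE across a whole schema, and REFERENCES checks across the whole database, from a specification that is confined to that single database. The database SalesDB, the table dbo.Customers, the role Employee and the audit and specification names are placeholders created here so the script runs on a test instance.

```sql
-- Added example (not from the documentation page): a database audit specification
-- using database-level actions at object, schema and database scope.
-- All object names are placeholders; the audit writes to the application log so
-- that no file path is needed.
USE master;
GO
CREATE SERVER AUDIT Audit_Sales
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT Audit_Sales WITH (STATE = ON);
GO

-- Placeholder database, table and role so the specification has something to target.
CREATE DATABASE SalesDB;
GO
USE SalesDB;
GO
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100));
CREATE ROLE Employee;
GO

-- The specification is scoped to SalesDB only. A server-level
-- SCHEMA_OBJECT_ACCESS_GROUP would instead record accesses in every database and
-- could not be narrowed to one table or one role.
CREATE DATABASE AUDIT SPECIFICATION DbAuditSpec_Sales
FOR SERVER AUDIT Audit_Sales
    -- Object scope: DML against one table by members of one role.
    ADD (SELECT, UPDATE, INSERT, DELETE ON OBJECT::dbo.Customers BY Employee),
    -- Schema scope: EXECUTE on every procedure and function in dbo, by every principal.
    ADD (EXECUTE ON SCHEMA::dbo BY public),
    -- Database scope: REFERENCES permission checks on any schema object in the database.
    ADD (REFERENCES ON DATABASE::SalesDB BY public),
    -- A database-level group can be mixed in; this one records GRANT/DENY/REVOKE on
    -- schema objects, so changes to who may reach the table are kept alongside the DML.
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Review what this database is auditing: class_desc tells you whether major_id is an
-- object, schema or database id, and audited_principal_id who the action applies to.
SELECT s.name AS specification_name,
       s.is_state_enabled,
       d.audit_action_name,
       d.class_desc,
       d.major_id,
       USER_NAME(d.audited_principal_id) AS audited_principal,
       d.is_group
FROM sys.database_audit_specifications AS s
JOIN sys.database_audit_specification_details AS d
    ON d.database_specification_id = s.database_specification_id
ORDER BY d.audit_action_name;
```

Per the page's guidance, nothing server-scoped (such as a system view) is added to this specification. The review query at the end runs inside the database because database audit specifications and their details are catalogued per database, not in master.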

Considerations

  • Database-level audit actions do not apply to Columns.

  • When the query processor parameterizes the query, the parameter can appear in the audit event log instead of the column values of the query.

  • RPC statements are not logged.

Audit-Level Audit Action Groups

You can also audit the actions in the auditing process. This can be in the server scope or the database scope. In the database scope, it only occurs for database audit specifications. The following table describes audit-level audit action groups.

Action group name and description:

  • AUDIT_CHANGE_GROUP: This event is raised whenever one of the following commands is issued: CREATE SERVER AUDIT, ALTER SERVER AUDIT, DROP SERVER AUDIT, CREATE SERVER AUDIT SPECIFICATION, ALTER SERVER AUDIT SPECIFICATION, DROP SERVER AUDIT SPECIFICATION, CREATE DATABASE AUDIT SPECIFICATION, ALTER DATABASE AUDIT SPECIFICATION, DROP DATABASE AUDIT SPECIFICATION.
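The following Transact-SQL is an added example, not code from the documentation page, written from the reviewer's side of auditing the auditing process: it first lists audits that exist but are not running, then reads the audit files and returns every record whose target is an audit object (a server audit, server audit specification or database audit specification), which is what AUDIT_CHANGE_GROUP and the intrinsically audited state change produce. It assumes the audit writes files to C:\SQLAudit\ (a placeholder path); the catalog views and the sys.fn_get_audit_file and sys.dm_audit_class_type_map functions are the ones listed at the end of this page.

```sql
-- Added example (not from the documentation page): detect a stopped audit and list
-- recorded changes to the auditing objects themselves.
-- Assumption: audit files live under 'C:\SQLAudit\' (placeholder path).

-- 1. An audit that exists but is not STARTED collects nothing. Surface those first,
--    together with when its status last changed.
SELECT a.name, a.is_state_enabled, st.status_desc, st.status_time
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS st ON st.audit_id = a.audit_id
WHERE st.status_desc <> N'STARTED';

-- 2. Read the audit files and keep only records whose class is an audit object.
--    sys.dm_audit_class_type_map turns the two-character class_type stored in each
--    record into a readable name, so no class codes are hard-coded here.
SELECT f.event_time,
       m.class_type_desc,
       CASE f.action_id                      -- common action ids; others shown raw
            WHEN 'CR' THEN 'CREATE'
            WHEN 'AL' THEN 'ALTER'
            WHEN 'DR' THEN 'DROP'
            ELSE f.action_id
       END AS action_name,
       f.succeeded,
       f.server_principal_name,
       f.session_server_principal_name,     -- differs from the above under EXECUTE AS
       f.object_name,
       f.statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_class_type_map AS m ON m.class_type = f.class_type
WHERE m.class_type_desc LIKE N'%AUDIT%'
ORDER BY f.event_time DESC;
```

Two details matter when reading the result. The page states that any change to an audit is audited in that audit, so an ALTER SERVER AUDIT ... WITH (STATE = OFF) leaves a final record in the very file it switches off; and session_server_principal_name alongside server_principal_name shows who was actually connected when the change was made, rather than only the identity that was being impersonated.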

See Also

  • Create a Server Audit and Server Audit Specification

  • Create a Server Audit and Database Audit Specification

  • CREATE SERVER AUDIT (Transact-SQL)

  • ALTER SERVER AUDIT (Transact-SQL)

  • DROP SERVER AUDIT (Transact-SQL)

  • CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)

  • ALTER SERVER AUDIT SPECIFICATION (Transact-SQL)

  • DROP SERVER AUDIT SPECIFICATION (Transact-SQL)

  • CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)

  • ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL)

  • DROP DATABASE AUDIT SPECIFICATION (Transact-SQL)

  • ALTER AUTHORIZATION (Transact-SQL)

  • sys.fn_get_audit_file (Transact-SQL)

  • sys.server_audits (Transact-SQL)

  • sys.server_file_audits (Transact-SQL)

  • sys.server_audit_specifications (Transact-SQL)

  • sys.server_audit_specification_details (Transact-SQL)

  • sys.database_audit_specifications (Transact-SQL)

  • sys.database_audit_specification_details (Transact-SQL)

  • sys.dm_server_audit_status (Transact-SQL)

  • sys.dm_audit_actions (Transact-SQL)

  • sys.dm_audit_class_type_map (Transact-SQL)