SQL Server 审核(数据库引擎)SQL Server Audit (Database Engine)

适用于:Applies to: 是SQL ServerSQL Server(所有支持的版本)yesSQL ServerSQL Server (all supported versions) 是Azure SQL 托管实例Azure SQL Managed InstanceYesAzure SQL 托管实例Azure SQL Managed Instance适用于:Applies to: 是SQL ServerSQL Server(所有支持的版本)yesSQL ServerSQL Server (all supported versions) 是Azure SQL 托管实例Azure SQL Managed InstanceYesAzure SQL 托管实例Azure SQL Managed Instance

“审核”SQL Server 数据库引擎SQL Server Database Engine 实例或单独的数据库涉及到 数据库引擎Database Engine 中发生的跟踪和记录事件。Auditing an instance of the SQL Server 数据库引擎SQL Server Database Engine or an individual database involves tracking and logging events that occur on the 数据库引擎Database Engine. 通过SQL ServerSQL Server 审核,您可以创建服务器审核,其中可以包含针对服务器级别事件的服务器审核规范和针对数据库级别事件的数据库审核规范。SQL ServerSQL Server audit lets you create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. 可将审核的事件写入事件日志或审核文件。Audited events can be written to the event logs or to audit files.

重要

Azure SQL 托管实例上,此 T-SQL 功能对行为进行了一些更改。On Azure SQL Managed Instance, this T-SQL feature has certain behavior changes. 要详细了解所有 T-SQL 行为变更,请参阅 Azure SQL 托管实例与 SQL Server 之间的 T-SQL 差异See Azure SQL Managed Instance T-SQL differences from SQL Server for details for all T-SQL behavior changes.

SQL ServerSQL Server的审核级别有若干种,具体取决于您的安装的政府要求或标准要求。There are several levels of auditing for SQL ServerSQL Server, depending on government or standards requirements for your installation. SQL ServerSQL Server 审核提供若干必需的工具和进程,用于启用、存储和查看对各个服务器和数据库对象的审核。Audit provides the tools and processes you must have to enable, store, and view audits on various server and database objects.

您可以记录每个实例的服务器审核操作组,或记录每个数据库的数据库审核操作组或数据库审核操作。You can record server audit action groups per-instance, and either database audit action groups or database audit actions per database. 在每次遇到可审核操作时,都将发生审核事件。The audit event will occur every time that the auditable action is encountered.

SQL ServerSQL Server 的所有版本均支持服务器级审核。All editions of SQL ServerSQL Server support server level audits. SQL Server 2016 (13.x)SQL Server 2016 (13.x) SP1 开始,所有版本都支持数据库级审核。All editions support database level audits beginning with SQL Server 2016 (13.x)SQL Server 2016 (13.x) SP1. 在此之前,数据库级审核限制为 Enterprise、Developer 和 Evaluation 版本。Prior to that, database level auditing was limited to Enterprise, Developer, and Evaluation editions. 有关详细信息,请参阅 SQL Server 2016 各个版本支持的功能For more information, see Features Supported by the Editions of SQL Server 2016.

备注

本 主题适用于 SQL ServerSQL ServerThis topic applies to SQL ServerSQL Server. 有关 SQL 数据库SQL Database的信息,请参阅 Get started with SQL database auditing(SQL 数据库审核入门)For SQL 数据库SQL Database, see Get started with SQL database auditing.

SQL Server 审核组件SQL Server Audit Components

“审核”是将若干元素组合到一个包中,用于执行一组特定服务器操作或数据库操作。An audit is the combination of several elements into a single package for a specific group of server actions or database actions. SQL ServerSQL Server 审核的组件组合生成的输出就称为审核,就如同报表定义与图形和数据元素组合生成报表一样。The components of SQL ServerSQL Server audit combine to produce an output that is called an audit, just as a report definition combined with graphics and data elements produces a report.

SQL ServerSQL Server 审核使用“扩展事件” 以帮助创建审核。audit uses Extended Events to help create an audit. 有关扩展事件的详细信息,请参阅 扩展事件For more information about Extended Events, see Extended Events.

SQL Server 审核SQL Server Audit

“SQL Server 审核” 对象收集单个服务器实例或数据库级操作和操作组以进行监视。The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor. 这种审核处于 SQL ServerSQL Server 实例级别。The audit is at the SQL ServerSQL Server instance level. 每个 SQL ServerSQL Server 实例可以具有多个审核。You can have multiple audits per SQL ServerSQL Server instance.

定义审核时,将指定结果的输出位置。When you define an audit, you specify the location for the output of the results. 这是审核的目标位置。This is the audit destination. 审核是在 禁用 状态下创建的,因此不会自动审核任何操作。The audit is created in a disabled state, and does not automatically audit any actions. 启用审核后,审核目标将从审核接收数据。After the audit is enabled, the audit destination receives data from the audit.

服务器审核规范Server Audit Specification

“服务器审核规范” 对象属于审核。The Server Audit Specification object belongs to an audit. 您可以为每个审核创建一个服务器审核规范,因为它们都是在 SQL ServerSQL Server 实例范围内创建的。You can create one server audit specification per audit, because both are created at the SQL ServerSQL Server instance scope.

服务器审核规范可收集许多由扩展事件功能引发的服务器级操作组。The server audit specification collects many server-level action groups raised by the Extended Events feature. 您可以在服务器审核规范中包括“审核操作组” 。You can include audit action groups in a server audit specification. 审核操作组是预定义的操作组,它们是 数据库引擎Database Engine中发生的原子事件。Audit action groups are predefined groups of actions, which are atomic events occurring in the 数据库引擎Database Engine. 这些操作将发送到审核,审核将它们记录到目标中。These actions are sent to the audit, which records them in the target.

SQL Server 审核操作组和操作主题介绍了服务器级别审核操作组。Server-level audit action groups are described in the topic SQL Server Audit Action Groups and Actions.

数据库审核规范Database Audit Specification

“数据库审核规范” 对象也属于 SQL ServerSQL Server 审核。The Database Audit Specification object also belongs to a SQL ServerSQL Server audit. 针对每个审核,您可以为每个 SQL ServerSQL Server 数据库创建一个数据库审核规范。You can create one database audit specification per SQL ServerSQL Server database per audit.

数据库审核规范可收集由扩展事件功能引发的数据库级审核操作。The database audit specification collects database-level audit actions raised by the Extended Events feature. 你可以向数据库审核规范添加审核操作组或审核事件。You can add either audit action groups or audit events to a database audit specification. 审核事件 是可以由 SQL ServerSQL Server 引擎审核的原子操作。Audit events are the atomic actions that can be audited by the SQL ServerSQL Server engine. “审核操作组”是预定义的操作组。Audit action groups are predefined groups of actions. 它们都位于 SQL ServerSQL Server 数据库作用域。Both are at the SQL ServerSQL Server database scope. 这些操作将发送到审核,审核将它们记录到目标中。These actions are sent to the audit, which records them in the target. 在用户数据库审核规范中不要包括服务器范围的对象,例如系统视图。Do not include server-scoped objects, such as the system views, in a user database audit specification.

SQL Server 审核操作组和操作主题介绍了数据库级别的审核操作组和审核操作。Database-level audit action groups and audit actions are described in the topic SQL Server Audit Action Groups and Actions.

目标Target

审核结果将发送到目标,目标可以是文件、Windows 安全事件日志或 Windows 应用程序事件日志。The results of an audit are sent to a target, which can be a file, the Windows Security event log, or the Windows Application event log. 必须定期查看和归档这些日志,以确保目标具有足够的空间来写入更多记录。Logs must be reviewed and archived periodically to make sure that the target has sufficient space to write additional records.

重要

任何经过身份验证的用户可以读取和写入到 Windows 应用程序事件日志。Any authenticated user can read and write to the Windows Application event log. 应用程序事件日志要求的权限比 Windows 安全事件日志低,安全性低于 Windows 安全事件日志。The Application event log requires lower permissions than the Windows Security event log and is less secure than the Windows Security event log.

必须将 SQL ServerSQL Server 服务帐户应添加到 生成安全审核 策略中才能写入 Windows 安全日志。Writing to the Windows Security log requires the SQL ServerSQL Server service account to be added to the Generate security audits policy. 默认情况下,本地系统、本地服务和网络服务都是此策略的一部分。By default, the Local System, Local Service, and Network Service are part of this policy. 此设置可通过使用安全策略管理单元 (secpol.msc) 配置。This setting can be configured by using the security policy snap-in (secpol.msc). 此外,对于“成功” 和“失败” 均必须启用“审核对象访问” 安全策略。Additionally, the Audit object access security policy must be enabled for both Success and Failure. 此设置可通过使用安全策略管理单元 (secpol.msc) 配置。This setting can be configured by using the security policy snap-in (secpol.msc). Windows VistaWindows Vista 或 Windows Server 2008 中,可通过使用审核策略程序 ( AuditPol.exe) 从命令行设置更详细的应用程序生成策略。In Windows VistaWindows Vista or Windows Server 2008, you can set the more granular application generated policy from the command line by using the audit policy program (AuditPol.exe). 有关启用 Windows 安全日志写入的步骤的详细信息,请参阅 将 SQL Server 审核事件写入安全日志For more information about the steps to enable writing to the Windows Security log, see Write SQL Server Audit Events to the Security Log. 有关 Auditpol.exe 程序的详细信息,请参阅知识库文章 921469 如何使用组策略配置详细的安全审核设置For more information about the Auditpol.exe program, see Knowledge Base article 921469, How to use Group Policy to configure detailed security auditing. Windows 事件日志对于 Windows 操作系统具有全局性。The Windows event logs are global to the Windows operating system. 有关 Windows 事件日志的详细信息,请参阅 事件查看器概述For more information about the Windows event logs, see Event Viewer Overview. 如果需要关于审核的更精准权限,请使用二进制文件目标。If you need more precise permissions on the audit, use the binary file target.

在您将审核信息保存到某一文件时,为了帮助避免被篡改,可以通过以下方式限制对文件位置的访问:When you are saving audit information to a file, to help prevent tampering, you can restrict access to the file location in the following ways:

  • SQL ServerSQL Server 服务帐户必须同时具有读取和写入权限。The SQL ServerSQL Server Service Account must have both Read and Write permission.

  • 审核管理员通常需要读取和写入权限。Audit Administrators typically require Read and Write permission. 这就假设审核管理员是 Windows 帐户,可以管理审核文件(例如,将审核文件复制到其他共享、备份这些文件等等)。This assumes that the Audit Administrators are Windows accounts for administration of audit files, such as: copying them to different shares, backing them up, and so on.

  • 获得授权可读取审核文件的审核读取者必须具有读取权限。Audit Readers that are authorized to read audit files must have Read permission.

甚至当 数据库引擎Database Engine 正在写入某个文件时,其他 Windows 用户如果具有权限,也可以读取该审核文件。Even when the 数据库引擎Database Engine is writing to a file, other Windows users can read the audit file if they have permission. 数据库引擎Database Engine 并未采用排他锁来防止读取操作。The 数据库引擎Database Engine does not take an exclusive lock that prevents read operations.

因为 数据库引擎Database Engine 可以访问文件,所以,具有 CONTROL SERVER 权限的 SQL ServerSQL Server 登录名可以使用 数据库引擎Database Engine 来访问审核文件。Because the 数据库引擎Database Engine can access the file, SQL ServerSQL Server logins that have CONTROL SERVER permission can use the 数据库引擎Database Engine to access the audit files. 若要记录任何正在读取审核文件的用户,请在 master.sys.fn_get_audit_file 中定义审核。To record any user that is reading the audit file, define an audit on master.sys.fn_get_audit_file. 这将记录具有 CONTROL SERVER 权限且已通过 SQL ServerSQL Server访问审核文件的登录名。This records the logins with CONTROL SERVER permission that have accessed the audit file through SQL ServerSQL Server.

如果审核管理员将文件复制到其他位置(用于存档等),新位置的 ACL 应降至以下权限:If an Audit Administrator copies the file to a different location (for archive purposes, and so on), the ACLs on the new location should be reduced to the following permissions:

  • 审核管理员 - 读/写Audit Administrator - Read / Write

  • 审核读取者 - 读Audit Reader - Read

建议您从 SQL ServerSQL Server的单独实例(例如, SQL Server ExpressSQL Server Express的单独实例)生成审核报告(如果只有审核管理员或审核读取者可以访问此实例)。We recommend that you generate audit reports from a separate instance of SQL ServerSQL Server, such as an instance of SQL Server ExpressSQL Server Express, to which only Audit Administrators or Audit Readers have access. 通过使用 数据库引擎Database Engine 的单独实例进行报告,可以帮助防止未获授权的用户访问审核记录。By using a separate instance of the 数据库引擎Database Engine for reporting, you can help prevent unauthorized users from obtaining access to the audit record.

可以通过使用 Windows BitLocker 数据加密或 Windows 加密文件系统对存储审核文件的文件夹进行加密,从而提供附加保护机制来防止未授权访问。You can offer additional protection against unauthorized access by encrypting the folder in which the audit file is stored by using Windows BitLocker Drive Encryption or Windows Encrypting File System.

有关写入目标的审核记录的详细信息,请参阅 SQL Server Audit RecordsFor more information about the audit records that are written to the target, see SQL Server Audit Records.

使用 SQL Server 审核概述Overview of Using SQL Server Audit

可以使用 SQL Server Management StudioSQL Server Management StudioTransact-SQLTransact-SQL 定义审核。You can use SQL Server Management StudioSQL Server Management Studio or Transact-SQLTransact-SQL to define an audit. 在创建并启用审核后,目标将接收各项。After the audit is created and enabled, the target will receive entries.

您可以使用 Windows 中的 “事件查看器” 实用工具来读取 Windows 事件。You can read the Windows event logs by using the Event Viewer utility in Windows. 对于文件目标,你可以使用 中的“日志文件查看器” SQL Server Management StudioSQL Server Management Studiofn_get_audit_file 函数来读取目标文件。For file targets, you can use either the Log File Viewer in SQL Server Management StudioSQL Server Management Studio or the fn_get_audit_file function to read the target file.

以下是创建和使用审核的一般过程。The general process for creating and using an audit is as follows.

  1. 创建审核并定义目标。Create an audit and define the target.

  2. 创建映射到审核的服务器审核规范或数据库审核规范。Create either a server audit specification or database audit specification that maps to the audit. 启用审核规范。Enable the audit specification.

  3. 启用审核。Enable the audit.

  4. 通过使用 Windows“事件查看器” 、“日志文件查看器” 或 fn_get_audit_file 函数来读取审核事件。Read the audit events by using the Windows Event Viewer, Log File Viewer, or the fn_get_audit_file function.

有关详细信息,请参阅 创建服务器审核和服务器审核规范创建服务器审核和数据库审核规范For more information, see Create a Server Audit and Server Audit Specification and Create a Server Audit and Database Audit Specification.

注意事项Considerations

如果在启动审核期间出现问题,则服务器将不会启动。In the case of a failure during audit initiation, the server will not start. 在这种情况下,可以在命令行中使用 -f 选项来启动服务器。In this case, the server can be started by using the -f option at the command line.

如果由于为审核指定了 ON_FAILURE=SHUTDOWN 而使得审核失败导致服务器关闭或不启动,则 MSG_AUDIT_FORCED_SHUTDOWN 事件将写入日志。When an audit failure causes the server to shut down or not to start because ON_FAILURE=SHUTDOWN is specified for the audit, the MSG_AUDIT_FORCED_SHUTDOWN event will be written to the log. 由于在第一次遇到此设置时将出现关机,此事件将写入一次。Because the shutdown will occur on the first encounter of this setting, the event will be written one time. 在出现有关审核导致关闭的失败消息后,将写入此事件。This event is written after the failure message for the audit causing the shutdown. 管理员可以使用 -m 标志以单用户模式启动 SQL ServerSQL Server,从而绕过审核引起的关闭。An administrator can bypass audit-induced shutdowns by starting SQL ServerSQL Server in Single User mode using the -m flag. 如果在单用户模式下启动,则会将指定了 ON_FAILURE=SHUTDOWN 的任何审核降级为在相应会话中以 ON_FAILURE=CONTINUE 运行。If you start in Single User mode, you will downgrade any audit where ON_FAILURE=SHUTDOWN is specified to run in that session as ON_FAILURE=CONTINUE. 使用 -m 标志启动 SQL ServerSQL Server 时,MSG_AUDIT_SHUTDOWN_BYPASSED 消息将写入错误日志。When SQL ServerSQL Server is started by using the -m flag, the MSG_AUDIT_SHUTDOWN_BYPASSED message will be written to the error log.

有关服务启动选项的详细信息,请参阅 数据库引擎服务启动选项For more information about service startup options, see Database Engine Service Startup Options.

将数据库附加到已定义的审核Attaching a Database with an Audit Defined

如果附加的数据库具有审核规范并且指定的 GUID 在服务器上不存在,则将导致“ 孤立”审核规范。Attaching a database that has an audit specification and specifies a GUID that does not exist on the server will cause an orphaned audit specification. 因为服务器实例上不存在具有匹配 GUID 的审核,所以将不记录审核事件。Because an audit with a matching GUID does not exist on the server instance, no audit events will be recorded. 若要更正此情况,请使用 ALTER DATABASE AUDIT SPECIFICATION 命令将孤立审核规范连接到现有服务器审核。To correct this situation, use the ALTER DATABASE AUDIT SPECIFICATION command to connect the orphaned audit specification to an existing server audit. 或者,使用 CREATE SERVER AUDIT 命令创建一个具有指定 GUID 的新服务器审核。Or, use the CREATE SERVER AUDIT command to create a new server audit with the specified GUID.

您可以将定义了审核规范的数据库连接到不支持 SQL ServerSQL Server 审核的另一 SQL ServerSQL Server 版本,如 SQL Server ExpressSQL Server Express ,但它不会记录审核事件。You can attach a database that has an audit specification defined on it to another edition of SQL ServerSQL Server that does not support SQL ServerSQL Server audit, such as SQL Server ExpressSQL Server Express but it will not record audit events.

数据库镜像和 SQL Server 审核Database Mirroring and SQL Server Audit

已定义了数据库审核规范并使用数据库镜像的数据库将包括此数据库审核规范。A database that has a database audit specification defined and that uses database mirroring will include the database audit specification. 若要对已镜像的 SQL 实例进行正确的处理,必须配置下列项:To work correctly on the mirrored SQL instance, the following items must be configured:

  • 镜像服务器必须拥有具有相同 GUID 的审核才能使数据库审核规范能够写入审核记录。The mirror server must have an audit with the same GUID to enable the database audit specification to write audit records. 这可以通过使用命令 CREATE AUDIT WITH GUID = <GUID from source Server Audit> 进行配置。This can be configured by using the command CREATE AUDIT WITH GUID =<GUID from source Server Audit>.

  • 对于二进制文件目标,镜像服务器服务帐户对要写入审核记录的位置必须具有相应的权限。For binary file targets, the mirror server service account must have appropriate permissions to the location where the audit trail is being written.

  • 对于 Windows 事件日志目标,镜像服务器所在计算机上的安全策略必须允许服务帐户访问安全事件日志或应用程序事件日志。For Windows event log targets, the security policy on the computer where the mirror server is located must allow for service account access to the security or application event log.

审核管理员Auditing Administrators

sysadmin 固定服务器角色的成员在每个数据库中均标识为 dbo 用户。Members of the sysadmin fixed server role are identified as the dbo user in each database. 若要审核管理员的操作,请审核 dbo 用户的操作。To audit actions of the administrators, audit the actions of the dbo user.

使用 Transact-SQL 创建和管理审核Creating and Managing Audits with Transact-SQL

可以使用 DDL 语句、动态管理视图和函数以及目录视图来实现 SQL ServerSQL Server 审核的所有方面。You can use DDL statements, dynamic management views and functions, and catalog views to implement all aspects of SQL ServerSQL Server Audit.

数据定义语言语句Data Definition Language Statements

可以使用下列 DDL 语句创建、更改和删除审核规范:You can use the following DDL statements to create, alter, and drop audit specifications:

DDL 语句DDL statements 说明Description
ALTER AUTHORIZATIONALTER AUTHORIZATION 更改安全对象的所有权。Changes the ownership of a securable.
ALTER DATABASE AUDIT SPECIFICATIONALTER DATABASE AUDIT SPECIFICATION 使用 SQL Server 审核功能更改数据库审核规范对象。Alters a database audit specification object using the SQL Server Audit feature.
ALTER SERVER AUDITALTER SERVER AUDIT 使用 SQL Server 审核功能更改服务器审核对象。Alters a server audit object using the SQL Server Audit feature.
ALTER SERVER AUDIT SPECIFICATIONALTER SERVER AUDIT SPECIFICATION 使用 SQL Server 审核功能更改服务器审核规范对象。Alters a server audit specification object using the SQL Server Audit feature.
CREATE DATABASE AUDIT SPECIFICATIONCREATE DATABASE AUDIT SPECIFICATION 使用 SQL Server 审核功能创建数据库审核规范对象。Creates a database audit specification object using the SQL Server audit feature.
CREATE SERVER AUDITCREATE SERVER AUDIT 使用 SQL Server 审核创建服务器审核对象。Creates a server audit object using SQL Server Audit.
CREATE SERVER AUDIT SPECIFICATIONCREATE SERVER AUDIT SPECIFICATION 使用 SQL Server 审核功能创建服务器审核规范对象。Creates a server audit specification object using the SQL Server Audit feature.
DROP DATABASE AUDIT SPECIFICATIONDROP DATABASE AUDIT SPECIFICATION 使用 SQL Server 审核功能删除数据库审核规范对象。Drops a database audit specification object using the SQL Server Audit feature.
DROP SERVER AUDITDROP SERVER AUDIT 使用 SQL Server Audit 功能删除服务器审核对象。Drops a Server Audit Object using the SQL Server Audit feature.
DROP SERVER AUDIT SPECIFICATIONDROP SERVER AUDIT SPECIFICATION 使用 SQL Server 审核功能删除服务器审核规范对象。Drops a server audit specification object using the SQL Server Audit feature.

动态视图和函数Dynamic Views and Functions

下表列出了可用于 SQL ServerSQL Server 审核的动态视图和函数。The following table lists the dynamic views and function that you can use for SQL ServerSQL Server Auditing.

动态视图和函数Dynamic views and functions 说明Description
sys.dm_audit_actionssys.dm_audit_actions 为可在审核日志中报告的每项审核操作以及可配置为 SQL ServerSQL Server Audit 一部分的每个审核操作组返回一行。Returns a row for every audit action that can be reported in the audit log and every audit action group that can be configured as part of SQL ServerSQL Server Audit.
sys.dm_server_audit_statussys.dm_server_audit_status 提供有关当前审核状态的信息。Provides information about the current state of the audit.
sys.dm_audit_class_type_mapsys.dm_audit_class_type_map 返回一个表,将审核日志中的 class_type 字段映射到 sys.dm_audit_actions 中的 class_desc 字段。Returns a table that maps the class_type field in the audit log to the class_desc field in sys.dm_audit_actions.
fn_get_audit_filefn_get_audit_file 从由服务器审核创建的审核文件返回信息。Returns information from an audit file created by a server audit.

目录视图Catalog Views

下表列出了可用于 SQL ServerSQL Server 审核的目录视图。The following table lists the catalog views that you can use for SQL ServerSQL Server auditing.

目录视图Catalog views 说明Description
sys.database_audit_specificationssys.database_audit_specifications 包含服务器实例上的 SQL ServerSQL Server 审核中的数据库审核规范的相关信息。Contains information about the database audit specifications in a SQL ServerSQL Server audit on a server instance.
sys.database_audit_specification_detailssys.database_audit_specification_details 包含所有数据库的服务器实例上 SQL ServerSQL Server 审核中的数据库审核规范的相关信息。Contains information about the database audit specifications in a SQL ServerSQL Server audit on a server instance for all databases.
sys.server_auditssys.server_audits 服务器实例中每个 SQL ServerSQL Server 审核都各占一行。Contains one row for each SQL ServerSQL Server audit in a server instance.
sys.server_audit_specificationssys.server_audit_specifications 包含有关服务器实例上 SQL ServerSQL Server 审核中的服务器审核规范的信息。Contains information about the server audit specifications in a SQL ServerSQL Server audit on a server instance.
sys.server_audit_specifications_detailssys.server_audit_specifications_details 包含服务器实例上的 SQL ServerSQL Server 审核中的服务器审核规范详细信息(操作)的相关信息。Contains information about the server audit specification details (actions) in a SQL ServerSQL Server audit on a server instance.
sys.server_file_auditssys.server_file_audits 包含有关服务器实例上 SQL ServerSQL Server 审核中的文件审核类型的存储扩展信息。Contains stores extended information about the file audit type in a SQL ServerSQL Server audit on a server instance.

权限Permissions

SQL ServerSQL Server Audit 的每一个功能和命令都有其独特的权限需求。Each feature and command for SQL ServerSQL Server Audit has individual permission requirements.

若要创建、更改或删除服务器审核或服务器审核规范,服务器主体要求具有 ALTER ANY SERVER AUDIT 或 CONTROL SERVER 权限。To create, alter, or drop a Server Audit or Server Audit Specification, server principals require the ALTER ANY SERVER AUDIT or the CONTROL SERVER permission. 若要创建、更改或删除数据库审核规范,数据库主体必须具有 ALTER ANY DATABASE AUDIT 权限或针对该数据库的 ALTER 或 CONTROL 权限。To create, alter, or drop a Database Audit Specification, database principals require the ALTER ANY DATABASE AUDIT permission or the ALTER or CONTROL permission on the database. 此外,主题还必须具有连接到数据库的权限或者具有 ALTER ANY SERVER AUDIT 或 CONTROL SERVER 权限。In addition, principals must have permission to connect to the database, or ALTER ANY SERVER AUDIT or CONTROL SERVER permissions.

拥有 VIEW ANY DEFINITION 权限,可有权查看服务器级别审核视图;拥有 VIEW DEFINITION 权限,可有权查看数据库级别审核视图。The VIEW ANY DEFINITION permission provides access to view the server level audit views and VIEW DEFINITION provides access to view the database level audit views. 拒绝这些权限,则无法查看目录视图,即使主体拥有 ALTER ANY SERVER AUDIT 或 ALTER ANY DATABASE AUDIT 权限,也是如此。Denial of these permissions, overrides the ability to view the catalog views, even if the principal has the ALTER ANY SERVER AUDIT or ALTER ANY DATABASE AUDIT permissions.

有关如何授予权限的详细信息,请参阅GRANT(Transact-SQL)For more information about how to grant rights and permissions, see GRANT (Transact-SQL).

注意

具有 sysadmin 角色的主体可以篡改任意审核组件;具有 db_owner 角色的主体可以篡改数据库中的审核规范。Principals in the sysadmin role can tamper with any audit component and those in the db_owner role can tamper with audit specifications in a database. SQL ServerSQL Server Audit 将验证将创建或更改审核规范的登录帐户是否至少具有 ALTER ANY DATABASE AUDIT 权限。Audit will validate that a logon that creates or alters an audit specification has at least the ALTER ANY DATABASE AUDIT permission. 但是,它不会在您附加数据库时进行验证。However, it does no validation when you attach a database. 您应假定所有的数据库审核规范的可信度只是相当于具有 sysadmin 或 db_owner 角色的主体。You should assume all Database Audit Specifications are only as trustworthy as those principals in the sysadmin or db_owner role.

创建服务器审核和服务器审核规范Create a Server Audit and Server Audit Specification

创建服务器审核和数据库审核规范Create a Server Audit and Database Audit Specification

查看 SQL Server 审核日志View a SQL Server Audit Log

将 SQL Server 审核事件写入安全日志Write SQL Server Audit Events to the Security Log

服务器属性(“安全性”页)Server Properties (Security Page)
介绍如何为 SQL ServerSQL Server启用登录审核。Explains how to turn on login auditing for SQL ServerSQL Server. 审核记录存储在 Windows 应用程序日志中。The audit records are stored in the Windows application log.

c2 审核模式服务器配置选项c2 audit mode Server Configuration Option
介绍 SQL ServerSQL Server中的 C2 符合安全标准审核模式。Explains the C2 security compliance auditing mode in SQL ServerSQL Server.

安全审核事件类别 (SQL Server Profiler)Security Audit Event Category (SQL Server Profiler)
介绍您可以在 SQL Server ProfilerSQL Server Profiler中使用的审核事件。Explains the audit events you can use in SQL Server ProfilerSQL Server Profiler. 有关详细信息,请参阅 SQL Server ProfilerFor more information, see SQL Server Profiler.

SQL 跟踪SQL Trace
介绍如何使用 SQL 跟踪(而不使用 SQL ServerSQL Server 事件探查器)从你自己的应用程序中手动创建跟踪。Explains how SQL Trace can be used from within your own applications to create traces manually, instead of using SQL ServerSQL Server Profiler.

DDL 触发器DDL Triggers
介绍如何使用数据定义语言 (DDL) 触发器来跟踪对数据库的更改。Explains how you can use Data Definition Language (DDL) triggers to track changes to your databases.

Microsoft TechNet:SQL Server 技术中心:SQL Server 2005 安全性和保护Microsoft TechNet: SQL Server TechCenter: SQL Server 2005 Security and Protection
提供有关 SQL ServerSQL Server 安全性的最新信息。Provides up-to-date information about SQL ServerSQL Server security.

另请参阅See Also

SQL Server 审核操作组和操作 SQL Server Audit Action Groups and Actions
SQL Server 审核记录SQL Server Audit Records