開始使用 SQL Database 稽核Get started with SQL database auditing

稽核 Azure SQL DatabaseSQL 資料倉儲,可追蹤資料庫事件並將事件寫入 Azure 儲存體帳戶、OMS 工作區或事件中樞的稽核記錄。Auditing for Azure SQL Database and SQL Data Warehouse tracks database events and writes them to an audit log in your Azure storage account, OMS workspace or Event Hubs. 稽核也具備下列功能:Auditing also:

  • 協助您保持法規遵循、了解資料庫活動,以及深入了解可指出商務考量或疑似安全違規的不一致和異常。Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

  • 啟用及推動遵循法規標準,但不保證符合法規。Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. 有关支持标准符合性的 Azure 程序的详细信息,请参阅 Azure 信任中心,可以从中找到 SQL 数据库符合性认证的最新列表。For more information about Azure programs that support standards compliance, see the Azure Trust Center where you can find the most current list of SQL Database compliance certifications.


本主題適用於 Azure SQL 伺服器,以及在 Azure SQL Server 上建立的 SQL Database 和 SQL 資料倉儲資料庫。This topic applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. 為了簡單起見,參考 SQL Database 和 SQL 資料倉儲時都會使用 SQL Database。For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.


本文最近有所更新,改為使用「Azure 監視器記錄」一詞,而非 Log Analytics。This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. 記錄資料仍儲存在 Log Analytics 工作區中,並仍由相同的 Log Analytics 服務收集和分析。Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. 我們會持續更新術語,以更精確地反映 Azure 監視器記錄的角色。We are updating the terminology to better reflect the role of logs in Azure Monitor. 如需詳細資料,請參閱 Azure 監視器遙測變更See Azure Monitor terminology changes for details.

Azure SQL 資料庫稽核概觀Azure SQL database auditing overview

您可以使用 SQL 資料庫稽核完成下列工作:You can use SQL database auditing to:

  • 保留 所選事件的稽核記錄。Retain an audit trail of selected events. 您可以定義要稽核的資料庫動作類別。You can define categories of database actions to be audited.
  • 報告 資料庫活動。Report on database activity. 您可以使用預先設定的報告和儀表板,快速地開始使用活動和事件報告。You can use pre-configured reports and a dashboard to get started quickly with activity and event reporting.
  • 分析 報告。Analyze reports. 您可以尋找可疑事件、異常活動及趨勢。You can find suspicious events, unusual activity, and trends.


系統會將稽核記錄寫入至 Azure 訂用帳戶上 Azure Blob 儲存體中的附加 BlobAudit logs are written to Append Blobs in Azure Blob storage on your Azure subscription.

  • 支援所有的儲存體類型 (v1、v2、Blob)。All storage kinds (v1, v2, blob) are supported.
  • 支援所有儲存體複寫設定。All storage replication configurations are supported.
  • 不支援 進階儲存體Premium storage is currently not supported.
  • 目前不支援 VNet 中的儲存體Storage in VNet is currently not supported.
  • 目前不支援 在防火牆後面的儲存體Storage behind a Firewall is currently not supported

定義伺服器層級與資料庫層級的稽核原則Define server-level vs. database-level auditing policy

您可以針對特定資料庫定義稽核原則,或將稽核原則定義為預設伺服器原則:An auditing policy can be defined for a specific database or as a default server policy:

  • 伺服器原則會套用至伺服器上所有現有和新建立的資料庫。A server policy applies to all existing and newly created databases on the server.

  • 如果「伺服器 Blob 稽核已啟用」 ,它「一律」會套用到資料庫 。If server blob auditing is enabled, it always applies to the database. 不論資料庫稽核資料是什麼,都會稽核資料庫。The database will be audited, regardless of the database auditing settings.

  • 如果除了伺服器以外,也在資料庫或資料倉儲上啟用 Blob 稽核,這「不會」 覆寫或變更伺服器 Blob 稽核的任何設定。Enabling blob auditing on the database or data warehouse, in addition to enabling it on the server, does not override or change any of the settings of the server blob auditing. 這兩種稽核將會並存。Both audits will exist side by side. 換句話說,系統將會對資料庫進行兩次相同的稽核;一次是由伺服器原則,一次是由資料庫原則。In other words, the database is audited twice in parallel; once by the server policy and once by the database policy.


    您應該避免同時啟用伺服器 Blob 稽核與資料庫 Blob 稽核,除非:You should avoid enabling both server blob auditing and database blob auditing together, unless:

    • 您需要為特定資料庫使用不同的儲存體帳戶 或保留期間 。You want to use a different storage account or retention period for a specific database.
    • 您想要針對伺服器上不同於其餘資料庫的特定資料庫,稽核其事件類型或類別。You want to audit event types or categories for a specific database that differ from the rest of the databases on the server. 例如,您可能只需要針對特定資料庫稽核資料表插入。For example, you might have table inserts that need to be audited only for a specific database.

    否則,建議只啟用伺服器層級 Blob 稽核,並讓所有資料庫的資料庫層級稽核保留在停用狀態。Otherwise, we recommended that you enable only server-level blob auditing and leave the database-level auditing disabled for all databases.

設定資料庫的稽核Set up auditing for your database

下節描述使用 Azure 入口網站進行稽核的設定。The following section describes the configuration of auditing using the Azure portal.

  1. 移至 Azure 入口網站Go to the Azure portal.

  2. 瀏覽至 SQL 資料庫/伺服器窗格中 [安全性] 標題下的 [稽核] 。Navigate to Auditing under the Security heading in your SQL database/server pane.

    導覽窗格Navigation pane

  3. 如果您想要設定伺服器稽核原則,可以選取資料庫稽核頁面上的 [檢視伺服器設定] 連結。If you prefer to set up a server auditing policy, you can select the View server settings link on the database auditing page. 然後,您可以檢視或修改伺服器稽核設定。You can then view or modify the server auditing settings. 伺服器稽核原則會套用至此伺服器上所有現有和新建立的資料庫。Server auditing policies apply to all existing and newly created databases on this server.


  4. 如果您偏向在資料庫層級啟用稽核,請將 [稽核] 切換到 [開啟] 。If you prefer to enable auditing on the database level, switch Auditing to ON.

    如果已啟用伺服器稽核,資料庫設定的稽核將會與伺服器稽核並存。If server auditing is enabled, the database-configured audit will exist side-by-side with the server audit.


  5. 新增 - 您現在有多個選項可設定要寫入稽核記錄的位置。New - You now have multiple options for configuring where audit logs will be written. Azure 儲存體帳戶、 Log Analytics 工作區,供 Azure 監視器記錄檔,或使用事件中樞取用的事件中樞,您可以寫入記錄。You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs, or to event hub for consumption using event hub. 您可以設定這些選項的任何組合,並將稽核記錄寫入至每個組合。You can configure any combination of these options, and audit logs will be written to each.


    啟用稽核至 Log Analytics 會產生根據擷取速率的成本。Enabling auditing to Log Analytics will incur cost based on ingestion rates. 請特別注意相關聯的成本,使用這選項,或考慮在 Azure 儲存體帳戶中儲存稽核記錄。Please be aware of the associated cost with using this option, or consider storing the audit logs in an Azure storage account.


  6. 若要設定將稽核記錄寫入至儲存體帳戶,請選取 [儲存體] ,然後開啟 [儲存體詳細資料] 。To configure writing audit logs to a storage account, select Storage and open Storage details. 選取將儲存記錄的 Azure 儲存體帳戶,然後選取保留期間。Select the Azure storage account where logs will be saved, and then select the retention period. 舊的記錄將被刪除。The old logs will be deleted. 然後按一下 [確定] 。Then click OK.

    storage account

  7. 若要設定將稽核記錄寫入至 Log Analytics 工作區,請選取 [Log Analytics (預覽)] ,然後開啟 [Log Analytics 詳細資料] 。To configure writing audit logs to a Log Analytics workspace, select Log Analytics (Preview) and open Log Analytics details. 選取或建立將寫入記錄的 Log Analytics 工作區,然後按一下 [確定] 。Select or create the Log Analytics workspace where logs will be written and then click OK.

    Log Analytics 工作區

  8. 若要設定將稽核記錄寫入至事件中樞,請選取 [事件中樞 (預覽)] ,然後開啟 [事件中樞詳細資料] 。To configure writing audit logs to an event hub, select Event Hub (Preview) and open Event Hub details. 選取要寫入記錄的事件中樞,然後按一下 [確定] 。Select the event hub where logs will be written and then click OK. 請確定事件中樞與您的資料庫和伺服器位於相同的區域。Be sure that the event hub is in the same region as your database and server.


  9. 按一下 [檔案] 。Click Save.

  10. 如果您想要自訂稽核的事件,您可以透過 PowerShell CmdletREST API 來自訂。If you want to customize the audited events, you can do this via PowerShell cmdlets or the REST API.

  11. 設定您的稽核設定之後,您可以開啟新的威脅偵測功能,並設定電子郵件以接收安全性警示。After you've configured your auditing settings, you can turn on the new threat detection feature and configure emails to receive security alerts. 使用威脅偵測時,您會接收與指示潛在安全性威脅的異常資料庫活動相關的主動式警示。When you use threat detection, you receive proactive alerts on anomalous database activities that can indicate potential security threats. 如需詳細資訊,請參閱開始使用威脅偵測For more information, see Getting started with threat detection.


啟用稽核暫停 Azure SQL 資料倉儲上不可能。Enabling auditing on an paused Azure SQL Data Warehouse is not possible. 若要啟用它,請取消暫停資料倉儲。To enable it, un-pause the Data Warehouse.


可在其上的 「 Azure SQL 資料倉儲的伺服器上啟用稽核將會導致資料倉儲正在繼續執行,而再度重新暫停這可能會產生計費費用。Enabling auditing on a server that has an Azure SQL Data Warehouse on it will result in the Data Warehouse being resumed and re-paused again which may incur in billing charges.

分析稽核記錄和報告Analyze audit logs and reports

如果您選擇的稽核記錄寫入 Azure 監視器的記錄:If you chose to write audit logs to Azure Monitor logs:

  • 使用 Azure 入口網站Use the Azure portal. 開啟相關的資料庫。Open the relevant database. 在資料庫的 [稽核] 頁面頂端,按一下 [檢視稽核記錄] 。At the top of the database's Auditing page, click View audit logs.


  • 然後,在 [稽核記錄] 頁面頂端,按一下 [在 OMS 中開啟] 以在 Log Analytics 中開啟記錄檢視,您可以在其中自訂時間範圍和搜尋查詢。Then, clicking on Open in OMS at the top of the Audit records page will open the Logs view in Log Analytics, where you can customize the time range and the search query.

    在 Log Analytics 中開啟

  • 或者,您也可以從 Log Analytics 刀鋒視窗存取稽核記錄。Alternatively, you can also access the audit logs from Log Analytics blade. 開啟 Log Analytics 工作區,然後在 [一般] 區段下,按一下 [記錄] 。Open your Log Analytics workspace and under General section, click Logs. 您可以從簡單的查詢開始,例如:「搜尋 "SQLSecurityAuditEvents"」 以檢視稽核記錄。You can start with a simple query, such as: search "SQLSecurityAuditEvents" to view the audit logs. 從這裡開始,您也可以使用Azure 監視器記錄執行進階的搜尋稽核記錄檔資料。From here, you can also use Azure Monitor logs to run advanced searches on your audit log data. Azure 監視器記錄檔可讓您輕易地分析數百萬筆記錄,跨所有工作負載和伺服器使用整合式的搜尋和自訂儀表板的即時操作深入資訊。Azure Monitor logs gives you real-time operational insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers. 如需 Azure 監視器的記錄搜尋語言和命令的其他有用資訊,請參閱Azure 監視器記錄檔搜尋參考For additional useful information about Azure Monitor logs search language and commands, see Azure Monitor logs search reference.

如果您選擇將稽核記錄寫入至事件中樞:If you chose to write audit logs to Event Hub:

  • 若要取用來自事件中樞的稽核記錄資料,您必須設定資料流取用事件並將其寫入至目標。To consume audit logs data from Event Hub, you will need to set up a stream to consume events and write them to a target. 如需詳細資訊,請參閱 Azure 事件中樞文件For more information, see Azure Event Hubs Documentation.
  • 系統會在 Apache Avro (英文) 事件的主體中擷取事件中樞的稽核記錄,並使用以 UTF-8 編碼方式格式化的 JSON 來儲存。Audit logs in Event Hub are captured in the body of Apache Avro events and stored using JSON formatting with UTF-8 encoding. 若要讀取稽核記錄,您可以使用 Avro Tools 或類似工具來處理這種格式。To read the audit logs, you can use Avro Tools or similar tools that process this format.

如果您選擇將稽核記錄寫入至 Azure 儲存體帳戶,您可使用數種方法來檢視記錄:If you chose to write audit logs to an Azure storage account, there are several methods you can use to view the logs:

  • 稽核記錄會在您於設定期間選擇的帳戶中彙總。Audit logs are aggregated in the account you chose during setup. 您可以使用工具 (例如 Azure 儲存體總管) 來查看稽核記錄。You can explore audit logs by using a tool such as Azure Storage Explorer. 在 Azure 儲存體中,稽核記錄是以 Blob 檔案集合的方式儲存在名為 sqldbauditlogs 的容器內。In Azure storage, auditing logs are saved as a collection of blob files within a container named sqldbauditlogs. 如需有關儲存體資料夾階層、命名慣例、記錄格式的進一步詳細資訊,請參閱 Blob 稽核記錄格式參考For further details about the hierarchy of the storage folder, naming conventions, and log format, see the Blob Audit Log Format Reference.

  • 使用 Azure 入口網站Use the Azure portal. 開啟相關的資料庫。Open the relevant database. 在資料庫的 [稽核] 頁面頂端,按一下 [檢視稽核記錄] 。At the top of the database's Auditing page, click View audit logs.


    隨即開啟 [稽核記錄] ,您可以在其中檢視記錄。Audit records opens, from which you'll be able to view the logs.

    • 您可以按一下 [稽核記錄] 頁面頂端的 [篩選] 來檢視特定日期。You can view specific dates by clicking Filter at the top of the Audit records page.

    • 切換 [稽核來源] ,即可在由「伺服器稽核原則」 和「資料庫稽核原則」 建立的稽核記錄之間切換。You can switch between audit records that were created by the server audit policy and the database audit policy by toggling Audit Source.

    • 如果勾選 [只顯示 SQL 插入的稽核記錄] 核取方塊,只可以檢視 SQL 插入相關的稽核記錄。You can view only SQL injection related audit records by checking Show only audit records for SQL injections checkbox.


  • 使用系統函數 sys.fn_get_audit_file (T-SQL) 以表格格式傳回稽核記錄資料。Use the system function sys.fn_get_audit_file (T-SQL) to return the audit log data in tabular format. 如需使用此函式的詳細資訊,請參閱 sys.fn_get_audit_fileFor more information on using this function, see sys.fn_get_audit_file.

  • 使用 SQL Server Management Studio (SSMS 17 或更新版本) 中的 [合併稽核檔案] :Use Merge Audit Files in SQL Server Management Studio (starting with SSMS 17):

    1. 從 SSMS 功能表選取 [檔案] > [開啟] > [合併稽核檔案] 。From the SSMS menu, select File > Open > Merge Audit Files.


    2. 隨即開啟 [新增稽核檔案] 對話方塊。The Add Audit Files dialog box opens. 選取其中一個 [新增] 選項以選擇是否要從本機磁碟合併稽核檔案,或從 Azure 儲存體匯入稽核檔案。Select one of the Add options to choose whether to merge audit files from a local disk or import them from Azure Storage. 您將需要提供您的 Azure 儲存體詳細資料和帳戶金鑰。You are required to provide your Azure Storage details and account key.

    3. 已新增要合併的所有檔案之後,請按一下 [確定] 以完成合併作業。After all files to merge have been added, click OK to complete the merge operation.

    4. 合併的檔案會在 SSMS 中開啟,您可以在其中檢視和分析該檔案,以及將其匯出至 XEL 或 CSV 檔案,或是匯出至資料表。The merged file opens in SSMS, where you can view and analyze it, as well as export it to an XEL or CSV file, or to a table.

  • 使用 Power BI。Use Power BI. 您可以在 Power BI 中檢視和分析稽核記錄資料。You can view and analyze audit log data in Power BI. 如需詳細資訊,以及若要存取可下載的範本,請參閱 Analyzie audit log data in Power BI (在 Power BI 中分析稽核記錄資料)。For more information and to access a downloadable template, see Analyze audit log data in Power BI.

  • 透過入口網站或使用工具 (例如 Azure 儲存體總管) 從 Azure 儲存體 Blob 容器下載記錄檔。Download log files from your Azure Storage blob container via the portal or by using a tool such as Azure Storage Explorer.

    • 在您將記錄下載到本機之後,按兩下檔案,以在 SSMS 中開啟、檢視及分析記錄。After you have downloaded a log file locally, double-click the file to open, view, and analyze the logs in SSMS.
    • 您也可以透過 Azure 儲存體總管同時下載多個檔案。You can also download multiple files simultaneously via Azure Storage Explorer. 若要執行這項作業,請以滑鼠右鍵按一下特定子資料夾,然後選取 [另存新檔] 儲存在本機資料夾。To do so, right-click a specific subfolder and select Save as to save in a local folder.
  • 其他方法:Additional methods:

    • 下載多個檔案或包含記錄檔的子資料夾後,可以在本機合併這些檔案,如先前所述的 SSMS 合併稽核檔案指示中所述。After downloading several files or a subfolder that contains log files, you can merge them locally as described in the SSMS Merge Audit Files instructions described previously.

    • 以程式設計方式檢視 Blob 稽核記錄:View blob auditing logs programmatically:

實際作法Production practices

稽核異地複寫資料庫Auditing geo-replicated databases

使用異地複寫資料庫,當您在主要資料庫啟用稽核,次要資料庫會有相同的稽核原則。With geo-replicated databases, when you enable auditing on the primary database the secondary database will have an identical auditing policy. 也可以在次要伺服器上啟用稽核,設定次要資料庫稽核,和主要資料庫分開。It is also possible to set up auditing on the secondary database by enabling auditing on the secondary server, independently from the primary database.

  • 伺服器層級 (建議):啟動主要伺服器次要伺服器上的稽核 - 將根據其個別的伺服器層級原則對主要和次要資料庫分開進行稽核。Server-level (recommended): Turn on auditing on both the primary server as well as the secondary server - the primary and secondary databases will each be audited independently based on their respective server-level policy.
  • 資料庫層級:只能從主要資料庫稽核設定來設定次要資料庫的資料庫層級稽核。Database-level: Database-level auditing for secondary databases can only be configured from Primary database auditing settings.
    • 必須在「主要資料庫本身」 (而不是在伺服器上) 啟用稽核。Auditing must be enabled on the primary database itself, not the server.

    • 在主要資料庫上啟用稽核之後,它也會在次要資料庫上變成啟用狀態。After auditing is enabled on the primary database, it will also become enabled on the secondary database.


      使用資料庫層級稽核時,次要資料庫的儲存體設定將會和主要資料庫上的設定完全相同,這會導致跨地區流量。With database-level auditing, the storage settings for the secondary database will be identical to those of the primary database, causing cross-regional traffic. 建議您只啟用伺服器層級稽核,並讓所有資料庫的資料庫層級稽核保留在停用狀態。We recommend that you enable only server-level auditing, and leave the database-level auditing disabled for all databases.


      使用事件中樞或 Azure 監視器記錄檔為目標的伺服器層級的稽核記錄是目前不支援異地複寫的次要資料庫。Using event hub or Azure Monitor logs as targets for audit logs at the server level is currently not supported for secondary geo-replicated databases.

儲存體金鑰重新產生Storage key regeneration

在生產中,您可能會定期重新整理儲存體金鑰。In production, you are likely to refresh your storage keys periodically. 當您將稽核記錄寫入至 Azure 儲存體時,您需要在重新整理金鑰期間重新儲存稽核原則。When writing audit logs to Azure storage, you need to resave your auditing policy when refreshing your keys. 程序如下:The process is as follows:

  1. 開啟 [儲存體詳細資料] 。Open Storage Details. 在 [儲存體存取金鑰] 方塊中,選取 [次要] ,然後按一下 [確定] 。In the Storage Access Key box, select Secondary, and click OK. 然後按一下稽核設定頁面頂端的 [儲存] 。Then click Save at the top of the auditing configuration page.


  2. 移至儲存體設定頁面,並重新產生主要存取金鑰。Go to the storage configuration page and regenerate the primary access key.


  3. 返回稽核設定頁面,將儲存體存取金鑰從次要切換成主要,然後按一下 [確定] 。Go back to the auditing configuration page, switch the storage access key from secondary to primary, and then click OK. 然後按一下稽核設定頁面頂端的 [儲存] 。Then click Save at the top of the auditing configuration page.

  4. 返回儲存體設定頁面,並重新產生次要存取金鑰 (為下一個金鑰重新整理週期做準備)。Go back to the storage configuration page and regenerate the secondary access key (in preparation for the next key's refresh cycle).

其他資訊Additional Information

  • 如需有關記錄格式、儲存體資料夾階層和命名慣例的詳細資訊,請參閱 Blob 稽核記錄格式參考For details about the log format, hierarchy of the storage folder and naming conventions, see the Blob Audit Log Format Reference.


    Azure SQL Database 稽核會在稽核記錄中的字元欄位儲存 4000 個字元的資料。Azure SQL Database Audit stores 4000 characters of data for character fields in an audit record. 陳述式或從可稽核的動作傳回的 data_sensitivity_information 值包含超過 4000 個字元,超過前 4000 個字元的任何資料將會截斷且不會稽核When the statement or the data_sensitivity_information values returned from an auditable action contain more than 4000 characters, any data beyond the first 4000 characters will be truncated and not audited.

  • 系統會將稽核記錄寫入 Azure 訂用帳戶中 Azure Blob 儲存體的附加 BlobAudit logs are written to Append Blobs in an Azure Blob storage on your Azure subscription:

    • 附加 Blob 目前不支援 進階儲存體Premium Storage is currently not supported by Append Blobs.
    • 目前不支援 VNet 中的儲存體Storage in VNet is currently not supported.
  • 預設稽核原則包含所有動作和下列一組動作群組,這會稽核對資料庫執行的所有查詢和預存程序,以及成功和失敗的登入:The default auditing policy includes all actions and the following set of action groups, which will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:


    您可以使用 PowerShell 設定不同動作和動作群組類型的稽核,如使用 Azure PowerShell 管理 SQL 資料庫稽核一節中所述。You can configure auditing for different types of actions and action groups using PowerShell, as described in the Manage SQL database auditing using Azure PowerShell section.

  • 使用 AAD 驗證時,失敗的登入記錄「不會」 顯示在 SQL 稽核記錄中。When using AAD Authentication, failed logins records will not appear in the SQL audit log. 若要檢視失敗的登入稽核記錄,您需要瀏覽 Azure Active Directory 入口網站,其中會記錄這些事件的詳細資料。To view failed login audit records, you need to visit the Azure Active Directory portal, which logs details of these events.

使用 Azure PowerShell 管理 SQL 資料庫稽核Manage SQL database auditing using Azure PowerShell

PowerShell Cmdlet (包含其他篩選的 WHERE 子句支援)PowerShell cmdlets (including WHERE clause support for additional filtering):

如需指令碼範例,請參閱使用 PowerShell 設定稽核與威脅偵測For a script example, see Configure auditing and threat detection using PowerShell.

使用 REST API 管理 SQL 資料庫稽核Manage SQL database auditing using REST API


具有 WHERE 子句而可支援其他篩選的擴充原則:Extended policy with WHERE clause support for additional filtering:

使用 ARM 範本管理 SQL 資料庫稽核Manage SQL database auditing using ARM templates

您可以使用 Azure Resource Manager 範本來管 Azure SQL 資料庫,如下列範例所示:You can manage Azure SQL database auditing using Azure Resource Manager templates, as shown in these examples:


連結的範例位於外部公用儲存機制,而提供 ' 為 ',不提供擔保,並不受任何 Microsoft 支援的程式/服務。The linked samples are on an external public repository and are provided 'as is', without warranty, and are not supported under any Microsoft support program/service.