Introduction

With the advent of the Information Era, data is being collected on a massive scale. Information Technology systems have made access to this data faster and easier. They have also made it easier for data to be misused.

We have all heard of instances where hospital employees have taken a sneak peek at a celebrity's medical record. In many cases these hospital employees have legitimate reasons to access patient information, which means their access cannot be revoked, or in some cases even restricted, without hindering their ability to perform their duties efficiently.

This is just one of a plethora of reasons why governments are implementing standardized auditing requirements such as HIPAA, SOX, PCI, GLBA, FERPA and Basel.

If we cannot prevent people from accessing data, we need to keep track of how it is being used. This will then enable us to investigate any suspicious activities to determine if a breach has occurred and the nature of the breach, which will allow us to take appropriate action.

To this end, Microsoft added the Auditing feature in SQL Server 2008, and it has been available in every version since.

Auditing in SQL Server prior to 2008

Before SQL Server 2008, auditing had to be done by using a combination of features such as:

  • Login Auditing and C2 auditing
  • Triggers and event notifications
  • SQL Trace, which could be used in conjunction with SQL Profiler

Utilizing the above mentioned features for auditing purposes can be quite cumbersome, as it involves a significant amount of setup. The data accumulated by these methods is logged in different ways to a variety of locations, which makes it hard to assimilate. Some of these features can also have a performance impact, which makes them less than desirable.

Auditing in SQL Server 2008 onwards

SQL Server auditing is a new feature which makes use of extended events to allow you to audit everything that happens in your server, from server setting changes all the way down to who modified a value in a specific table in the database. This information is then written to the Windows security log, the Windows application log or to a flat file.

In SQL Server 2008, auditing was an Enterprise-only feature. In SQL Server 2012, server auditing has been made available to all editions; however, database auditing remains for use by Enterprise customers only.

Extended Events

Extended events are a highly configurable architecture used to handle events occurring in SQL Server. Extended events are built into the SQL Server code and as such they have a minimal impact on performance.

Extended events make use of packages to group objects together. One of these packages is the SecAudit package, which is used by SQL Audit. The events in this package are private and used internally by the SQL Audit feature. This package is unfortunately not accessible, so none of its objects are available externally.

Auditing Components

The SQL Server auditing feature encompasses three main components:

  • The Server Audit
  • The Server Audit Specification
  • The Database Audit Specification

The Server Audit

The Server Audit is the parent component of a SQL Server audit and can contain Server Audit Specifications and/or Database Audit Specifications.

The Server Audit resides in the master database, and is used to define where the audit information will be stored, the file rollover policy, the queue delay and how SQL Server should react in case auditing is not possible.

In the audit configuration the following is configured:

  • The Server Audit name
  • The queue delay, which is the maximum time in milliseconds that the system may wait before processing any audit. An audit can be processed synchronously or asynchronously. To process synchronously, set the queue delay to 0. For asynchronous processing, the lowest possible value is 1000 milliseconds.
  • How SQL Server should react if it cannot write to the audit log. The options are:

    • Continue and ignore the log issue
    • Shut down the server

      It may seem quite severe to shut down the server if it's not able to write to the audit log. But it all comes down to how important it is for auditing to happen. Is it more important to have a complete audit trail, or is it more important for the database to remain online? Shutting down the server is one of the requirements of common compliance.

      To be able to configure this option, the user who creates or modifies the Audit needs to have SERVER SHUTDOWN permissions.

    • Fail the operation

      This is a good alternative to shutting down the server entirely. The server will remain online but if an action takes place which requires auditing, the action will fail if the target is not available, ensuring that no audit information is missing on transactions which need to be audited.

    In SQL Server 2012 auditing has become more robust by now allowing SQL Audit to recover should the target become unavailable temporarily.

  • The audit destination

    The logging can be done to:

    • File

      The recommended approach is to store audit logs on a network location off the server.

      The file name used is automatically generated by SQL Server. This is done to ensure that the file names are always unique. The audit file name is made up of the following:

      • The Audit name
      • The Audit GUID
      • Partition Number
      • Time Stamp
      • File Extension
    • Security log

      One of the requirements of most compliance regulations is that the audited data itself needs to be secured. This can be achieved in a variety of ways, but typically access to the security log is more restricted than access to the application log, and as such it offers a good way to keep the logged information secured.

    • Application log

      Keep in mind that the default setting for the application log is to overwrite events when it reaches the maximum size. This could result in audit information being lost.

  • The file path, if the previous option was set to log to a file
  • The limit of the size and the number of audit files
  • The maximum number of audit files to be used without rollover

    In SQL Server 2008 it was only possible to set the number of files to have in addition to the current file before starting to rollover. An additional option has been added to SQL Server 2012 to allow DBAs to specify the number of audit files without running the risk of auditing data being over-written when the roll over starts.

  • Whether or not to reserve disk space specifically for the audit logs

A Server Audit is automatically assigned a uniquely identifying GUID. This GUID can also be explicitly assigned. The GUID is static and cannot be changed after the audit has been created.

In SQL Server 2012, the audit now also allows for a filter to be specified. This is basically a WHERE clause for the audit which is evaluated before an audit event is written to the target audit destination. This is applied to all audit specifications linked to an audit. Any of the fields returned by the sys.fn_get_audit_file function except for file_name and audit_file_offset may be used as a filter expression.

An audit can be created by using SQL Server Management Studio, Transact-SQL or SQL Server Management Objects (SMO).

In SQL Server Management Studio an audit can be created under the Audit node, which resides under the Security node in the Object Explorer.

An Audit can also be created by using the CREATE SERVER AUDIT Transact SQL command.

NB: All audits and audit specifications are created in a disabled state. Enabling an audit does not automatically enable all audit specifications linked to it. Each audit specification needs to be enabled individually. An audit or audit specification cannot be modified while it is enabled; it first needs to be disabled, then modified and re-enabled.

Both the audit and the audit specification need to be enabled for an event to be logged.

Permissions required:
To CREATE, ALTER or DROP an audit a user requires the ALTER ANY SERVER AUDIT permission. This is also included in the CONTROL SERVER permission.

In order to write to a file location, the SQL Server service account will need to have write permissions on the network share. In order to read the file, all users who belong to the Audit Reader role and Audit Administrators role need to have read permissions on that share as well.

Additional security is required when writing to the Windows Security Log. This is addressed later in this article.
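
The settings listed in this section map onto a single CREATE SERVER AUDIT statement. The T-SQL below is an added example, not code from the original article, written for SQL Server 2012 or later; the audit name, the UNC share and the login name are constructed placeholders.

```sql
-- Added example. Constructed names: Audit_Compliance, \\auditsrv\sqlaudit$\,
-- CONTOSO\svc_monitor. Requires ALTER ANY SERVER AUDIT (or CONTROL SERVER).
USE master;
GO

CREATE SERVER AUDIT [Audit_Compliance]
TO FILE (
    FILEPATH = N'\\auditsrv\sqlaudit$\',  -- network share off the database server
    MAXSIZE = 256 MB,                     -- size limit per audit file
    MAX_FILES = 50,                       -- 2012+: fixed number of files, no rollover,
                                          -- so older audit files are never overwritten
    RESERVE_DISK_SPACE = OFF              -- ON pre-allocates MAXSIZE for each file
)
WITH (
    QUEUE_DELAY = 1000,                   -- asynchronous; 0 would make it synchronous
    ON_FAILURE = FAIL_OPERATION           -- 2012+: audited actions fail if the target
                                          -- is unavailable, but the server stays online
)
-- 2012+ filter, evaluated before an event is written to the target.
-- Filtered events are not recorded anywhere, so keep exclusions narrow.
WHERE server_principal_name <> 'CONTOSO\svc_monitor';
GO

-- Audits are created disabled; nothing is logged until the audit is switched on
-- (and at least one enabled audit specification is linked to it).
ALTER SERVER AUDIT [Audit_Compliance] WITH (STATE = ON);
GO

-- Check the configuration and the run-time state of the audit.
SELECT a.name,
       a.audit_guid,
       a.type_desc,          -- FILE, SECURITY LOG or APPLICATION LOG
       a.on_failure_desc,
       a.queue_delay,
       a.is_state_enabled,
       a.predicate,          -- the WHERE filter
       s.status_desc,        -- STARTED, STOPPED or FAILED
       s.audit_file_path     -- generated name: audit name, GUID, partition, timestamp
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
       ON s.audit_id = a.audit_id
WHERE a.name = N'Audit_Compliance';
GO

-- An enabled audit cannot be altered: disable, change, re-enable.
ALTER SERVER AUDIT [Audit_Compliance] WITH (STATE = OFF);
ALTER SERVER AUDIT [Audit_Compliance] WITH (QUEUE_DELAY = 2000);
ALTER SERVER AUDIT [Audit_Compliance] WITH (STATE = ON);
GO
```

Events that occur between the STATE = OFF and STATE = ON statements are not audited, so changes to a production audit are best made in a quiet window.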

Audit Specifications

Audit specifications can have 3 categories of actions:

  • Server level actions
  • Database level actions or
  • Audit level actions, which audit actions on the auditing process itself. Some audit actions are automatically audited, such as changing the state of an audit to on or off

Some actions can be audited individually, such as auditing a select event on a table. This is referred to as an Audit Action.

In most cases audit actions are grouped together resulting in Audit Action Groups. This facilitates audit specification configuration since actions which form a logical unit are included in a single group saving you from having to specify each one individually.

The Server Audit Specification

The Server Audit Specification, which is available in all editions of SQL Server, is used to define what needs to be audited at a server level.

The Server Audit Specification is found under the security node in SQL Server. There can be only one Server Audit Specification per audit.

To create a Server Audit Specification, three things need to be specified:

  • The name of the audit specification. This is optional; a default name will be assigned if you do not enter one
  • The Server Audit, which defines the target the selected events should be logged to
  • The Audit Action Type. These are the events which should be audited

    For the Server Specification all events are grouped into Audit Action Groups. The following are examples of Server Level Audit action groups:

    SUCCESSFUL_LOGIN_GROUP

    FAILED_LOGIN_GROUP

    DBCC_GROUP

    The full list of Server Level Audit Action Groups can be found here: Audit Actions and Audit Action Groups

    When a Server Audit Specification is created via SSMS, it is disabled by default. When creating it with T-SQL, there is an optional parameter to create it in an enabled state.

Permissions required:
In order to create a Server Audit Specification, a user needs to have permission to connect to the database and have the ALTER ANY SERVER AUDIT permission. The CONTROL SERVER permission allows the audit to be viewed by the user.

The Database Audit Specification

The Database Audit Specification audits events at a database level. Using more granular auditing can minimize the performance impact on your server. This is done by using a Database Audit Specification which is unfortunately only available in Enterprise edition. Using the Database Audit Specification, auditing can be done at object or user level.

Unfortunately it cannot be done at column level as of yet.

The Database Audit Specification is created under the Security node of the relevant database.

It can also be created with Transact-SQL and SMO.

The following needs to be configured to create a Database Audit Specification:

  • The Database Audit Specification name. A default name will be assigned if none is provided
  • The Server Audit that the specification must be linked to
  • The Audit Action Type. There are both Audit Actions and Audit Action Groups which may be selected in this field.

    INSERT and UPDATE are some of the Audit Actions which may be selected in this field.

    A complete list of Audit Actions and Audit Action Groups applicable to the Database Audit Specification can be found here: Audit Actions and Audit Action Groups

    • The Object Name of the object to be audited when an Audit Action has been selected
    • The Schema of the selected object
    • public in this field

    Even though SQL Server will allow you to specify an audit action on server scope objects, such as system views, the objects will not be audited and no error will be raised either.

    If you want to audit server scope objects, you need to create a database audit specification in the master database.

    Permissions required:
    In order to create a database audit specification a user needs to have permission to connect to the database and have ALTER ANY DATABASE AUDIT SPECIFICATION or the ALTER or CONTROL permission for the database to which they would like to add the audit.

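
As an added illustration (not code from the original article), the T-SQL below creates one server audit specification and one database audit specification against the same audit, then checks that the audit and both specifications are enabled. The audit and specification names, the SalesDemo database and the dbo.Patient table are hypothetical.

```sql
-- Added example. Constructed names: Audit_SpecDemo, SrvSpec_Logins, DbSpec_Patient,
-- database SalesDemo, table dbo.Patient. Database audit specifications require an
-- edition that supports database auditing.
USE master;
GO

-- Minimal audit for this example: Windows application log target, default options.
CREATE SERVER AUDIT [Audit_SpecDemo] TO APPLICATION_LOG;
GO

-- Server level: only audit action groups can be added, one specification per audit.
CREATE SERVER AUDIT SPECIFICATION [SrvSpec_Logins]
FOR SERVER AUDIT [Audit_SpecDemo]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (DBCC_GROUP)
WITH (STATE = ON);   -- optional; without it the specification is created disabled
GO

USE SalesDemo;
GO

-- Database level: individual audit actions on one object for every user (public),
-- plus an audit action group.
CREATE DATABASE AUDIT SPECIFICATION [DbSpec_Patient]
FOR SERVER AUDIT [Audit_SpecDemo]
    ADD (SELECT, INSERT, UPDATE ON OBJECT::dbo.Patient BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- The specifications are on, but nothing is logged until the audit itself is on.
ALTER SERVER AUDIT [Audit_SpecDemo] WITH (STATE = ON);
GO

-- Server side: audit state, specification state and what is being audited.
SELECT a.name AS audit_name,
       a.is_state_enabled AS audit_enabled,
       s.name AS specification_name,
       s.is_state_enabled AS specification_enabled,
       d.audit_action_name
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS s
  ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = s.server_specification_id
WHERE a.name = N'Audit_SpecDemo';

-- Database side (run in SalesDemo): the same check for the database specification.
SELECT a.name AS audit_name,
       a.is_state_enabled AS audit_enabled,
       s.name AS specification_name,
       s.is_state_enabled AS specification_enabled,
       d.audit_action_name,
       d.class_desc,
       OBJECT_NAME(d.major_id) AS audited_object
FROM sys.server_audits AS a
JOIN sys.database_audit_specifications AS s
  ON s.audit_guid = a.audit_guid
JOIN sys.database_audit_specification_details AS d
  ON d.database_specification_id = s.database_specification_id
WHERE a.name = N'Audit_SpecDemo';
GO
```

A row with audit_enabled = 1 and specification_enabled = 0 (or the reverse) identifies a configuration that looks complete but records nothing.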

User defined audit events

    One of the new 2012 features is the ability to create User Defined Audit Events. User defined audit events can be used to integrate third party applications with SQL Server Audit.

    A user defined audit event is created by using the sp_audit_write procedure. This procedure accepts 3 parameters:

    • This is an id specified by the user, which is written to the user_defined_event_id column of the audit log. The datatype is smallint.
    • Indicates if the procedure succeeded in writing to the audit log. The datatype is bit.
    • This is an optional parameter which allows the user to specify additional information regarding the event. This information is logged to the user_defined_information column of the audit log. The datatype is nvarchar(4000).

    In order for a user defined event to be audited, the USER_DEFINED_AUDIT_GROUP needs to be selected for audit in either the database or server audit specification.

      If this has not been selected as an audit event, all events generated by the sp_audit_write procedure will be ignored.

Reading audit file data

      When auditing information is written to a file target, it is written in binary format. The table-valued function fn_get_audit_file() needs to be used to read it.

      This function accepts 3 parameters:

      • File pattern

        This is an nvarchar(260). The path, or the path and filename, of the file to read should be provided. To read all the files in a folder, specify the path to the folder using the asterisk (*) as wildcard. If an invalid file is specified, the MSG_INVALID_AUDIT_FILE error message will be displayed.

      • Initial file name
        This is the path and file name of the file in an audit set where the reading should start. The datatype is nvarchar(260).

      • Audit record offset
        This can be used to specify the start location in the initial file. The datatype is bigint.

      Example:

 SELECT * FROM sys.fn_get_audit_file('D:\Audits\*', default, default);

The file can contain any of the 26 available elements. A complete list of the available elements can be found here: SQL Server Audit Records

Audit information written to the Windows Security Log or the Application Log can be read using Event Viewer. This information can also be read through SQL Server Management Studio by expanding the Security node, then expanding the Audit node, right-clicking on an Audit and selecting the option View Audit Logs.
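
The following added example (not part of the original article) ties the user defined audit events and file reading sections together: it enables USER_DEFINED_AUDIT_GROUP, raises an event with sp_audit_write, reads it back with sys.fn_get_audit_file, and then uses the initial file name and offset parameters to fetch only newer records. The object names and the event id are constructed; D:\Audits\ is the folder used in the article's own example and is assumed to exist.

```sql
-- Added example. Constructed names: Audit_UserEvents, SrvSpec_UserEvents, event id 1001.
-- Assumes SQL Server 2012+ and a D:\Audits\ folder the service account can write to.
USE master;
GO

CREATE SERVER AUDIT [Audit_UserEvents]
TO FILE (FILEPATH = N'D:\Audits\')
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Without USER_DEFINED_AUDIT_GROUP, events raised by sp_audit_write are ignored.
CREATE SERVER AUDIT SPECIFICATION [SrvSpec_UserEvents]
FOR SERVER AUDIT [Audit_UserEvents]
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [Audit_UserEvents] WITH (STATE = ON);
GO

-- What an integrated application would call to record its own event.
DECLARE @rc int;
EXEC @rc = sys.sp_audit_write
     @user_defined_event_id    = 1001,   -- smallint, chosen by the application
     @succeeded                = 1,      -- bit
     @user_defined_information = N'Patient list exported by application user 42';
SELECT @rc AS return_code;               -- 0 = success, 1 = failure
GO

-- The audit is asynchronous (QUEUE_DELAY = 1000), so allow the queue to flush.
WAITFOR DELAY '00:00:02';

-- Read the binary audit files; event_time is recorded in UTC.
SELECT event_time,
       server_principal_name,
       succeeded,
       user_defined_event_id,
       user_defined_information,
       file_name,
       audit_file_offset
FROM sys.fn_get_audit_file(N'D:\Audits\Audit_UserEvents_*.sqlaudit', DEFAULT, DEFAULT)
WHERE user_defined_event_id = 1001
ORDER BY event_time;
GO

-- Incremental read: remember the last record seen, then ask only for what follows it.
-- In a real loader the file name and offset would be stored in a table between runs.
DECLARE @file nvarchar(260), @offset bigint;

SELECT TOP (1) @file = file_name, @offset = audit_file_offset
FROM sys.fn_get_audit_file(N'D:\Audits\Audit_UserEvents_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC, audit_file_offset DESC;

SELECT event_time, action_id, server_principal_name, user_defined_information
FROM sys.fn_get_audit_file(N'D:\Audits\Audit_UserEvents_*.sqlaudit', @file, @offset);
GO
```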

Securing the audit logs

The audit logs themselves need to be protected from unauthorized access and modification.

There are two ways to increase the security of the audit logs:

  1. Write the audit logs to a file share on a different server, to which the sysadmin does not even have permission. Only allow permission to the auditor.
  2. Write the audit logs to the Windows Security Log. This requires the following additional configuration:
    • Add the SQL Server service account to the Generate Security Audits policy in the Group Policy Editor
    • Change the Audit Object Access policy to include both Success and Failure

    Keep in mind that when writing to the Windows logs, the Windows audit policy could potentially cause audit data to be lost. The Windows logs usually roll over and as such can start overwriting older events, which could cause some SQL Audit data to be lost.

    In Windows 8 the plugin is called gpedit.msc. In order to access it, you need to type gpedit.msc in the search box. Remember to include the .msc extension or you might not find it.

    Unfortunately, if you only have the basic edition of Windows 8, you may not be able to access this application.

Restarting a SQL Server after a forced shutdown

If SQL Server was shut down by SQL Audit, it will not start up normally. It needs to be restarted in single user mode using the -m flag. Alternatively, it can also be started in minimal configuration mode using the -f flag.

This will then allow the DBA to make modifications to the audit if it is required.

SQL Server will write the MSG_AUDIT_SHUTDOWN_BYPASSED message to the error log if auditing was bypassed in this way.

Best Practices

  • Write audit logs to a centralized location
  • To facilitate processing of the audited data, load the logs into a database
  • Use a file as a target for optimal performance
  • Use targeted auditing to minimize the collected data and improve performance
  • When writing to the Windows logs, ensure that the rollover policy of the Windows logs coincides with that of your audit strategy

Conclusion

SQL Server Auditing is a powerful feature, but should not be used without careful planning and consideration. In order to use Auditing successfully, you need to have a very clear idea of what you hope to achieve. Which actions need to be audited? Who needs access to this information? How will it be accessed? A large part of successful auditing depends on how the audit data is stored, processed and monitored.

In addition to planning, more work may be required to create reports which auditors can use to make sense of this information.

See more

To audit SQL database and security activities, consider ApexSQL Audit, an enterprise level SQL Server auditing tool.

Translated from: https://www.sqlshack.com/understanding-sql-server-audit/
