当前位置: 文江博客话题详情

如何为数据库中的所有表设置数据库审计规范

发布于 2024-09-26 23:52:24 字数 111 浏览 0 评论 0原文

我需要创建一个审计来跟踪数据库中所有表的所有 CRUD 事件, 现在我在数据库中有超过 100 个表,有没有办法创建包含数据库中所有表的规范?

PS:我使用的是SQL Server 2008

原文

I need to create an audit to track all CRUD events for all the tables in a database ,
now i have more than 100 tables in the DB , is there a way to create the specification which will include all the tables in the DB ?

P.S : I am using SQL Server 2008

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

舟遥客 2024-10-03 23:52:24

我也有同样的问题。答案实际上比预期的更简单,并且不需要自定义 C# 应用程序来生成大量 SQL 来覆盖所有表。下面的 SQL 示例。重要的一点是为 INSERT/UPDATE/DELETE 指定数据库和公共。

USE [master]
GO

CREATE SERVER AUDIT [CancerStatsAudit]
TO FILE 
(   FILEPATH = N'I:\CancerStats\Audit\'
    ,MAXSIZE = 128 MB
    ,MAX_ROLLOVER_FILES = 64
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = CONTINUE
    ,AUDIT_GUID = '5a0a18cf-fe42-4171-ad01-5e19af9e27d1'
)
ALTER SERVER AUDIT [CancerStatsAudit] WITH (STATE = ON)
GO

USE [CancerStats]
GO

CREATE DATABASE AUDIT SPECIFICATION [CancerStatsDBAudit]
FOR SERVER AUDIT [CancerStatsAudit]
ADD (INSERT ON DATABASE::[CancerStats] BY [public]),
ADD (UPDATE ON DATABASE::[CancerStats] BY [public]),
ADD (DELETE ON DATABASE::[CancerStats] BY [public]),
ADD (EXECUTE ON DATABASE::[CancerStats] BY [public]),
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON)
GO

注意:审核 INSERT、UPDATE 和 DELETE 不需要 DATABASE_OBJECT_CHANGE_GROUP 和 SCHEMA_OBJECT_CHANGE_GROUP - 请参阅下面的附加说明。

附加说明

上面的示例还包括 DATABASE_OBJECT_CHANGE_GROUP 和 SCHEMA_OBJECT_CHANGE_GROUP。包含这些内容是因为我的要求还包括跟踪数据库对象上的 CREATE/ALTER/DROP 操作。值得注意的是,这些文档是错误的。
https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions

上面的页面状态 DATABASE_OBJECT_CHANGE_GROUP 跟踪 CREATE、UPDATE并删除。这是不正确的(我在 SQL Server 2016 中测试过),仅跟踪 CREATE,请参阅:
https://connect.microsoft.com/SQLServer/feedback/details/370103/database-object-change-group-audit-group-does-not-audit-drop-proc

其实就是为了跟踪创建、更新、删除、使用 SCHEMA_OBJECT_CHANGE_GROUP。尽管上面的 learn.microsoft.com 文档页面表明这只适用于架构,但它实际上也适用于架构内的对象。

I had the same question. The answer is actually simpler than expected and doesn't need a custom C# app to generate lots of SQL to cover all the tables. Example SQL below. The important point was to specify database and public for INSERT/UPDATE/DELETE.

USE [master]
GO

CREATE SERVER AUDIT [CancerStatsAudit]
TO FILE 
(   FILEPATH = N'I:\CancerStats\Audit\'
    ,MAXSIZE = 128 MB
    ,MAX_ROLLOVER_FILES = 64
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = CONTINUE
    ,AUDIT_GUID = '5a0a18cf-fe42-4171-ad01-5e19af9e27d1'
)
ALTER SERVER AUDIT [CancerStatsAudit] WITH (STATE = ON)
GO

USE [CancerStats]
GO

CREATE DATABASE AUDIT SPECIFICATION [CancerStatsDBAudit]
FOR SERVER AUDIT [CancerStatsAudit]
ADD (INSERT ON DATABASE::[CancerStats] BY [public]),
ADD (UPDATE ON DATABASE::[CancerStats] BY [public]),
ADD (DELETE ON DATABASE::[CancerStats] BY [public]),
ADD (EXECUTE ON DATABASE::[CancerStats] BY [public]),
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON)
GO

NB: DATABASE_OBJECT_CHANGE_GROUP and SCHEMA_OBJECT_CHANGE_GROUP are not needed for auditing INSERT, UPDATE and DELETE - see additional notes below.

Additional notes:

The example above also includes the DATABASE_OBJECT_CHANGE_GROUP and the SCHEMA_OBJECT_CHANGE_GROUP. These were included since my requirement was to also track CREATE/ALTER/DROP actions on database objects. It is worth noting that the documentation is wrong for these.
https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions

The above page states DATABASE_OBJECT_CHANGE_GROUP tracks CREATE, UPDATE and DELETE. This is not true (I've tested in SQL Server 2016), only CREATE is tracked, see:
https://connect.microsoft.com/SQLServer/feedback/details/370103/database-object-change-group-audit-group-does-not-audit-drop-proc

In fact, to track CREATE, UPDATE, DELETE, use SCHEMA_OBJECT_CHANGE_GROUP. Despite the above learn.microsoft.com documentation page suggesting this only works for schemas, it actually works for objects within the schema as well.

回复 原文
眼泪都笑了 2024-10-03 23:52:24

更改数据捕获

您可以使用 SQL Server 2008 提供的更改数据捕获功能机制。

http://msdn.microsoft.com/en-us/library/bb522489.aspx

请注意,这只会执行创建、更新和删除操作。

触发器和审核表

即使对于 100 个表,您也可以使用单个脚本来生成审核表和必要的触发器。注意,这不是一个很好的机制——它会减慢控制权,除非触发器执行完成,否则控制不会返回。

Change Data Capture

You can use the Change Data Capture functionality mechanism provided by SQL Server 2008.

http://msdn.microsoft.com/en-us/library/bb522489.aspx

Note that this will only do Create, Update and Delete.

Triggers and Audit tables

Even for 100 tables, you can use a single script that will generate the audit tables and the necessary triggers. Note, that this is not a very good mechanism - it will slow down the control will not be returned unless the trigger execution is complete.

回复 原文
一个人练习一个人 2024-10-03 23:52:24

找到了创建数据库审计规范的方法,
编写了 c# 代码,为所有表和我需要的所有操作动态生成 sql 语句,并执行结果字符串。
坦率地说,如果您要为多个表创建数据库审计规范,那么提供的向导根本没有任何帮助。

Found a way to create Database Audit specification ,
wrote a c# code that dynamically generated sql statement for all the tables and all the actions I needed and executed the resultant string.
Frankly the wizard provided is no help at all if you are creating a Database Audit Specification for more than a couple of tables.

回复 原文
~没有更多了~

关于作者

烟酒忠诚

暂无简介

0 文章
0 评论
21 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

花开柳相依

文章 0 评论 0

zyhello

文章 0 评论 0

故友

文章 0 评论 0

对风讲故事

文章 0 评论 0

Oo萌小芽oO

文章 0 评论 0

梦明

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文