When we are using SQL Server in our organization then most of the time we required Auditing. Microsoft provide Auditing feature from SQL Server 2008 onwards but this is an Enterprise feature. There are two types of Auditing which you can implement, first is Server level audit second is database level auditing. Before SQL Server 2008, if you want to use Auditing then we implemented this by using various things like SQL Trace, DDL Triggers, login auditing. There are so many drawbacks of using all these things in comparison of SQL Server Audit feature: like performance, less granularity etc. By using SQL Server Auditing feature you can achieve more security, good performance and easy management. Here i will show you how can you implement Server Level Auditing using Management Studio (Here I am using SQL Server 2012).
Open SSMS and connect SQL Server Instance, then go for audit under security inside object explorer. Now right click on Audit option then click on New Audit..
This will open up a new window, where you can fill up:
1- Name of audit
2- Mode of auditing, synchronous (QUEUE_Delay=0) or asynchronous (QUEUE_DELAY=1000)
3- Action to be taken if logging failed (Continue, Shut down Server, Fail Operation)
4- Audit destination (File, Application Log, and Security Log)
Note: here if you will use file option, then you can configure more options to manage those files like file path, maximum files, maximum file size etc.
Here I am choosing application log.
Now we will create server audit specification as shown below:
This will open up a new window where you can fill up:
1- Name of server audit specification
2- Name of server audit (which we created earlier)
3- Action which you wants to audit as shown below
Here for testing purpose i am taking Failed_Login_Group, and then click OK.
Now enable both server audit and server audit specification, by right click then click on enable option for both.
Here Setup has been completed. Now you can again connect the same instance from SSMS but with a wrong username and password. This will fire a failed login. As per our Audit this failed login entry will go in Application Log. You can check this entry by opening your server Application Log.