sys.fn_get_audit_file (Transact-SQL)

 

THIS TOPIC APPLIES TO:yesSQL Server (starting with 2008)noAzure SQL DatabasenoAzure SQL Data Warehouse noParallel Data Warehouse

Returns information from an audit file created by a server audit in SQL Server. For more information, see SQL Server Audit (Database Engine).

Applies to: SQL Server (SQL Server 2008 through current version).

Topic link icon Transact-SQL Syntax Conventions

  
fn_get_audit_file ( file_pattern,   
    { default | initial_file_name | NULL },   
    { default | audit_record_offset | NULL } )  

file_pattern
Specifies the directory or path and file name for the audit file set to be read. Type is nvarchar(260). This argument must include both a path (drive letter or network share) and a file name that can include a wildcard. A single asterisk (*) can be used to collect multiple files from an audit file set. For example:

  • <path>\* - Collect all audit files in the specified location.

  • <path>\LoginsAudit_{GUID} - Collect all audit files that have the specified name and GUID pair.

  • <path>\LoginsAudit_{GUID}_00_29384.sqlaudit - Collect a specific audit file.

System_CAPS_ICON_note.jpg Note


Passing a path without a file name pattern will generate an error.

initial_file_name
Specifies the path and name of a specific file in the audit file set to start reading audit records from. Type is nvarchar(260).

System_CAPS_ICON_note.jpg Note


The initial_file_name argument must contain valid entries or must contain either the default | NULL value.

audit_record_offset
Specifies a known location with the file specified for the initial_file_name. When this argument is used the function will start reading at the first record of the Buffer immediately following the specified offset.

System_CAPS_ICON_note.jpg Note


The audit_record_offset argument must contain valid entries or must contain either the default | NULL value. Type is bitint.

The following table describes the audit file content that can be returned by this function.

Column nameTypeDescription
event_timedatetime2Date and time when the auditable action is fired. Is not nullable.
sequence_numberintTracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. Is not nullable.
action_idvarchar(4)ID of the action. Is not nullable.
succeededbit

1 = success

0 = fail
Indicates whether the action that triggered the event succeeded. Is not nullable. For all events other than login events, this only reports whether the permission check succeeded or failed, not the operation.
permission_bitmaskvarbinary(16)In some actions, this is the permissions that were grant, denied, or revoked.
is_column_permissionbit

1 = true

0 = false
Flag indicating if this is a column level permission. Is not nullable. Returns 0 when the permission_bitmask = 0.
session_idsmallintID of the session on which the event occurred. Is not nullable.
server_principal_idintID of the login context that the action is performed in. Is not nullable.
database_principal_idintID of the database user context that the action is performed in. Is not nullable. Returns 0 if this does not apply. For example, a server operation.
target_server_principal_idintServer principal that the GRANT/DENY/REVOKE operation is performed on. Is not nullable. Returns 0 if not applicable.
target_database_principal_idintThe database principal the GRANT/DENY/REVOKE operation is performed on. Is not nullable. Returns 0 if not applicable.
object_idintThe ID of the entity on which the audit occurred. This includes the following:

Server objects

Databases

Database objects

Schema objects

Is not nullable. Returns 0 if the entity is the Server itself or if the audit is not performed at an object level. For example, Authentication.
class_typevarchar(2)The type of auditable entity that the audit occurs on. Is not nullable.
session_server_principal_namesysnameServer principal for session. Is nullable.
server_principal_namesysnameCurrent login. Is nullable.
server_principal_sidvarbinaryCurrent login SID. Is nullable.
database_principal_namesysnameCurrent user. Is nullable. Returns NULL if not available.
target_server_principal_namesysnameTarget login of action. Is nullable. Returns NULL if not applicable.
target_server_principal_sidvarbinarySID of target login. Is nullable. Returns NULL if not applicable.
target_database_principal_namesysnameTarget user of action. Is nullable. Returns NULL if not applicable.
server_instance_namesysnameName of the server instance where the audit occurred. The standard server\instance format is used.
database_namesysnameThe database context in which the action occurred. Is nullable. Returns NULL for audits occuring at the server level.
schema_namesysnameThe schema context in which the action occurred. Is nullable. Returns NULL for audits occuring outside a schema.
object_namesysnameThe name of the entity on which the audit occurred. This includes the following:

Server objects

Databases

Database objects

Schema objects

Is nullable. Returns NULL if the entity is the Server itself or if the audit is not performed at an object level. For example, Authentication.
statementnvarchar(4000)TSQL statement if it exists. Is nullable. Returns NULL if not applicable.
additional_informationnvarchar(4000)Unique information that only applies to a single event is returned as XML. A small number of auditable actions contain this kind of information.

One level of TSQL stack will be displayed in XML format for actions that have TSQL stack associated with them. The XML format will be:

<tsql_stack><frame nest_level = '%u' database_name = '%.*s' schema_name = '%.*s' object_name = '%.*s' /></tsql_stack>

Frame nest_level indicates the current nesting level of the frame. The Module name is represented in three part format (database_name, schema_name and object_name). The module name will be parsed to escape invalid xml characters like '<', '>', '/', '_x'. They will be escaped as _xHHHH_. The HHHH stands for the four-digit hexadecimal UCS-2 code for the character

Is nullable. Returns NULL when there is no additional information reported by the event.
file_namevarchar(260)The path and name of the audit log file that the record came from. Is not nullable.
audit_file_offsetbigintThe buffer offset in the file that contains the audit record. Is not nullable.
user_defined_event_idsmallintApplies to: SQL Server 2012 through SQL Server 2016.

User defined event id passed as an argument to sp_audit_write. NULL for system events (default) and non-zero for user-defined event. For more information, see sp_audit_write (Transact-SQL).
user_defined_informationnvarchar(4000)Applies to: SQL Server 2012 through SQL Server 2016.

Used to record any extra information the user wants to record in audit log by using the sp_audit_write stored procedure.

If the file_pattern argument passed to fn_get_audit_file references a path or file that does not exist, or if the file is not an audit file, the MSG_INVALID_AUDIT_FILE error message is returned.

Requires the CONTROL SERVER permission.

This example reads from a file that is named \\serverName\Audit\HIPPA_AUDIT.sqlaudit.

SELECT * FROM sys.fn_get_audit_file ('\\serverName\Audit\HIPPA_AUDIT.sqlaudit',default,default);  
GO  

For a full example about how to create an audit, see SQL Server Audit (Database Engine).

CREATE SERVER AUDIT (Transact-SQL)
ALTER SERVER AUDIT (Transact-SQL)
DROP SERVER AUDIT (Transact-SQL)
CREATE SERVER AUDIT SPECIFICATION (Transact-SQL)
ALTER SERVER AUDIT SPECIFICATION (Transact-SQL)
DROP SERVER AUDIT SPECIFICATION (Transact-SQL)
CREATE DATABASE AUDIT SPECIFICATION (Transact-SQL)
ALTER DATABASE AUDIT SPECIFICATION (Transact-SQL)
DROP DATABASE AUDIT SPECIFICATION (Transact-SQL)
ALTER AUTHORIZATION (Transact-SQL)
sys.server_audits (Transact-SQL)
sys.server_file_audits (Transact-SQL)
sys.server_audit_specifications (Transact-SQL)
sys.server_audit_specification_details (Transact-SQL)
sys.database_audit_specifications (Transact-SQL)
sys.database_audit_specification_details (Transact-SQL)
sys.dm_server_audit_status (Transact-SQL)
sys.dm_audit_actions (Transact-SQL)
sys.dm_audit_class_type_map (Transact-SQL)
Create a Server Audit and Server Audit Specification

Community Additions

ADD
Show: