0

In the SQL Server Audit Add DB User Event Class, there are four Event Sub Classes defined:

  1. Add
  2. Drop
  3. Grant database access
  4. Revoke database access

(MS documentation found here)

When I set up SQL Server Profiler to trace the Audit Add DB User Event Class, it only seems to capture events with a subclass of 3 or 4, and not 1 or 2.

To test the trace, I am using the following SQL statements:

CREATE USER testuser FOR LOGIN testlogin;
DROP USER testuser;

When I run these statements in SQL Server Management Studio, SQL Server Profiler displays two Audit Add DB User Events, one with EventSubClass 3 (Grant database access) and one with EventSubClass 4 (Revoke database access), but does not display anything for EventSubClass 1 (Add) or EventSubClass 2 (Drop).

From what I can tell, all three even subclasses should be covered by the SQL statements used above. Is there something additional that needs to be configured in order to capture these event subclasses?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Zerker
  • 125
  • 7
  • I should add that I am able to see the event with EventSubClass 2 if I use "sp_dropuser" instead of the "Drop User" statement, but using the corresponding "sp_adduser" proc still does not cause a EventSubClass 1 to show up in the trace. – Zerker Nov 13 '18 at 20:06

1 Answers1

0

The old trace functionality has been deprecated since 2012. I did some testing and depending on what commands I executed I could get 2. But I never managed to get 1. If you look at the documentation for this event class, you'll see that it is documented to provide information when you use the ancient procedures sp_adduser, sp_dropuser, etc. But even when doing that it seems a bit flaky.

Sure, one could report this to MS, but they will (most likely) just say that you should use a technology which isn't deprecated. I.e., Extended Events. I very much doubt that MS will pour any resources into fixing this, even if that would consider this to be a bug in the first place. So, my recommendation will be the same: Look into Extended Events instead.

Here's a blog I wrote about "getting into" XE: http://sqlblog.karaszi.com/tips-for-getting-started-with-extended-events/

Tibor Karaszi
  • 379
  • 1
  • 7
  • Thanks @Tibor, This is in line with what I've been thinking (and seeing). The project I'm working on requires the use of these older style events at this point (without a major rework), so I'm going to have to make do with what is available. I will report the bug to MS and leave it up to them, but as you said, there isn't likely much appetite for addressing issues with deprecated features. – Zerker Nov 14 '18 at 11:45
  • Let us know if you get a reply, Zerker :-) – Tibor Karaszi Nov 14 '18 at 11:55