My team has been trying to implement STIG:
- SQL Server must provide an immediate real-time alert to appropriate support staff of all audit log failures (SV-213985r855969_rule).
Obviously, email notification is fast enough to satisfy the real-time ask - no worries there.
But we struggle to find a clear definition of what precisely we need to monitor.
Could somebody suggest whether it's possible to monitor SQL audit failures in a centralized way, something like monitoring a generic failure event of any kind?
If not, could you please suggest where I could find a definitive list of SQL audit failure events to monitor that match this STIG?
What we have tried so far:
- Select from Database Engine events and `sys.messages` if the message says something about 'audit'.
- Monitor the selected EventIds logged in the Windows Event Log.
- Update. In our case SQL audit is usually configured with `ON_FAILURE = CONTINUE`, because for customers an up-and-running system takes precedence over a shutdown due to audit failure. They still need alerting when SQL audit failures happen, though. SQL Audit options I referred to: link
But still we're not confident that manual selection covers all SQL audit failures that might occur.
I'd really appreciate it if you could share your experience and help find more clarity on that.
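The following T-SQL is an added example for the setup the question describes and is not code from the original post. It assumes an audit named StigAuditExample writing to D:\SqlAudit\ (the directory must already exist), a SQL Agent operator named DBA_OnCall with a working e-mail address, and user-defined message number 50001 being free; all of these are assumptions. It combines the two monitoring angles from the post into one alerting path: a scheduled check of sys.dm_server_audit_status that raises an event-logged custom error whenever any audit on the instance is not in STARTED state (one alert covers every audit, whatever the cause), plus one SQL Agent alert per engine message in sys.messages whose text mentions audit and that SQL Server actually writes to the Windows Application log. The is_event_logged filter matters because a SQL Agent alert keyed on a message_id only fires for messages written to the Application log; picking ids from sys.messages without that filter produces alerts that can never fire.

```sql
USE master;
GO

-- 1. Audit configured as in the post. ON_FAILURE = CONTINUE keeps the instance up
--    when the target cannot be written, so a failed audit is silent unless something
--    watches for it. Audit name and file path are assumptions for this example.
CREATE SERVER AUDIT StigAuditExample
TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT StigAuditExample WITH (STATE = ON);
GO

-- 2. One user-defined, event-logged message meaning "an audit is not running".
--    @with_log = 'TRUE' makes RAISERROR write it to the Windows Application log,
--    which is where SQL Agent alerts pick it up. Message number 50001 is assumed free.
EXEC sp_addmessage @msgnum = 50001, @severity = 16,
     @msgtext = N'SQL Server Audit failure: audit %s is in state %s (target %s)',
     @lang = 'us_english', @with_log = 'TRUE', @replace = 'replace';
GO

-- 3. Check to run from a SQL Agent job on a short schedule (or from an external
--    monitoring agent). Every audit whose status_desc is not STARTED (the DMV also
--    exposes values such as FAILED and TARGET_CREATION_FAILED) is raised as 50001.
IF OBJECT_ID(N'dbo.usp_CheckAuditStatus', N'P') IS NOT NULL
    DROP PROCEDURE dbo.usp_CheckAuditStatus;
GO
CREATE PROCEDURE dbo.usp_CheckAuditStatus
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @name sysname, @status nvarchar(60), @path nvarchar(260);
    DECLARE c CURSOR LOCAL FAST_FORWARD FOR
        SELECT name, status_desc, ISNULL(audit_file_path, N'(no file target)')
        FROM sys.dm_server_audit_status
        WHERE status_desc <> N'STARTED';
    OPEN c;
    FETCH NEXT FROM c INTO @name, @status, @path;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- Severity 16 also fails the job step, so the failure is visible in job history.
        RAISERROR(50001, 16, 1, @name, @status, @path) WITH LOG;
        FETCH NEXT FROM c INTO @name, @status, @path;
    END
    CLOSE c; DEALLOCATE c;
END
GO

-- 4. Alert on the custom message, notifying an existing operator by e-mail
--    (notification_method 1 = e-mail). Operator name DBA_OnCall is an assumption.
EXEC msdb.dbo.sp_add_alert @name = N'SQL Audit not running', @message_id = 50001,
     @enabled = 1, @delay_between_responses = 60, @include_event_description_in = 1;
EXEC msdb.dbo.sp_add_notification @alert_name = N'SQL Audit not running',
     @operator_name = N'DBA_OnCall', @notification_method = 1;
GO

-- 5. One alert per engine message about audit that SQL Server itself logs to the
--    Application log. Messages with is_event_logged = 0 are skipped on purpose:
--    an Agent alert keyed on such a message_id would never fire. Re-running the
--    script is safe because alerts that already exist by name are left alone.
DECLARE @id int, @alert nvarchar(128);
DECLARE m CURSOR LOCAL FAST_FORWARD FOR
    SELECT message_id
    FROM sys.messages
    WHERE language_id = 1033 AND is_event_logged = 1 AND text LIKE N'%audit%';
OPEN m;
FETCH NEXT FROM m INTO @id;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @alert = N'SQL Audit msg ' + CAST(@id AS nvarchar(10));
    IF NOT EXISTS (SELECT 1 FROM msdb.dbo.sysalerts WHERE name = @alert)
    BEGIN
        EXEC msdb.dbo.sp_add_alert @name = @alert, @message_id = @id,
             @enabled = 1, @delay_between_responses = 60, @include_event_description_in = 1;
        EXEC msdb.dbo.sp_add_notification @alert_name = @alert,
             @operator_name = N'DBA_OnCall', @notification_method = 1;
    END
    FETCH NEXT FROM m INTO @id;
END
CLOSE m; DEALLOCATE m;
GO
```

Schedule `EXEC master.dbo.usp_CheckAuditStatus` as a SQL Agent job step; SQL Agent, Database Mail and the operator must already be configured for the notifications to go anywhere. The state check is the part that answers the "generic failure" question: it does not depend on knowing every error number in advance, only on the audit's reported state. The per-message alerts cover errors the engine logs while an audit is still nominally running (for example a target that is temporarily unwritable), which the state check alone can miss. Review the list that step 5 produces once, since `LIKE '%audit%'` is deliberately broad and may pick up logged messages that are not failures.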