First published on MSDN on Dec 28, 2017
We are happy to inform that the Azure Log Analytics (OMS) Agent is now capable of pushing SQL Server audit logs into Azure Log Analytics (OMS), supporting SQL Server both on-premises, as well as on Azure VMs.
The Azure Log Analytics (OMS) platform can now be used as a centralized data store for all your SQL Server audit logs, for deeper visibility and advanced cross-resource analytics. Additional info on the platform can be found in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-overview .
To enable this new capability, SQL Server audit logs need to be written to the Windows Application Log . This can be configured using T-SQL, as well as via the Audit Properties in SSMS:
T-SQL example:
CREATE SERVER AUDIT MyServerAudit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
SSMS example:
After setting up SQL Server auditing as described above, the Azure Log Analytics (OMS) agent should be configured to send logs to a Workspace. This can be done from Control Panel --> Microsoft Monitoring Agent Properties --> Azure Log Analytics (OMS)
Finally, the Azure Log Analytics (OMS) Workspace needs to be configured to collect Application Logs. This can be done from the Azure Login Analytics / OMS portals via Settings --> Data --> Windows Event Logs --> Application :
Additional info:
https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine
https://docs.microsoft.com/en-us/azure/log-analytics/
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-collect-windows-computer
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-collect-azurevm
SQL Security team
We are happy to inform that the Azure Log Analytics (OMS) Agent is now capable of pushing SQL Server audit logs into Azure Log Analytics (OMS), supporting SQL Server both on-premises, as well as on Azure VMs.
The Azure Log Analytics (OMS) platform can now be used as a centralized data store for all your SQL Server audit logs, for deeper visibility and advanced cross-resource analytics. Additional info on the platform can be found in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-overview .
To enable this new capability, SQL Server audit logs need to be written to the Windows Application Log . This can be configured using T-SQL, as well as via the Audit Properties in SSMS:
T-SQL example:
CREATE SERVER AUDIT MyServerAudit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
SSMS example:
After setting up SQL Server auditing as described above, the Azure Log Analytics (OMS) agent should be configured to send logs to a Workspace. This can be done from Control Panel --> Microsoft Monitoring Agent Properties --> Azure Log Analytics (OMS)
Finally, the Azure Log Analytics (OMS) Workspace needs to be configured to collect Application Logs. This can be done from the Azure Login Analytics / OMS portals via Settings --> Data --> Windows Event Logs --> Application :
Additional info:
https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine
https://docs.microsoft.com/en-us/azure/log-analytics/
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-collect-windows-computer
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-quick-collect-azurevm
SQL Security team
Updated Nov 09, 2020
Version 5.0
