Hi
We had configured the auditing feature in SQL Server 2008 Enterprise Edition for SELECT statements, but when we queried the audit file (fn_get_audit_file), we found even UPDATE statements captured with the action_id mapped to SELECT (SL). Do you have any idea? Is it a bug or a configuration issue?
Please find below the output we got when we queried fn_get_audit_file:
action_id  Statement
---------- -----------
AUSC
SL         select * from employee
SL         UPDATE [employee] set [id] = @1 WHERE [ID]=@2
Steps to reproduce the issue:
1) Create a test database
USE master
GO
CREATE DATABASE test
GO
2) Create an employee table in the test database
USE test
GO
CREATE TABLE employee(id INT, name VARCHAR(10))
GO
3) Create a server audit
Note: create a test folder on the D drive
USE master
GO
CREATE SERVER AUDIT [PBDB8_2]
TO FILE
( FILEPATH = N'D:\test\'
,MAXSIZE = 0 MB
,MAX_ROLLOVER_FILES = 2147483647
,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
,ON_FAILURE = CONTINUE
,AUDIT_GUID = '6714cf17-2563-4adf-bfe8-6dbeb5adca8b'
)
ALTER SERVER AUDIT [PBDB8_2] WITH (STATE = ON)
GO
4) Create an audit specification and configure the SELECT operation for the employee table
USE [Test]
GO
CREATE DATABASE AUDIT SPECIFICATION [PBDB8_2]
FOR SERVER AUDIT [PBDB8_2]
ADD (SELECT ON OBJECT::[dbo].[employee] BY [public])
WITH (STATE = ON)
GO
5) Do DML operations on the employee table
USE [Test]
GO
insert into employee values(1,'test')
go
select * from employee
go
update employee set id=2 where ID=1
go
6) Query the internal audit table
SELECT action_id, statement FROM sys.fn_get_audit_file('d:\test\*', default, default)