Azure Log Analytics (OMS) Agent now collects SQL Server audit logs

First published on MSDN on Dec 28, 2017

We are happy to announce that the Azure Log Analytics (OMS) Agent is now capable of pushing SQL Server audit logs into Azure Log Analytics (OMS), for SQL Server running both on-premises and on Azure VMs.

The Azure Log Analytics (OMS) platform can now be used as a centralized data store for all your audit logs, for deeper visibility and advanced cross-resource analytics. Additional info on the platform can be found in What is Log Analytics.


To enable this new capability, SQL Server audit logs need to be written to the Windows Application Log. This can be configured using T-SQL, as well as via the Audit Properties in SSMS:

T-SQL example:

CREATE SERVER AUDIT MyServerAudit
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
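
The CREATE SERVER AUDIT statement only defines where events go: the audit is created disabled and records nothing until it is enabled and an audit specification is bound to it. The following T-SQL is an added example, not part of the original post, that completes the setup and checks it; the specification name MyServerAuditSpec and the choice of action groups are assumptions to adapt to your own audit policy.

```sql
-- Added example. MyServerAudit comes from the post; MyServerAuditSpec and the
-- action groups below are assumptions. Requires ALTER ANY SERVER AUDIT.
USE master;
GO

-- Define the audit target (Windows Application log) if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'MyServerAudit')
    CREATE SERVER AUDIT MyServerAudit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- A new audit is disabled by default; turn it on.
ALTER SERVER AUDIT MyServerAudit WITH (STATE = ON);
GO

-- Bind a server audit specification that selects which events are recorded.
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications
               WHERE name = N'MyServerAuditSpec')
    CREATE SERVER AUDIT SPECIFICATION MyServerAuditSpec
    FOR SERVER AUDIT MyServerAudit
        ADD (FAILED_LOGIN_GROUP),               -- failed logon attempts
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- e.g. additions to sysadmin
        ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created/altered/dropped
        ADD (AUDIT_CHANGE_GROUP)                -- tampering with the audit itself
    WITH (STATE = ON);
GO

-- Check 1: the audit targets the Application log and is enabled.
SELECT name, type_desc, on_failure_desc, queue_delay, is_state_enabled
FROM sys.server_audits
WHERE name = N'MyServerAudit';

-- Check 2: the specification is enabled and lists the expected action groups.
SELECT s.name AS specification_name, s.is_state_enabled, d.audit_action_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audit_specification_details AS d
    ON d.server_specification_id = s.server_specification_id
WHERE s.name = N'MyServerAuditSpec';

-- Check 3: runtime status (status_desc should read STARTED).
SELECT name, status_desc, status_time
FROM sys.dm_server_audit_status
WHERE name = N'MyServerAudit';
```

Including AUDIT_CHANGE_GROUP means that disabling or altering the audit is itself written to the Application log and therefore forwarded to the workspace.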

SSMS example:


After setting up SQL Server auditing as described above, the Azure Log Analytics (OMS) agent should be configured to send logs to a Workspace. This can be done from Control Panel –> Microsoft Monitoring Agent Properties –> Azure Log Analytics (OMS).


Finally, the Azure Log Analytics (OMS) Workspace needs to be configured to collect Application Logs. This can be done from the Azure Log Analytics / OMS portals via Settings –> Data –> Windows Event Logs –> Application.

Additional info:


SQL Server Auditing

Log Analytics (OMS) – documentation

Log Analytics (OMS) – Collect data from Windows computers

Log Analytics (OMS) – Collect data from Azure VMs


SQL Security team

 

This article was originally published by Microsoft's Azure SQL Database Blog. You can find the original article here.