Manage Access Audits¶

The Microsoft SQL Server connector provides access auditing capabilities to help organizations track user activity, ensure compliance, and enhance security monitoring. This feature allows you to collect and process audit logs from Microsoft SQL Server audit files. Audit logs can be stored in Azure Blob Storage (for Azure SQL) or in local file systems (for on-premises SQL Server installations).

Audit Configuration¶

Audit Enable: Enables audit logs for the Microsoft SQL Server connector. Set this property to true to enable audit logs.

Storage URL: Specifies the storage location where SQL Server audit logs are stored. For Azure SQL, this should be an Azure Blob Storage URL. For on-premises SQL Server, this should be the local file system path where audit logs are written. For Azure Blob Storage, the URL format should be: https://<storage_account>.blob.core.windows.net/<container>/<mssql_server_name>.

Example: https://sqlaudit.blob.core.windows.net/sqldbauditlogs/my-sql-server

Important

The <mssql_server_name> portion of the URL must be your actual MSSQL server name. You can find this by checking your Azure Blob Storage container - the server name will appear as a directory inside the container. See the Verify Audit Configuration section below for details.

Audit Load Key: Specifies the audit loading mechanism used by the connector. This property determines how audit logs are processed:

load: Use this value for standard Microsoft SQL Server databases.
load_synapse: Use this value for Azure Synapse Analytics databases.

Audit Initial Pull Minutes: Specifies the number of minutes in the past from which to start pulling audit logs when the connector first runs. This helps ensure that historical audit data is captured. Default: 30 minutes.

Audit Excluded Users: Comma-separated list of users to exclude from audit processing. Audit logs for these users will not be processed by the connector. This is useful for excluding service accounts or administrative users from audit collection.

Example: admin_user,service_account@domain.com

Audit Sync Interval: Specifies the interval (in seconds) at which the connector synchronizes and processes audit logs. Default: 30 seconds.

Prerequisites¶

Before configuring access audits, you need to set up SQL Server auditing in Azure. Follow these steps:

Enable Azure SQL Auditing¶

Log in to the Azure portal.
Search for the SQL Servers in which you want to configure MSSQL auditing.
Select the SQL Server (or SQL Database), and then click Auditing.
Click the Enable Azure SQL Auditing toggle button to turn on Azure SQL Auditing.
Select the Storage checkbox to set the audit log destination to a storage account, and then select your existing storage account from the Storage Details.
Click Save.

Configure Azure Cloud Shell¶

Click the Cloud shell icon in the top menu bar, and then select PowerShell.
Click Show advanced settings.
In the Cloud Shell region, enter your region.
In the Storage account, select Use existing.
In the File share, select Create new, and then enter a name.
Click Create storage.
The Cloud PowerShell window will appear. You can now run your commands in PowerShell.

If you have an Azure SQL Database, run:

PowerShell

Set-AzSqlServerAudit -ResourceGroupName "${RESOURCE_GROUP}" -ServerName "${MSSQL_SERVER_NAME}" -AuditActionGroup SCHEMA_OBJECT_ACCESS_GROUP,DATABASE_OBJECT_CHANGE_GROUP,SCHEMA_OBJECT_CHANGE_GROUP

If you have an Azure Synapse Database, run:

PowerShell

Set-AzSqlServerAudit -ResourceGroupName "${RESOURCE_GROUP}" -ServerName "${MSSQL_SERVER_NAME}" -AuditActionGroup BATCH_COMPLETED_GROUP

Verify Audit Configuration and Get Storage URL¶

Go to the storage account configured for MSSQL auditing and click Containers.

Note

Make sure that your MSSQL Server name directory is visible inside your audit log container. It may take a few minutes to appear.
Navigate into your audit log container (e.g., sqldbauditlogs). You should see a directory with your MSSQL server name (e.g., my-sql-server).
Go to Properties, and copy the container URL (e.g., https://sqlaudit.blob.core.windows.net/sqldbauditlogs).
Your Audit storage URL will be: ${CONTAINER_URL}/${MSSQL_SERVER_NAME}

For example: https://sqlaudit.blob.core.windows.net/sqldbauditlogs/my-sql-server

Do not use only the container URL

The storage URL must include the SQL Server name directory, otherwise the connector will not find audit logs and will show: auditLogsCount: 0

SQL Server On-Premises Setup¶

Perform the following steps to enable auditing locally.

Supported Version

The MSSQL connector currently supports SQL Server 2019 for on-premises deployments. Refer to the supported matrix for the latest supported versions.

Step 1: Docker Compose

Create a docker-compose.yml file with the following configuration:

YAML
version: "3.8"

services:
  sqlserver:
    image: mcr.microsoft.com/mssql/server:2019-latest
    container_name: sqlserver2019
    environment:
      - ACCEPT_EULA=Y
      - MSSQL_SA_PASSWORD=welcome1
      - MSSQL_PID=Developer
    ports:
      - "1433:1433"
    volumes:
      - sqlserver-data:/var/opt/mssql
      - ./audit-logs:/var/opt/mssql/audit
    restart: unless-stopped

volumes:
  sqlserver-data:

Step 2: Create Audit Logs Directory

Create the audit logs directory on the host and set appropriate permissions:

Bash
mkdir -p audit-logs
chmod 777 audit-logs

Step 3: Start SQL Server Container

Start the SQL Server container using Docker Compose:

Bash
docker compose up -d

Step 4: Configure Server Audit

Connect to SQL Server using a database management tool (such as DBeaver) and run the following SQL queries to create and enable the server audit:

SQL
CREATE SERVER AUDIT SQL_Server_Audit
TO FILE (
    FILEPATH = '/var/opt/mssql/audit',
    RESERVE_DISK_SPACE = ON
);

ALTER SERVER AUDIT SQL_Server_Audit WITH (STATE = ON);

CREATE SERVER AUDIT SPECIFICATION Audit_Spec
FOR SERVER AUDIT SQL_Server_Audit
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP);

ALTER SERVER AUDIT SPECIFICATION Audit_Spec WITH (STATE = ON);

Step 5: Verify Server Audit Configuration

Verify that the server audit is configured and enabled:

SQL
SELECT name, state_desc FROM sys.server_audits;

Query audit logs to verify they are being written:

SQL
SELECT * FROM sys.fn_get_audit_file('/var/opt/mssql/audit/*.sqlaudit', DEFAULT, DEFAULT);

To check recent audit events:

SQL
SELECT TOP 5 
    event_time,
    action_id,
    server_principal_name
FROM sys.fn_get_audit_file('/var/opt/mssql/audit/*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

Step 6: Create Database Audit Specification

To capture table-level operations, create a database audit specification for your target database:

SQL
-- Switch to the target database
USE connector_automation_db;

-- Create Database Audit Specification
CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpec_Privacera]
FOR SERVER AUDIT [SQL_Server_Audit]
ADD (SELECT ON SCHEMA::[customer_schema] BY [public]),
ADD (INSERT ON SCHEMA::[customer_schema] BY [public]),
ADD (UPDATE ON SCHEMA::[customer_schema] BY [public]),
ADD (DELETE ON SCHEMA::[customer_schema] BY [public])
WITH (STATE = ON);

Note

This audits all operations on all objects in the customer_schema schema. If you want to audit specific tables only, you can modify the specification accordingly.

Step 7: Verify Database Audit Specification

Verify that the database audit specification is enabled:

SQL
SELECT 
    name,
    is_state_enabled,
    create_date,
    modify_date
FROM sys.database_audit_specifications
WHERE name = 'DatabaseAuditSpec_Privacera';

Step 8: Test Audit Logging

Perform test operations to verify audit logging is working:

SQL
-- Test SELECT operation
SELECT * FROM customer_schema.customer_data WHERE id = 1;

Query audit logs filtered for your table:

SQL
SELECT 
    event_time,
    action_id,
    server_principal_name,
    database_principal_name,
    database_name,
    schema_name,
    object_name,
    statement,
    succeeded
FROM sys.fn_get_audit_file('/var/opt/mssql/audit/*.sqlaudit', DEFAULT, DEFAULT)
WHERE database_name = 'connector_automation_db'
  AND schema_name = 'customer_schema'
  AND object_name = 'customer_data'
  AND event_time >= DATEADD(MINUTE, -10, GETDATE())  -- Last 10 minutes
ORDER BY event_time DESC;

Check recent audit events:

SQL
SELECT TOP 10
    event_time,
    action_id,
    server_principal_name,
    database_name,
    schema_name,
    object_name,
    statement
FROM sys.fn_get_audit_file('/var/opt/mssql/audit/*.sqlaudit', DEFAULT, DEFAULT)
WHERE database_name = 'connector_automation_db'
ORDER BY event_time DESC;

Step 9: Configure Service User Permissions

The service user (e.g., privacera_connector) requires specific permissions to query audit logs and configuration.

Grant Server-Level Permissions¶

The sys.fn_get_audit_file() function requires VIEW SERVER STATE permission:

SQL
GRANT VIEW SERVER STATE TO [privacera_connector];

For querying audit configuration:

SQL
GRANT VIEW ANY DEFINITION TO [privacera_connector];

Grant Database Permissions¶

For read-only audit access:

SQL
ALTER ROLE db_datareader ADD MEMBER [privacera_connector];

For full database operations (if connector manages resources):

SQL
ALTER ROLE db_owner ADD MEMBER [privacera_connector];

File System Permissions¶

Important

The SQL Server service account must have read/write access to the audit output path directory (e.g., /var/opt/mssql/audit/). Ensure the service account has appropriate file system permissions to access the audit log files.

Setup¶

Warning

Ensure that SQL Server audit is properly configured and writing logs to the specified Azure Blob Storage location.
The Storage URL must be accessible by the JDBC user credentials configured in the connector.
Replace the example values with your actual values.

Self Managed (YAML Configuration) and Data PlanePrivaceraCloud

SSH to the instance where Privacera Manager is installed.
Run the following command to open the .yml file to be edited.

If you have multiple connectors, then replace instance1 with the appropriate connector instance name.
Bash
1
vi ~/privacera/privacera-manager/config/custom-vars/connectors/mssql/instance1/vars.connector.mssql.yml

Update or add the following properties:

YAML
CONNECTOR_MSSQL_AUDIT_ENABLE: "true"
CONNECTOR_MSSQL_AUDIT_STORAGE_URL: "https://sqlaudit.blob.core.windows.net/sqldbauditlogs/my-sql-server"
CONNECTOR_MSSQL_AUDIT_LOAD_KEY: "load"
CONNECTOR_MSSQL_AUDIT_INITIAL_PULL_MINUTES: "30"
CONNECTOR_MSSQL_AUDIT_EXCLUDED_USERS: "admin_user,service_account@domain.com"
CONNECTOR_MSSQL_AUDIT_SYNC_INTERVAL: "30"

Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

Step 1 - Setup which generates the helm charts. This step usually takes few minutes.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh setup
Step 2 - Apply the Privacera Manager helm charts.
Bash
1 2
cd ~/privacera/privacera-manager ./pm_with_helm.sh upgrade
Step 3 - (Optional) Post-installation step which generates Plugin tar ball, updates Route 53 DNS and so on. This step is not required if you are updating only connector properties.
Bash
1 2
cd ~/privacera/privacera-manager ./privacera-manager.sh post-install

In PrivaceraCloud portal, navigate to Settings → Applications.
On the Connected Applications screen, select MSSQL.
Click the pen icon or the Account Name to modify the settings.
On the Edit Application screen, go to Access Management.
Under the BASIC tab, enable Enable access audits using the toggle button.
Enter a value in the Audits storage URL field. Example: https://sqlaudit.blob.core.windows.net/sqldbauditlogs/my-sql-server
Under the ADVANCED tab, enter the following value:
- Users to exclude when fetching access audits: admin_user,service_account@domain.com

Add the following custom properties to control audit loading and synchronization behavior under Add New Custom Properties:

Bash
ranger.policysync.connector.0.audit.initial.pull.min=30
ranger.policysync.connector.0.audit.interval.sec=30
ranger.policysync.connector.0.load.audits=load

Click SAVE to apply the changes.

Prev topic: Advanced Configuration