Share via


SQL Audit logs in Azure Log Analytics and Azure Event Hubs

We are pleased to announce that Azure SQL Database Audit logs can now be written directly to Azure Log Analytics or Azure Event Hubs. This ability, now available in public preview, provides SQL Database Auditing customers with an easy way to centrally manage all of their log data, along with a rich set of tools for consuming and analyzing database audit logs at scale.

Azure Log Analytics plays a central role in monitoring and management of your Azure environment. It enables collecting telemetry and other data from a variety of sources across Azure, and provides a query language and analytics engine for deep analysis and insights on the operation of applications and resources. For more information on the Log Analytics platform, see What is Azure Log Analytics.

With native support for saving SQL audit logs directly to Log Analytics, log data from all of your database resources can be gathered and stored in a single central location. The logs can now be analyzed using the rich analysis tools provided by the platform, which can provide deeper visibility and advanced cross-resource analytics.

In addition, SQL Server audit logs (from on-premises SQL Servers or SQL Servers on a VM) can also be collected in Log Analytics via OMS agent integration, as described in this article. Thus, you can manage and analyze all of your database audit logs, whether from the cloud or on-premises, in a single central location using the power of Azure Log Analytics.

Writing audit logs to Azure Log Analytics is as easy as selecting Log Analytics as a target in the Auditing configuration blade, whether configuring Auditing for the database server or for an individual database.

You can choose to write logs to an existing OMS workspace or create a new one. Once this option is configured, logs will be written directly to the OMS workspace where you can analyze them using Log Analytics. Take a look at this tutorial for viewing and analyzing data collected in Log Analytics to help get you started.

Azure Event Hubs is a big data streaming platform and event ingestion service, which can be used to stream events and process them in real time. Learn more about building a big data pipeline with Event Hubs in the Azure Event Hubs documentation.

With audit logs being written directly to an Event Hub, you can stream events to any data analytics service whether inside or outside Azure. This enables you to build a processing system for online analysis of logs, including anomaly detection or other real time alerting.

As with Log Analytics, you can configure writing logs to an Event Hub by choosing this option in the configuration blade.

You also have the flexibility to configure any combination of Azure Storage, Log Analytics and Event Hubs to store your SQL audit logs.

Please note that using Event hubs or Log Analytics as targets for audit logs at the server level is currently not supported for secondary geo-replicated databases. 

For more details on working with Auditing for Azure SQL Database, take a look at the Auditing Getting Started documentation.

 Try it out and let us know what you think!

 

SQL Security team

Comments

  • Anonymous
    December 04, 2018
    Thanks for the blog post, this is a great feature. Is there a plan to send ATP events to Log Analytics? When I attempt to enable this feature I get an error that says "Failed to save Auditing settings for server: . ErrorMessage: Category 'SQLSecurityAuditEvents' is not supported."
    • Anonymous
      December 11, 2018
      Glad to hear you like the feature!Unfortunately for a couple of days there was a temporary problem in enabling the path to Log Analytics - this should be resolved now. Please do try again and let us know if you are experiencing any additional issues.Thanks!
    • Anonymous
      May 03, 2019
      With regard to ATP: You can now get different ATP alerts into Log Analytics if you use Azure Sentinel. Others are coming.