安全圈 (Security Circle) | Focused on the latest network and information security news


Using auditing

Author: armann, Date: 2020-02-18

Auditing for Azure SQL Database and SQL Data Warehouse tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace or Event Hubs. Auditing also:

Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. For more information about Azure programs that support standards compliance, see the Azure Trust Center, where you can find the most current list of SQL Database compliance certifications.

Note

This topic applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Azure SQL database auditing overview

You can use SQL database auditing to:

Important

Audit logs are written to Append Blobs in Azure Blob storage on your Azure subscription.

Define server-level vs. database-level auditing policy

An auditing policy can be defined for a specific database or as a default server policy:

A server policy applies to all existing and newly created databases on the server.

If server blob auditing is enabled, it always applies to the database. The database will be audited, regardless of the database auditing settings.

Enabling blob auditing on the database or data warehouse, in addition to enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits will exist side by side. In other words, the database is audited twice in parallel: once by the server policy and once by the database policy.

Note

You should avoid enabling both server blob auditing and database blob auditing together, unless:

Otherwise, we recommend that you enable only server-level blob auditing and leave the database-level auditing disabled for all databases.

Set up auditing for your database

The following section describes the configuration of auditing using the Azure portal.

Go to the Azure portal.

Navigate to Auditing under the Security heading in your SQL database/server pane.

If you prefer to set up a server auditing policy, you can select the View server settings link on the database auditing page. You can then view or modify the server auditing settings. Server auditing policies apply to all existing and newly created databases on this server.

If you prefer to enable auditing on the database level, switch Auditing to ON.

If server auditing is enabled, the database-configured audit will exist side-by-side with the server audit.

New - You now have multiple options for configuring where audit logs will be written. You can write logs to an Azure storage account, to a Log Analytics workspace for consumption by Azure Monitor logs, or to event hub for consumption using event hub. You can configure any combination of these options, and audit logs will be written to each.

Warning

Enabling auditing to Log Analytics will incur cost based on ingestion rates. Please be aware of the associated cost with using this option, or consider storing the audit logs in an Azure storage account.

![Storage options](./media/sql-database-auditing-get-started/auditing-select-destination.png)

To configure writing audit logs to a storage account, select Storage and open Storage details. Select the Azure storage account where logs will be saved, and then select the retention period. The old logs will be deleted. Then click OK.

Important

To configure writing audit logs to a Log Analytics workspace, select Log Analytics (Preview) and open Log Analytics details. Select or create the Log Analytics workspace where logs will be written and then click OK.

To configure writing audit logs to an event hub, select Event Hub (Preview) and open Event Hub details. Select the event hub where logs will be written and then click OK. Be sure that the event hub is in the same region as your database and server.

Click Save.

If you want to customize the audited events, you can do this via PowerShell cmdlets or the REST API.

Important

Enabling auditing on a paused Azure SQL Data Warehouse is not possible. To enable it, un-pause the Data Warehouse.

Warning

Enabling auditing on a server that has an Azure SQL Data Warehouse on it will result in the Data Warehouse being resumed and re-paused again, which may incur billing charges.

Analyze audit logs and reports

If you chose to write audit logs to Azure Monitor logs:

Use the Azure portal. Open the relevant database. At the top of the database's Auditing page, click View audit logs.

Then, you have two ways to view the logs:

Clicking on Log Analytics at the top of the Audit records page will open the Logs view in Log Analytics workspace, where you can customize the time range and the search query.

Clicking View dashboard at the top of the Audit records page will open a dashboard displaying audit logs info, where you can drill down into Security Insights, Access to Sensitive Data and more. This dashboard is designed to help you gain security insights for your data. You can also customize the time range and search query.

Alternatively, you can also access the audit logs from the Log Analytics blade. Open your Log Analytics workspace and under the General section, click Logs. You can start with a simple query, such as: search "SQLSecurityAuditEvents" to view the audit logs. From here, you can also use Azure Monitor logs to run advanced searches on your audit log data. Azure Monitor logs gives you real-time operational insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers. For additional useful information about Azure Monitor logs search language and commands, see Azure Monitor logs search reference.

If you chose to write audit logs to Event Hub:

If you chose to write audit logs to an Azure storage account, there are several methods you can use to view the logs:

Audit logs are aggregated in the account you chose during setup. You can explore audit logs by using a tool such as Azure Storage Explorer. In Azure storage, auditing logs are saved as a collection of blob files within a container named sqldbauditlogs. For further details about the hierarchy of the storage folders, naming conventions, and log format, see the SQL Database Audit Log Format.

Use the Azure portal. Open the relevant database. At the top of the database's Auditing page, click View audit logs.

Audit records opens, from which you'll be able to view the logs.

You can view specific dates by clicking Filter at the top of the Audit records page.

You can view only SQL injection related audit records by checking the Show only audit records for SQL injections checkbox.

Use the system function sys.fn_get_audit_file (T-SQL) to return the audit log data in tabular format. For more information on using this function, see sys.fn_get_audit_file.

Use Merge Audit Files in SQL Server Management Studio (starting with SSMS 17):

From the SSMS menu, select File > Open > Merge Audit Files.

The Add Audit Files dialog box opens. Select one of the Add options to choose whether to merge audit files from a local disk or import them from Azure Storage. You are required to provide your Azure Storage details and account key.

After all files to merge have been added, click OK to complete the merge operation.

The merged file opens in SSMS, where you can view and analyze it, as well as export it to an XEL or CSV file, or to a table.

Use Power BI. You can view and analyze audit log data in Power BI. For more information and to access a downloadable template, see Analyze audit log data in Power BI.

Download log files from your Azure Storage blob container via the portal or by using a tool such as Azure Storage Explorer.

Additional methods:

After downloading several files or a subfolder that contains log files, you can merge them locally as described in the SSMS Merge Audit Files instructions described previously.

View blob auditing logs programmatically:

Production practices

Auditing geo-replicated databases

With geo-replicated databases, when you enable auditing on the primary database the secondary database will have an identical auditing policy. It is also possible to set up auditing on the secondary database by enabling auditing on the secondary server, independently from the primary database.

Auditing must be enabled on the primary database itself, not the server.

After auditing is enabled on the primary database, it will also become enabled on the secondary database.

Important

With database-level auditing, the storage settings for the secondary database will be identical to those of the primary database, causing cross-regional traffic. We recommend that you enable only server-level auditing, and leave the database-level auditing disabled for all databases.

Storage key regeneration

Open Storage Details. In the Storage Access Key box, select Secondary, and click OK. Then click Save at the top of the auditing configuration page.

Go to the storage configuration page and regenerate the primary access key.

Go back to the auditing configuration page, switch the storage access key from secondary to primary, and then click OK. Then click Save at the top of the auditing configuration page.

Go back to the storage configuration page and regenerate the secondary access key (in preparation for the next key's refresh cycle).

Additional Information

For details about the log format, hierarchy of the storage folder and naming conventions, see the Blob Audit Log Format Reference.

Important

Azure SQL Database Audit stores 4000 characters of data for character fields in an audit record. When the statement or the data_sensitivity_information values returned from an auditable action contain more than 4000 characters, any data beyond the first 4000 characters will be truncated and not audited.
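The sys.fn_get_audit_file method and the 4000-character limit described above, combined in an added example that is not part of the original article: the first query lists audit records whose statement or data_sensitivity_information field is full and may therefore have been truncated, and the second summarizes failed operations by principal and client address. The storage account, server and database names in angle brackets are placeholders to replace with your own values.

```sql
-- Added example; <storage-account>, <server-name> and <database-name> are placeholders.
-- A folder prefix ending in "/" returns every audit file written for that
-- database in the sqldbauditlogs container.
DECLARE @audit_path nvarchar(260) =
    N'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server-name>/<database-name>/';

-- 1. Records whose character fields are full. A full field does not prove
--    truncation, but anything past 4000 characters was not audited, so these
--    rows cannot be reviewed completely from the audit log alone.
SELECT event_time,
       action_id,
       server_principal_name,
       client_ip,
       application_name,
       LEN(statement)                    AS statement_chars,
       LEN(data_sensitivity_information) AS sensitivity_chars,
       LEFT(statement, 200)              AS statement_head
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE LEN(statement) >= 4000
   OR LEN(data_sensitivity_information) >= 4000
ORDER BY event_time DESC;

-- 2. Failed operations in the last 24 hours, grouped so that repeated failures
--    from one principal or client address stand out. event_time is in UTC.
SELECT server_principal_name,
       client_ip,
       action_id,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE succeeded = 0
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip, action_id
ORDER BY failures DESC;
```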

Audit logs are written to Append Blobs in an Azure Blob storage on your Azure subscription:

The default auditing policy includes all actions and the following set of action groups, which will audit all the queries and stored procedures executed against the database, as well as successful and failed logins:

BATCH_COMPLETED_GROUP
SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP
FAILED_DATABASE_AUTHENTICATION_GROUP

You can configure auditing for different types of actions and action groups using PowerShell, as described in the Manage SQL database auditing using Azure PowerShell section.

When using AAD Authentication, failed logins records will not appear in the SQL audit log. To view failed login audit records, you need to visit the Azure Active Directory portal, which logs details of these events.

Azure SQL Database auditing is optimized for availability and performance. During very high activity, Azure SQL Database allows operations to proceed and may not record some audited events.

Important

The allow protected append blobs writes setting under time-based retention is currently available and visible only in the following regions:

Manage Azure SQL Server and Database auditing using Azure PowerShell

PowerShell cmdlets (including WHERE clause support for additional filtering):

For a script example, see Configure auditing and threat detection using PowerShell.

Manage Azure SQL Server and Database auditing using REST API

REST API:

Extended policy with WHERE clause support for additional filtering:

Note

The linked samples are on an external public repository and are provided 'as is', without warranty, and are not supported under any Microsoft support program/service.
