Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,157 questions
Azure Sentinel - SQL Audit
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 39%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Eduards
791
Reputation points
Hello,
Recently i configure SQL Audit and audit server specifications to collect SQL logs and send it to Application.
Also i installed MMA agent on SQL server and configured that Event Viewer -> Application logs (MSSQLSERVER) will be delivered to Azure Sentinel.
But when i configured SQL Audit with Queue delay (43200000 miliseconds = 12 h) it's still runs audit once a 1 minute and i receive a lots of logs.. and all this logs are collected in Azure Sentinel..
Why SQL Audit Queue delay is not working properly??
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 36,866 Reputation points Microsoft Employee2021-01-07T00:25:41.583+00:00 My suspicion is that Sentinel keeps logging regardless of that setting, but I've reached out to someone from the Sentinel team to confirm. Are all of the logs recent? Is it for all computers or just some?
-
Eduards 791 Reputation points
2021-01-07T07:16:18.343+00:00 Hello @MarileeTurscak
I have 2 SQL servers which have MMA agent installed.
In Azure Security Event are configured like this.
in Log Analytics Workspace Application log are added.
I configure SQL Audit to log all data in Event Viewer -> Application and delay is 12 hours.
After i add to audit this data
And when i enable audit and audit server specifications i receive a lot of SQL logs all information logs and they are sent to Azure sentinel.
After my test, after 10 minutes of logging SQL events to Azure sentinel i receive:
52300 event in 10 minutes? It's not normal.
Sign in to comment
Sign in to answer