Greetings. I have a very simple Azure SQL DB audit that works exactly as expected... then stops overnight for some reason.
So I can define my audit and confirm that it's set correctly:

    Set-AzSqlServerAudit -ResourceGroupName "myRG" -ServerName "myServer" -AuditActionGroup "FAILED_DATABASE_AUTHENTICATION_GROUP"
    Get-AzSqlServerAudit -ResourceGroupName "myRG" -ServerName "myServer"

    AuditActionGroup                    : {FAILED_DATABASE_AUTHENTICATION_GROUP}
    PredicateExpression                 :
    StorageKeyType                      : Primary
    RetentionInDays                     : 7
    ResourceGroupName                   : myRG
    ServerName                          : myServer
    BlobStorageTargetState              : Enabled
    StorageAccountResourceId            : /subscriptions/myResourceID/resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/myStorageAcct
    EventHubTargetState                 : Disabled
    EventHubName                        :
    EventHubAuthorizationRuleResourceId :
    LogAnalyticsTargetState             : Disabled
    WorkspaceResourceId                 :

I then do some testing by intentionally failing some login attempts, and see them in the Azure portal's Database / Auditing / View audit logs tab, as I would expect.
All is well, until I come in the next day and intentionally fail some login attempts, and no new entries make it into the log. I have confirmed this twice now.
I can jump-start this thing to get it going again by simply rerunning the "Set-AzSqlServerAudit" command, but obviously that shouldn't be required.
Why does this guy stop working overnight?