when run a query to extract last 2 hours data, it will take over 2 hours to run the SQL. its really time consuming
The audit log is stored on disk as a kinf of text file and if it's large, query on a text file can take some time.
enable audit logs databases query supper slow(sys.fn_get_audit_file)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 42%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Ashwan
536
Reputation points
hi we have sql server 2016 sp3 ,and enabled audits
- SERVER AUDIT [Audit_]
CREATE SERVER AUDIT [Audit_01]
TO FILE
( FILEPATH = N'C:\Audit'
,MAXSIZE = 10 GB
,MAX_FILES = 100
,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
,ON_FAILURE = CONTINUE
)
- enabled audit
- CREATE SERVER AUDIT SPECIFICATION
- USE USER_DATA
go
CREATE DATABASE AUDIT SPECIFICATION
We have done server level and DB level auditing
Plan is to load the data into custom table where can extract data quicky when we need data.
there are multiple files created in the folder xxx.sqlaudit .
when run a query to extract last 2 hours data, it will take over 2 hours to run the SQL. its really time consuming
Question: any any one knows how to speed up and at least get the data. this is look like not practical audit solution from Microsoft ? any one have same issue?
SELECT
CONVERT(datetime,
SWITCHOFFSET(CONVERT(datetimeoffset, event_time),
DATENAME(TzOffset, SYSDATETIMEOFFSET())))
AS
event_time
,server_instance_name,action_id,class_type,sequence_number,succeeded,permission_bitmask,is_column_permission,session_id,server_principal_sid,server_principal_name,database_principal_id ,session_server_principal_name,* FROM sys.fn_get_audit_file ('C:\Audit\Audit_*.sqlaudit',default,default)
where CONVERT(datetime,
SWITCHOFFSET(CONVERT(datetimeoffset, event_time),
DATENAME(TzOffset, SYSDATETIMEOFFSET()))) >= DATEADD(Hour, -2, GETDATE())
SQL Server | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-06-23T07:06:02.89+00:00 Hi @Ashwan
We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.
-
Anonymous
2023-06-30T08:24:21.2866667+00:00 Hi @Ashwan
We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.
Sign in to comment
1 answer
Sort by: Most helpful
-
Olaf Helper 47,581 Reputation points2023-06-14T05:10:26.76+00:00 -
Ashwan 536 Reputation points
2023-06-14T23:51:26.82+00:00 it get large obviously for large transactional system. not sure why MS has designed a solution which will not work in practically for customers
Sign in to comment -