SQL Audit on Azure SQL Managed Instance - Retention Days?

Question

SQL Audit on Azure SQL Managed Instance - Retention Days?

Mark Gordon 926

Fellow DBA's

I have been using SQL Audit for years on-premise.

Moving to cloud. Since the SQL Audit will use blob with a URL Path, and we no longer user number of files as well as rollover count, I do not understand how to interpret Retention Days.

1 - Is Retention Days how long it keeps an audit record in the blob?

2 - Or is it how long the audit capture file with be kept on the blob?

3 - or??????

Thanks

MG

1 answer

Your answer

Answer 1

Hi Mark Gordon •,

Welcome to Microsoft Q&A forum and thanks for using Azure Services.

As I understand, you want to know Retention Days in Azure SQL Managed Instance.

Could you please confirm if the question is about Azure SQL Database or Azure SQL Managed Instance?

If it is related to Azure SQL Database then please refer to the documentation here: https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-setup?view=azuresql

where you can set up days as shown below:

Screenshot that shows storage account authentication types for Auditing.

If it is Azure SQL Managed Instance, then please refer to https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?view=azuresql

Screenshot showing the SAS configuration.

Audit differences between databases in Azure SQL Managed Instance and databases in SQL Server

The key differences between auditing in databases in Azure SQL Managed Instance and databases in SQL Server are:

With Azure SQL Managed Instance, auditing works at the server level and stores .xel log files in Azure Blob storage.
In SQL Server, audit works at the server level, but stores events in the file system and Windows event logs.

XEvent auditing in managed instances supports Azure Blob storage targets. File and Windows logs are not supported.

The key differences in the CREATE AUDIT syntax for auditing to Azure Blob storage are:

A new syntax TO URL is provided and enables you to specify the URL of the Azure Blob storage container where the .xel files are placed.
A new syntax TO EXTERNAL MONITOR is provided to enable Event Hubs and Azure Monitor log targets.
The syntax TO FILE is not supported because Azure SQL Managed Instance can't access Windows file shares.
Shutdown option is not supported.
queue_delay of 0 is not supported.

Let us know if this information helped. If not, please let us know more on the details of the question so that we can assist you.

Thanks

Mark Gordon 926 Reputation points

2023-09-07T11:11:01.74+00:00

Hi Shaksti,

This question is about Azure SQL Managed Instance.

1 - Is there one file that has the audited actions in it or does it make one file for each audited action?

2 - I need to know exactly what retention days means. Is Retention Days how long it keeps the blob .xel files?
SSingh-MSFT 16,461 Reputation points Moderator

2023-09-07T11:18:43.6666667+00:00

Hi Mark Gordon,

Kindly raise support case for better assistance for your scenario.

Share details with the support case about what you performed and how and where you are stuck.

Thank you.
Mark Gordon 926 Reputation points

2023-09-07T11:50:08.7766667+00:00

So, I assume there is a charge for a support ticket?
SSingh-MSFT 16,461 Reputation points Moderator

2023-09-08T04:39:10.5666667+00:00

Hi Mark Gordon,

Could you send an email to AzCommunity@Microsoft.com with your Subscription ID and thread link to this post, and I will enable a one-time free support request for your subscription.

Please reference this forum thread in the subject:

ATTN: SHAKTI - SQL Audit on Azure SQL Managed Instance - Retention Days

Regards,

@SSingh-MSFT

Share via

SQL Audit on Azure SQL Managed Instance - Retention Days?

1 answer

Your answer