Azure SQL Server and Database audit logs empty

Question

Azure SQL Server and Database audit logs empty

Timothy Palmer 0

I've got an Azure SQL Server with 1 Azure SQL Database (small size, serverless).

I'm wanting to assess auditing to log Analytics workspace for easier interrogation. I've configured auditing at the SQL Server level and ticked the option for logging to the Log Analytics workspace and pointed it at a (new) LogAnalytics workspace I had already created. I'm not logging to Azure storage or Event Hub - just LogAnalytics.

I've generated some activity on my database and yet there is nothing showing in the audit records or when I try an explore it in the LogAnalytics workspace.

For good measure at the database level I turned on auditing there too and pointed at the LogAnalytics workspace (although as I understand auditing setting is inherited from the server level setting). Made no difference.

I feel like I'm missing something super obvious here - just don't know what!?

Thanks

Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2023-09-29T17:29:18.9333333+00:00

@Timothy Palmer

I wanted to follow on the below comment. Could you please reply back with the status of the issue.

Regards,

Oury
Timothy Palmer 0 Reputation points

2023-10-02T07:42:13.17+00:00

Thanks for the reply Oury. No idea what has been going on here but at 2243 on the day I posted this, it seems the Log Analytics workspace has now been ingesting events. Just fired up SSMS ran a few statements and they are instantly there , as I'd expect, in my Log Analytics workspace. Great that its working but unexpected that It took several hours for events to start surfacing in the the audit.
Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2023-10-02T17:01:15.73+00:00

Timothy Palmer

Thank you for letting us know. I am glad you are seeing some data now.

Regards,

Oury

1 answer

Your answer

Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2023-09-29T17:29:18.9333333+00:00

@Timothy Palmer

I wanted to follow on the below comment. Could you please reply back with the status of the issue.

Regards,

Oury
Timothy Palmer 0 Reputation points

2023-10-02T07:42:13.17+00:00

Thanks for the reply Oury. No idea what has been going on here but at 2243 on the day I posted this, it seems the Log Analytics workspace has now been ingesting events. Just fired up SSMS ran a few statements and they are instantly there , as I'd expect, in my Log Analytics workspace. Great that its working but unexpected that It took several hours for events to start surfacing in the the audit.
Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2023-10-02T17:01:15.73+00:00

Timothy Palmer

Thank you for letting us know. I am glad you are seeing some data now.

Regards,

Oury

Answer 1

@Timothy Palmer Thank you for reaching out and sorry to hear about this issue.

It seems like you have configured auditing at the SQL Server level and also database level and pointed it to a Log Analytics workspace which is so far correct. However, you are not seeing any audit records in the workspace even after generating some activity on your database.

It should work if your database is not paused and have some recent activities.

https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-analyze-audit-logs?view=azuresql

You can try running some queries in the Log Analytics workspace to see if the data is being stored correctly. Here is an example query that you can use to retrieve audit logs:

AzureDiagnostics
| where Category == "SQLSecurityAuditEvents"

I would also suggest checking on your permissions.

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal#azure-rbac

Please let me know the result.

Regards,

Oury

Share via

Azure SQL Server and Database audit logs empty

1 answer

Your answer